Beside applying the WORKSPACE_TAG to the workspace query, additional constraints should be imposed with the current login user's workspace access.
The resulting query should only return workspaces that the current user have access to.
Users should have access to all workspaces that
they own "metacard.owner_txt":["email@example.com"]
they have been given access "security.access-individuals_txt":["firstname.lastname@example.org"],
they have been given administrator right (this could be deprecated) "security.access-administrators_txt":["email@example.com"],
they belong to the group with access "security.access-groups_txt":["guest"],