diff --git a/domain/storer.go b/domain/storer.go
index d244acfa..cfb6725a 100644
--- a/domain/storer.go
+++ b/domain/storer.go
@@ -76,6 +76,7 @@ type UserStorer interface {
 GetActiveUsersForOrganization(ctx RequestContext) (u []user.User, err error)
 GetUsersForOrganization(ctx RequestContext) (u []user.User, err error)
 GetSpaceUsers(ctx RequestContext, folderID string) (u []user.User, err error)
+ GetVisibleUsers(ctx RequestContext) (u []user.User, err error)
 UpdateUser(ctx RequestContext, u user.User) (err error)
 UpdateUserPassword(ctx RequestContext, userID, salt, password string) (err error)
 DeactiveUser(ctx RequestContext, userID string) (err error)
diff --git a/domain/user/mysql/store.go b/domain/user/mysql/store.go
index 17d346cc..63d35fd9 100644
--- a/domain/user/mysql/store.go
+++ b/domain/user/mysql/store.go
@@ -201,6 +201,68 @@ func (s Scope) GetSpaceUsers(ctx domain.RequestContext, folderID string) (u []us
 return
 }
 
+// GetVisibleUsers returns all users that can be "seen" by a user.
+// "Seen" means users who share at least one space in common.
+// Explicit access must be provided to a user in order to associate them
+// as having access to a space. Simply marking a space as vieewable by "everyone" is not enough.
+func (s Scope) GetVisibleUsers(ctx domain.RequestContext) (u []user.User, err error) {
+ err = s.Runtime.Db.Select(&u,
+ `SELECT id, refid, firstname, lastname, email, initials, password, salt, reset, created, revised
+ FROM user
+ WHERE
+ refid IN (SELECT userid FROM account WHERE orgid = ?)
+ AND refid IN
+ (SELECT userid FROM labelrole where userid != '' AND orgid=?
+ AND labelid IN (
+ SELECT refid FROM label WHERE orgid=? AND type=2 AND userid=?
+ UNION ALL
+ SELECT refid FROM label a WHERE orgid=? AND type=1 AND refid IN (SELECT labelid FROM labelrole WHERE orgid=? AND userid='' AND (canedit=1 OR canview=1))
+ UNION ALL
+ SELECT refid FROM label a WHERE orgid=? AND type=3 AND refid IN (SELECT labelid FROM labelrole WHERE orgid=? AND userid=? AND (canedit=1 OR canview=1))
+ )
+ GROUP BY userid)
+ ORDER BY firstname, lastname`,
+ ctx.OrgID,
+ ctx.OrgID,
+ ctx.OrgID,
+ ctx.UserID,
+ ctx.OrgID,
+ ctx.OrgID,
+ ctx.OrgID,
+ ctx.OrgID,
+ ctx.UserID)
+
+ if err != nil {
+ err = errors.Wrap(err, fmt.Sprintf("get visible users for org %s user %s", ctx.OrgID, ctx.UserID))
+ return
+ }
+
+ return
+}
+
+/*
+
+`SELECT
+ id, refid, firstname, lastname, email, initials, password, salt, reset, created, revised
+FROM
+ user
+WHERE
+ refid IN (SELECT userid FROM account where orgid = '4Tec34w8')
+ AND refid IN
+ (SELECT userid FROM labelrole where userid != '' AND orgid='4Tec34w8'
+ AND labelid IN (
+ SELECT refid FROM label WHERE orgid='4Tec34w8' AND type=2 AND userid='iJdf6qUW'
+ UNION ALL
+ SELECT refid FROM label a WHERE orgid='4Tec34w8' AND type=1 AND refid IN (SELECT labelid FROM labelrole WHERE orgid='4Tec34w8' AND userid='' AND (canedit=1 OR canview=1))
+ UNION ALL
+ SELECT refid FROM label a WHERE orgid='4Tec34w8' AND type=3 AND refid IN (SELECT labelid FROM labelrole WHERE orgid='4Tec34w8' AND userid='iJdf6qUW' AND (canedit=1 OR canview=1))
+ )
+ GROUP BY userid)
+ORDER BY
+ firstname, lastname`
+
+*/
+
 // UpdateUser updates the user table using the given replacement user record.
 func (s Scope) UpdateUser(ctx domain.RequestContext, u user.User) (err error) {
 u.Revised = time.Now().UTC()
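Review bot: The query in the new GetVisibleUsers selects `password, salt, reset` for every user who shares a space with the caller, so a function meant for listing peers loads credential material into the returned slice. Unless user.User is known to keep those fields out of any serialized response (the struct is not visible in this hunk), narrow the column list to `SELECT id, refid, firstname, lastname, email, initials, created, revised`. The commented-out copy of the query after the function hard-codes what look like real org and user ids (`'4Tec34w8'`, `'iJdf6qUW'`) and should be dropped rather than committed. In the doc comment, `vieewable` should read `viewable`.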