The "can manage contacts" permission gives a user permissions on all contacts no matter where they are. On version 1.5 this permission was renamed to "can manage all contacts". If a user doesn't have this permission it still can create and view contacts assigned to workspaces, depending on workspace-specific permissions.
Cheers.