Built-in groups
Every organization has three built-in groups that cannot be deleted or have their permissions modified:
New users are automatically added to the default and admin (if the first user) groups.
Custom groups
Admins can create custom groups with a tailored set of permissions. This is useful for:- Service accounts that should only access specific tools (e.g., an MCP integration that only needs data source and knowledge graph access)
- External partners who should have limited access
- Specialized roles like “monitor operators” who can trigger monitor runs but not create diffs
- Go to Settings → Groups and click New Group
- Enter a name and select the permissions you want to grant
- Click Create
Built-in group permissions (admin, default, viewonly) cannot be modified. To restrict access, create a custom group with only the permissions you need.
Permissions reference
Permissions are organized by category. A user’s effective permissions are the union of all groups they belong to.Organization
Data Sources
CI/CD
Data Diffs
Monitors
Knowledge Graph
MCP tool visibility
When using the Datafold MCP server, the tools available to an AI agent are determined by the API key’s user permissions. Tools that require permissions the user doesn’t have are automatically hidden. This means you can create a custom group with a limited set of permissions, assign it to a service account, and use that service account’s API key to control exactly which MCP tools the agent can access. For example, to give an agent access to only data sources and the knowledge graph:- Create a custom group with List data sources and View knowledge graph permissions
- Create a service account assigned to that group
- Use the service account’s API key in your MCP client configuration
