Skip to main content
Datafold uses groups to control what users and service accounts can access. Every user belongs to one or more groups, and each group carries a set of permissions.

Built-in groups

Every organization has three built-in groups that cannot be deleted or have their permissions modified: New users are automatically added to the default and admin (if the first user) groups.

Custom groups

Admins can create custom groups with a tailored set of permissions. This is useful for:
  • Service accounts that should only access specific tools (e.g., an MCP integration that only needs data source and knowledge graph access)
  • External partners who should have limited access
  • Specialized roles like “monitor operators” who can trigger monitor runs but not create diffs
To create a custom group:
  1. Go to Settings → Groups and click New Group
  2. Enter a name and select the permissions you want to grant
  3. Click Create
To edit permissions on an existing custom group, click Edit on the group row, then toggle permissions in the checklist.
Built-in group permissions (admin, default, viewonly) cannot be modified. To restrict access, create a custom group with only the permissions you need.

Permissions reference

Permissions are organized by category. A user’s effective permissions are the union of all groups they belong to.

Organization

Data Sources

CI/CD

Data Diffs

Monitors

Knowledge Graph

MCP tool visibility

When using the Datafold MCP server, the tools available to an AI agent are determined by the API key’s user permissions. Tools that require permissions the user doesn’t have are automatically hidden. This means you can create a custom group with a limited set of permissions, assign it to a service account, and use that service account’s API key to control exactly which MCP tools the agent can access. For example, to give an agent access to only data sources and the knowledge graph:
  1. Create a custom group with List data sources and View knowledge graph permissions
  2. Create a service account assigned to that group
  3. Use the service account’s API key in your MCP client configuration
See MCP Tool Permissions for the exact permissions each MCP tool requires, plus the minimum set needed to enable every tool.

Data source access control

In addition to group-level permissions, Datafold supports per-data-source access control. Admins can restrict which groups can access specific data sources under Settings → Integrations → [Data Source] → Restrict Access. This provides an additional layer of control: a user may have the “List data sources” permission but only see data sources their groups are allowed to access.