Datafold uses groups to control what users and service accounts can access. Every user belongs to one or more groups, and each group carries a set of permissions.
Built-in groups
Every organization has three built-in groups that cannot be deleted or have their permissions modified:
| Group | Description | Permissions |
|---|
| admin | Administrator | All permissions, plus user and configuration management |
| default | Full user role | Create and modify monitors, create diffs, explore data, lineage, and knowledge graph |
| viewonly | View-only role | View diffs, monitors, and knowledge graph without the ability to create or modify them |
Custom groups
Admins can create custom groups with a tailored set of permissions. This is useful for:
- Service accounts that should only access specific tools (e.g., an MCP integration that only needs data source and knowledge graph access)
- External partners who should have limited access
- Specialized roles like “monitor operators” who can trigger monitor runs but not create diffs
To create a custom group:
- Go to Settings → Groups and click New Group
- Enter a name and select the permissions you want to grant
- Click Create
To edit permissions on an existing custom group, click Edit on the group row, then toggle permissions in the checklist.
Built-in group permissions (admin, default, viewonly) cannot be modified. To restrict access, create a custom group with only the permissions you need.
Permissions reference
Permissions are organized by category. A user’s effective permissions are the union of all groups they belong to.
Organization
| Permission | Description |
|---|
| List users | View organization members |
| Edit table descriptions | Modify table and column descriptions |
| Edit tags | Create and modify tags |
Data Sources
| Permission | Description |
|---|
| List data sources | View and query connected data sources |
| Refresh schema | Trigger schema refresh on a data source |
| Run profiling | Run table profiling |
| Cancel profiling | Cancel running profiling jobs |
| Cancel schema fetch | Cancel schema fetch jobs |
| Cancel fetch history | Cancel fetch history jobs |
| Cancel BI sync | Cancel BI sync jobs |
CI/CD
| Permission | Description |
|---|
| Cancel CI run | Cancel a running CI check |
| Upload dbt artifacts | Upload dbt manifest and catalog files |
Data Diffs
| Permission | Description |
|---|
| View diffs | View existing data diffs and their results |
| Create diffs | Create new data diffs |
| Cancel diffs | Cancel running data diffs |
| Archive diffs | Archive completed diffs |
| Purge diffs | Permanently delete diffs |
Monitors
| Permission | Description |
|---|
| View monitors | View monitors, their configuration, and run results |
| Edit monitors | Create, modify, provision, and trigger monitor runs |
Knowledge Graph
| Permission | Description |
|---|
| View knowledge graph | Query the knowledge graph, view schema, and explore lineage |
| Edit knowledge graph | Modify knowledge graph data (reserved for future use) |
- Create a custom group with List data sources and View knowledge graph permissions
- Create a service account assigned to that group
- Use the service account’s API key in your MCP client configuration
See MCP Tool Permissions for the exact permissions each MCP tool requires, plus the minimum set needed to enable every tool.
Data source access control
In addition to group-level permissions, Datafold supports per-data-source access control. Admins can restrict which groups can access specific data sources under Settings → Integrations → [Data Source] → Restrict Access.
This provides an additional layer of control: a user may have the “List data sources” permission but only see data sources their groups are allowed to access. 