> ## Documentation Index > Fetch the complete documentation index at: https://docs.datafold.com/llms.txt > Use this file to discover all available pages before exploring further. # User Roles and Permissions > Datafold uses role-based access control to manage user permissions and actions. Datafold uses groups to control what users and service accounts can access. Every user belongs to one or more groups, and each group carries a set of permissions. ## Built-in groups Every organization has three built-in groups that cannot be deleted or have their permissions modified: | Group | Description | Permissions | | -------- | -------------- | -------------------------------------------------------------------------------------- | | admin | Administrator | All permissions, plus user and configuration management | | default | Full user role | Create and modify monitors, create diffs, explore data, lineage, and knowledge graph | | viewonly | View-only role | View diffs, monitors, and knowledge graph without the ability to create or modify them | New users are automatically added to the **default** and **admin** (if the first user) groups. ## Custom groups Admins can create custom groups with a tailored set of permissions. This is useful for: * **Service accounts** that should only access specific tools (e.g., an MCP integration that only needs data source and knowledge graph access) * **External partners** who should have limited access * **Specialized roles** like "monitor operators" who can trigger monitor runs but not create diffs To create a custom group: 1. Go to **Settings → Groups** and click **New Group** 2. Enter a name and select the permissions you want to grant 3. Click **Create** To edit permissions on an existing custom group, click **Edit** on the group row, then toggle permissions in the checklist. Built-in group permissions (admin, default, viewonly) cannot be modified. To restrict access, create a custom group with only the permissions you need. ## Permissions reference Permissions are organized by category. A user's effective permissions are the union of all groups they belong to. ### Organization | Permission | Description | | ----------------------- | ------------------------------------ | | List users | View organization members | | Edit table descriptions | Modify table and column descriptions | | Edit tags | Create and modify tags | ### Data Sources | Permission | Description | | -------------------- | --------------------------------------- | | List data sources | View and query connected data sources | | Refresh schema | Trigger schema refresh on a data source | | Run profiling | Run table profiling | | Cancel profiling | Cancel running profiling jobs | | Cancel schema fetch | Cancel schema fetch jobs | | Cancel fetch history | Cancel fetch history jobs | | Cancel BI sync | Cancel BI sync jobs | ### CI/CD | Permission | Description | | -------------------- | ------------------------------------- | | Cancel CI run | Cancel a running CI check | | Upload dbt artifacts | Upload dbt manifest and catalog files | ### Data Diffs | Permission | Description | | ------------- | ------------------------------------------ | | View diffs | View existing data diffs and their results | | Create diffs | Create new data diffs | | Cancel diffs | Cancel running data diffs | | Archive diffs | Archive completed diffs | | Purge diffs | Permanently delete diffs | ### Monitors | Permission | Description | | ------------- | --------------------------------------------------- | | View monitors | View monitors, their configuration, and run results | | Edit monitors | Create, modify, provision, and trigger monitor runs | ### Knowledge Graph | Permission | Description | | -------------------- | ----------------------------------------------------------- | | View knowledge graph | Query the knowledge graph, view schema, and explore lineage | | Edit knowledge graph | Modify knowledge graph data (reserved for future use) | ## MCP tool visibility When using the [Datafold MCP server](/datafold-mcp), the tools available to an AI agent are determined by the API key's user permissions. Tools that require permissions the user doesn't have are automatically hidden. This means you can create a custom group with a limited set of permissions, assign it to a [service account](/security/service-accounts), and use that service account's API key to control exactly which MCP tools the agent can access. For example, to give an agent access to only data sources and the knowledge graph: 1. Create a custom group with **List data sources** and **View knowledge graph** permissions 2. Create a service account assigned to that group 3. Use the service account's API key in your MCP client configuration See [MCP Tool Permissions](/security/mcp-tool-permissions) for the exact permissions each MCP tool requires, plus the minimum set needed to enable every tool. ## Data source access control In addition to group-level permissions, Datafold supports per-data-source access control. Admins can restrict which groups can access specific data sources under **Settings → Integrations → \[Data Source] → Restrict Access**. This provides an additional layer of control: a user may have the "List data sources" permission but only see data sources their groups are allowed to access.