Data RBAC Configuration
This page covers the admin configuration side of data access control. For how the permission model works conceptually, see Data Access Control.
Access control granularity
Data RBAC operates at three levels:
| Level | What it controls | Example |
|---|---|---|
| Connection | Entire database visibility | Hide the HR database from marketing |
| Table | Specific tables within a connection | Block the salaries table |
| Column | Specific columns within a table | Hide the ssn column |
Restrictions are enforced at context injection time — agents don't see restricted schemas at all, so they can't accidentally reference hidden data. See Data Access Control for details on enforcement.
Table settings schema
Each table-level setting contains:
| Field | Type | Description |
|---|---|---|
| access | allow / deny / inherit | Whether the table is visible |
| column_settings | JSON object | Per-column overrides: {"column_name": {"access": "deny"}} |
Configuring each tier
The 4-tier hierarchy works identically to agent access control:
Platform settings
Who: Superadmin only
Set system-wide defaults for all data connections. Use this to globally restrict sensitive connections or tables that no organization should access without explicit permission.
Organization settings
Who: Org admin (own org) or superadmin
Set org-level defaults. The admin panel shows inherited platform settings alongside the editable org controls so admins understand what they're overriding.
Group settings
Who: Org admin (own org) or superadmin
Configure access for a specific group. Useful for team-based access patterns like "the analytics group can query the reporting database."
User overrides
Who: Org admin (own org) or superadmin
Set per-user exceptions. The admin panel shows all four tiers for the selected user so the admin can see the full resolution chain.
Viewing effective permissions
The admin panel provides enriched views that show context from all levels. For any user, admins can see the resolved result — the final allow/deny after walking through all four tiers.
Practical examples
Hide salary columns from non-HR teams
- Organization level: Allow the HR database connection for the whole org
- Group level (HR): Allow all tables, including `employees`
- Group level (Marketing, Sales, etc.): Deny the `salary` and `ssn` columns in the `employees` table
Marketing agents can still query the employees table for names and departments, but salary and SSN columns won't exist in their context.
Block a database for specific teams
- Organization level: Allow the production database
- Group level (Interns): Deny the entire production connection
Interns won't see the production database at all. Other team members retain access.
One user exception
- Group level (Marketing): Deny the `financial_reports` table
- User override (VP of Marketing): Allow the `financial_reports` table
The VP can access financial reports despite the group restriction.
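To make the tier walk and the "resolved result" concrete, here is an added resolver that replays the three examples above. It is illustration code written for this page, not Thallus code, and it fixes several points the page leaves open as labelled assumptions: a later tier with an explicit allow/deny overrides earlier tiers while "inherit" defers upward; a user in several groups gets deny if any group denies; a table or column whose tiers all say inherit takes its parent's decision; a connection with no rule anywhere is hidden; and the policy is keyed `policy[tier][scope][connection]` with a `tables` map holding the page's per-table `access` / `column_settings` fields. The `reporting` connection and all sample data are constructed.

```python
"""Resolver for a 4-tier allow/deny/inherit data RBAC hierarchy.

Added illustration, not Thallus code. Assumptions beyond the page:
- tiers walk platform -> org -> group -> user; an explicit allow/deny at a
  later tier overrides earlier tiers, "inherit" defers to them;
- a user in several groups: any group deny beats a group allow;
- a table (column) whose tiers all say inherit takes the connection's
  (table's) decision; a connection with no rule anywhere is denied;
- layout: policy[tier][scope][connection] -> {"access", "tables": {...}}.
"""

DEFAULT_ACCESS = "deny"   # assumption: no rule at any tier means hidden


def _lookup(node, *keys):
    """Walk nested dicts; None if any key is missing."""
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _tier_value(policy, tier, scope, path):
    """'allow' / 'deny' / 'inherit' that one tier states for a path."""
    node = _lookup(policy, tier, scope, *path)
    return node.get("access", "inherit") if isinstance(node, dict) else "inherit"


def _combine_groups(values):
    """Several groups: deny wins, then allow, else inherit (assumption)."""
    if "deny" in values:
        return "deny"
    return "allow" if "allow" in values else "inherit"


def chain(policy, user, groups, path):
    """Per-tier values for a path in resolution order (the admin-panel view)."""
    return [
        ("platform", _tier_value(policy, "platform", "*", path)),
        ("org", _tier_value(policy, "org", "*", path)),
        ("group", _combine_groups([_tier_value(policy, "group", g, path) for g in groups])),
        ("user", _tier_value(policy, "user", user, path)),
    ]


def _resolve_level(policy, user, groups, path, parent):
    decision = parent
    for _tier, value in chain(policy, user, groups, path):
        if value != "inherit":
            decision = value          # later tier overrides earlier
    return decision


def resolve(policy, user, groups, connection, table=None, column=None):
    """Effective 'allow'/'deny' for a connection, a table, or a column."""
    conn = _resolve_level(policy, user, groups, (connection,), DEFAULT_ACCESS)
    if table is None or conn == "deny":
        return conn                   # denied connection hides all its tables
    tbl = _resolve_level(policy, user, groups, (connection, "tables", table), conn)
    if column is None or tbl == "deny":
        return tbl                    # denied table hides all its columns
    path = (connection, "tables", table, "column_settings", column)
    return _resolve_level(policy, user, groups, path, tbl)


def visible_schema(policy, user, groups, schema):
    """What context injection hands the agent: restricted objects are absent."""
    out = {}
    for conn, tables in schema.items():
        if resolve(policy, user, groups, conn) != "allow":
            continue
        kept = {}
        for tbl, cols in tables.items():
            if resolve(policy, user, groups, conn, tbl) != "allow":
                continue
            cols = [c for c in cols if resolve(policy, user, groups, conn, tbl, c) == "allow"]
            if cols:
                kept[tbl] = cols
        if kept:
            out[conn] = kept
    return out


# Constructed policy mirroring the three examples on this page.
POLICY = {
    "platform": {"*": {}},
    "org": {"*": {"hr_db": {"access": "allow"}, "production": {"access": "allow"},
                  "reporting": {"access": "allow"}}},
    "group": {
        "hr": {"hr_db": {"tables": {"employees": {"access": "allow"}}}},
        "marketing": {
            "hr_db": {"tables": {"employees": {"column_settings": {
                "salary": {"access": "deny"}, "ssn": {"access": "deny"}}}}},
            "reporting": {"tables": {"financial_reports": {"access": "deny"}}},
        },
        "interns": {"production": {"access": "deny"}},
    },
    "user": {"vp_marketing": {"reporting": {"tables": {"financial_reports": {"access": "allow"}}}}},
}

SCHEMA = {  # constructed schema-discovery output
    "hr_db": {"employees": ["id", "name", "department", "salary", "ssn"]},
    "production": {"orders": ["id", "total"]},
    "reporting": {"financial_reports": ["quarter", "revenue"], "campaigns": ["id", "spend"]},
}
```

Two things worth checking against the real product before copying this shape: how it breaks ties when a user belongs to groups with conflicting settings (the deny-wins choice here is an assumption), and what the default is when every tier says inherit. Note also that, under these rules, the salary example as written puts the deny on each non-HR group, so a newly created group would see `salary` and `ssn` by inheritance; denying the columns at the org level and allowing them on the HR group yields the same result for existing groups and defaults new ones to hidden.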
Relationship with PII detection
Thallus can automatically flag PII columns during schema discovery. PII detection is informational — it identifies sensitive columns but doesn't automatically restrict them. Admins use PII flags to make informed RBAC decisions:
- Schema discovery identifies an `ssn` column as PII
- Admin sees the PII flag in the data access panel
- Admin configures a "deny" rule for that column at the org or group level
Audit trail
Data RBAC changes are logged with these actions:
| Action | When |
|---|---|
| DATA_RBAC_PLATFORM_UPDATED | Superadmin changes platform-level data access |
| DATA_RBAC_ORG_UPDATED | Admin changes org-level data access |
| DATA_RBAC_GROUP_UPDATED | Admin changes group-level data access |
| DATA_RBAC_USER_OVERRIDE_UPDATED | Admin changes user-level data access |
| DATA_ACCESS_DENIED | A query was blocked by RBAC at connection level |
| DATA_TABLE_ACCESS_DENIED | A query was blocked by RBAC at table/column level |
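The two groups of actions above call for different handling: the `*_UPDATED` events are privilege changes and deserve the same review an IAM policy diff gets, while bursts of `*_ACCESS_DENIED` events from one subject are worth a look because the denied objects were never in that subject's injected context. The following triage script is an added example, not Thallus code; the action names come from this page, but the JSON-lines shape and the `ts`, `actor`, `subject` and `target` fields are assumptions, and the log it reads is constructed.

```python
"""Triage of Data RBAC audit events: who changed policy, and who keeps
getting denied. Added illustration, not Thallus code. The action names are
the page's; the JSON-lines shape and the ts/actor/subject/target fields
are assumptions, and SAMPLE_LOG is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

POLICY_CHANGE_ACTIONS = {
    "DATA_RBAC_PLATFORM_UPDATED", "DATA_RBAC_ORG_UPDATED",
    "DATA_RBAC_GROUP_UPDATED", "DATA_RBAC_USER_OVERRIDE_UPDATED",
}
DENIAL_ACTIONS = {"DATA_ACCESS_DENIED", "DATA_TABLE_ACCESS_DENIED"}

SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "action": "DATA_ACCESS_DENIED", "actor": "agent", "subject": "dave", "target": "production"}
{"ts": "2024-05-01T09:00:00Z", "action": "DATA_RBAC_GROUP_UPDATED", "actor": "admin@example.com", "subject": "group:marketing", "target": "hr_db.employees.salary=deny"}
{"ts": "2024-05-01T09:05:10Z", "action": "DATA_TABLE_ACCESS_DENIED", "actor": "agent", "subject": "alice", "target": "hr_db.employees.salary"}
{"ts": "2024-05-01T09:06:00Z", "action": "DATA_TABLE_ACCESS_DENIED", "actor": "agent", "subject": "alice", "target": "hr_db.employees.ssn"}
{"ts": "2024-05-01T09:07:00Z", "action": "DATA_ACCESS_DENIED", "actor": "agent", "subject": "bob", "target": "production"}
{"ts": "2024-05-01T09:08:30Z", "action": "DATA_TABLE_ACCESS_DENIED", "actor": "agent", "subject": "alice", "target": "hr_db.employees.salary"}
{"ts": "2024-05-01T10:00:00Z", "action": "DATA_ACCESS_DENIED", "actor": "agent", "subject": "dave", "target": "production"}
{"ts": "2024-05-01T11:30:00Z", "action": "DATA_RBAC_USER_OVERRIDE_UPDATED", "actor": "root@example.com", "subject": "user:vp_marketing", "target": "reporting.financial_reports=allow"}
{"ts": "2024-05-01T12:00:00Z", "action": "DATA_ACCESS_DENIED", "actor": "agent", "subject": "dave", "target": "production"}
"""


def parse_events(text):
    """One JSON object per line; timestamps parsed to aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def policy_changes(events):
    """Every RBAC change as (actor, action, subject, target), for review."""
    return [(e["actor"], e["action"], e["subject"], e["target"])
            for e in events if e["action"] in POLICY_CHANGE_ACTIONS]


def repeated_denials(events, threshold=3, window=timedelta(minutes=10)):
    """Subjects with >= threshold denials inside any sliding window.
    Returns {subject: most denials seen in one window}."""
    by_subject = defaultdict(list)
    for e in events:
        if e["action"] in DENIAL_ACTIONS:
            by_subject[e["subject"]].append(e["ts"])
    flagged = {}
    for subject, times in by_subject.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[subject] = max(flagged.get(subject, 0), count)
    return flagged
```

In the constructed log, alice trips the threshold (three column-level denials in under four minutes) while dave, with three denials spread over four hours, does not; tune `threshold` and `window` to your query volume.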
Related pages
- Data Access Control — Conceptual overview of the permission model
- PII Detection — Automatic column sensitivity flagging
- Connecting Databases — Set up the connections that RBAC controls
- Agent Restrictions — Similar 4-tier model for agent access
- Group Management — Create and manage groups