Authorization & Access Control
Autonify implements a comprehensive multi-layered authorization system that ensures secure access to data and features. This guide explains how permissions work, what different roles can do, and how data isolation is maintained across teams.
Overview
Autonify's authorization system operates at three distinct levels:
- Application Level - Controls platform-wide access and administrative functions
- Team Level - Manages access to team-specific data sources and resources
- Column Level - Provides fine-grained control over sensitive data access
All authorization is enforced through PostgreSQL Row-Level Security (RLS) policies, ensuring data isolation happens at the database level, not just in the application code.
Permission Hierarchy
Application Permissions
Application-level permissions control access to platform features and administrative functions:
Owner
- Full platform control: Complete administrative access to all platform features
- User management: Can add, remove, and manage all users across the platform
- Team oversight: Can access and manage all teams and their resources
- System configuration: Can modify platform-wide settings including AI models and integrations
- First user privilege: The first user to sign up automatically receives Owner permissions
Admin
- Platform administration: Can manage users and groups across the platform
- Cross-team access: Can view and access all teams and their data sources
- Configuration management: Can modify system settings and integrations
- Cannot: Remove Owner users or change Owner permissions
User
- Standard access: Can access teams they belong to
- Team creation: Can create new teams (becomes Team Owner of created teams)
- Limited platform access: Cannot access platform administration features
- Data access: Limited to teams where they have membership
Team Permissions
Team-level permissions control access within specific teams:
Team Owner
- Complete team control: Full administrative access to the team
- Member management: Can add or remove team members and modify their roles
- Data source management: Can create, modify, and delete data sources
- Agent configuration: Can configure and run all AI agents
- Settings control: Can modify team settings and integrations
Team Admin
- Team administration: Can manage team resources and settings
- Data source access: Can create, modify, and delete data sources
- Agent operations: Can configure and run all AI agents
- Scan management: Can initiate and view database scans
- Member management: Can add/remove team members (except Owners)
- Cannot: Remove Team Owners or delete the team
Team User
- Read access: Can view team data sources and their contents
- Query access: Can run queries and view results
- Limited agent access: Cannot directly run agents (requires Team Admin role)
- Cannot: Modify data sources, team settings, or run agents
Group-Based Access
Groups provide a way to manage permissions for multiple users efficiently:
How Groups Work
- Group Creation: Only Platform Admins (Owner/Admin) can create groups
- Member Assignment: Users are added to groups by Platform Admins
- Permission Inheritance: Users inherit the highest permission level from their groups
- Team Assignment: Groups can be assigned to teams with specific roles by Team Admins
Group Benefits
- Simplified Management: Manage permissions for many users at once
- Consistent Access: Ensure teams of users have identical permissions
- Easy Onboarding: New users can be added to pre-configured groups
- Audit Trail: Track permission changes at the group level
Example Group Configurations
Data Analysts Group
- Application Permission: User
- Team Assignments:
- Sales Team (User role) - Read-only access to sales data
- Marketing Team (User role) - Read-only access to marketing data
Data Engineers Group
- Application Permission: User
- Team Assignments:
- Production Team (Admin role) - Can manage production databases
- Development Team (Owner role) - Full control of development resources
Platform Administrators Group
- Application Permission: Admin
- Automatic access to all teams with Admin privileges
Column-Level Permissions
For fine-grained data access control, Autonify supports column-level permissions:
How It Works
- Permission Assignment: Assign specific columns to groups
- Access Control: Users can only see columns their groups have access to
- Inheritance: Column permissions are inherited through group membership
- API Integration: Permissions automatically apply to API access (GraphQL/REST)
Use Cases
- PII Protection: Restrict access to personally identifiable information
- Financial Data: Limit who can see salary or revenue information
- Compliance: Ensure only authorized users access regulated data
- Department Isolation: Marketing can't see HR data, etc.
Data Isolation
Row-Level Security (RLS)
Autonify uses PostgreSQL RLS to ensure complete data isolation:
- Database Enforcement: Security policies are enforced at the database level
- Team Isolation: Users can only see data from teams they belong to
- Automatic Filtering: All queries are automatically filtered based on user context
- No Bypass: Even direct database access respects RLS policies
Multi-Tenant Architecture
Each team operates in complete isolation:
- Separate Data Sources: Each team has its own set of data sources
- Independent Configurations: Agent settings and configurations are team-specific
- Isolated Operations: Scans, quality checks, and reports are team-bounded
- Scan Visibility: Only Team Admins and Owners can view scan results
- No Cross-Contamination: Data never leaks between teams
Permission Checking
How Permissions Are Evaluated
When a user attempts to access a resource:
- Authentication Check: Verify the user is logged in
- Application Permission: Check if user has required platform-level permission
- Team Membership: Verify user belongs to the team (directly or via group)
- Role Evaluation: Determine highest role (Owner > Admin > User)
- Column Filtering: Apply column-level restrictions if configured
- Access Decision: Grant or deny based on combined permissions
Permission Precedence
When a user has multiple permission sources:
- Highest Permission Wins: If a user has multiple permission sources, the highest level applies
- Group Inheritance: Users inherit permissions from all their groups
- Platform Admin Override: Platform Admins (Owner/Admin) can access all teams regardless of membership
Common Scenarios
New Employee Onboarding
- Platform Admin creates user account
- User is added to appropriate group (e.g., "Data Analysts")
- Group membership automatically grants team access
- Column permissions restrict sensitive data visibility
- User can immediately access allowed resources
Department Data Isolation
- Create separate teams for each department
- Assign department members to their respective teams
- Configure column permissions to hide sensitive fields
- Each department only sees their own data
- Platform Admins retain oversight across all departments
Contractor Access
- Create a "Contractors" group with limited permissions
- Assign User role at application level
- Grant read-only access to specific teams
- Set expiration dates on group membership
- Easily revoke access by removing from group
Security Best Practices
Role Assignment
- Principle of Least Privilege: Give users the minimum permissions needed
- Regular Audits: Review and update permissions quarterly
- Document Decisions: Keep records of why permissions were granted
- Use Groups: Prefer group-based over individual assignments
Access Management
- Immediate Revocation: Remove access immediately when users leave
- Temporary Access: Use time-limited permissions for temporary needs
- Separation of Duties: Don't give single users too much power
- Monitor Usage: Track who accesses sensitive data
Data Protection
- Column Restrictions: Use column permissions for sensitive data
- Team Isolation: Keep unrelated data in separate teams
- Regular Reviews: Audit data access patterns
- Compliance Alignment: Ensure permissions meet regulatory requirements
Troubleshooting Access Issues
User Cannot Access Team
Possible Causes:
- User not added to team
- Group membership not configured
- Role permissions insufficient
- Team doesn't exist
Resolution Steps:
- Verify team exists and is active
- Check user's team memberships
- Review group assignments
- Confirm role has required permissions
Missing Data or Features
Possible Causes:
- Insufficient role permissions
- Column-level restrictions active
- Feature requires higher role
- Data source not shared with team
Resolution Steps:
- Check user's role in the team
- Review column permissions if applicable
- Verify feature requirements
- Confirm data source team assignment
Cannot Modify Settings
Possible Causes:
- User role is too low (needs Admin/Owner)
- Application-level permissions insufficient
- Settings locked by Platform Admin
- Feature disabled for team
Resolution Steps:
- Verify user has Admin or Owner role
- Check application-level permissions
- Contact Platform Admin if needed
- Review team feature settings
Integration with Features
AI Agents
Agent execution requires Team Admin privileges or higher:
- Team Owners: Can configure and run all agents
- Team Admins: Can configure and run all agents
- Team Users: Cannot directly run agents (need Team Admin to execute on their behalf)
- Platform Admins: Can access all teams' agents
MCP Services
Model Context Protocol access follows team permissions:
- Configuration: Only Team Admins and Owners can enable/disable MCP services
- Viewing: All team members can view MCP configurations
- Usage: External tools (like Claude Desktop) use MCP endpoints with appropriate authentication
- Audit: MCP usage is tracked (usage_count and last_used_at)
Data Quality Rules
Permission requirements for quality management:
- Rule Creation: Team Admins and Owners only
- Rule Execution: Team Admins and Owners only (via agent runs)
- Result Viewing: All team members can view results
- Rule Modification: Team Admins and Owners only
- AI Rule Building: Requires Team Admin to run the Build Rules agent