Data Access
Control what end-user data each agent can read, write, and delete.
Permission Levels
Each agent has a data access level configured in the Galadri Console. This controls what the manage-data tool can do.
| Level | Type | Description |
|---|---|---|
| read_write_delete | elevated | Read, write, and delete access for supported records. The agent can create, read, list, update, and delete records across vehicles, vehicle_groups, documents, milestones, and schedules. The end_users profile can be read and updated, but cannot be deleted through manage-data. Vehicle deletion requires explicit affirmative user confirmation. |
| read_write | default | Read and write access for supported records. The agent can create, read, list, and update records, but delete attempts are blocked unless delete access is explicitly enabled. |
| read | restricted | Read and list only. The agent can view existing data but cannot create, update, or delete records. Write attempts are blocked before reaching the handler. |
| none | restricted | No data access. The manage-data tool is not available to the agent. The agent cannot see or modify any end-user data tables. |
How It Works
Data access is enforced at two levels:
- Prompt level: When an agent has restricted data access, the system prompt informs the model of the restriction. The model will not attempt to use manage-data for blocked operations.
- Execution level: As a safety net, the tool executor validates the agent's data access level before dispatching any manage-data action. Even if the model attempts a blocked operation, it is rejected before the handler runs.
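
The execution-level check described above can be pictured as a deny-by-default gate that runs before any handler. This is an added sketch, not Galadri's implementation: the level names, record types and rules come from the table on this page, while the action names, function names and exception class are hypothetical.

```python
# Added illustration: a deny-by-default gate run before any manage-data handler.
# Level names and record types are from the page; all other names are hypothetical.
ALLOWED_ACTIONS = {
    "none": frozenset(),
    "read": frozenset({"read", "list"}),
    "read_write": frozenset({"read", "list", "create", "update"}),
    "read_write_delete": frozenset({"read", "list", "create", "update", "delete"}),
}
RECORD_TYPES = frozenset(
    {"end_users", "vehicles", "vehicle_groups", "documents", "milestones", "schedules"}
)

class AccessDenied(Exception):
    """Raised before dispatch, so the handler never sees a blocked request."""

def authorize(level, action, record_type, user_confirmed=False):
    """Return None when the request is allowed, otherwise raise AccessDenied."""
    # An unknown or missing level maps to the empty set: fail closed.
    allowed = ALLOWED_ACTIONS.get(level, frozenset())
    if record_type not in RECORD_TYPES:
        raise AccessDenied(f"unsupported record type: {record_type!r}")
    if action not in allowed:
        raise AccessDenied(f"level {level!r} does not permit {action!r}")
    # Record-specific rules apply even at the elevated level.
    if record_type == "end_users" and action not in {"read", "update"}:
        raise AccessDenied("end_users profile supports read and update only")
    if action == "delete" and record_type == "vehicles" and user_confirmed is not True:
        raise AccessDenied("vehicle deletion requires explicit user confirmation")

def dispatch(level, action, record_type, handler, user_confirmed=False, **kwargs):
    """Authorize first; the handler is called only when the check passes."""
    authorize(level, action, record_type, user_confirmed)
    return handler(action, record_type, **kwargs)

def is_allowed(level, action, record_type, user_confirmed=False):
    """Boolean form of authorize(), convenient for tests and audit logging."""
    try:
        authorize(level, action, record_type, user_confirmed)
        return True
    except AccessDenied:
        return False
```

The confirmation flag is compared with `is not True` so that a truthy string taken from model output does not count as user confirmation.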
When to restrict access
Use read for agents that need to reference user data but should not modify it (e.g., a read-only support agent). Use none for agents that only perform searches or external lookups and should not interact with stored data at all. Enable read_write_delete only for agents that should perform destructive cleanup on stored records.
REST API Access
Data access permissions only apply to agent-managed data access during chat. The REST endpoints (Users, Vehicles, Vehicle Groups, Documents, Milestones, Schedules, Sessions, and Session Messages) are available to your API key regardless of agent data access settings.