Data Access
Control what end-user data each agent can read and write.
Permission Levels
Each agent has a data access level configured in the Galadri Console. This controls what the manage-data tool can do.
| Field | Type | Description |
|---|---|---|
read_write | default | Full CRUD access. The agent can create, read, list, update, and delete records across the manage-data tables: end_users, vehicles, vehicle_groups, documents, milestones, and schedules. |
read | restricted | Read and list only. The agent can view existing data but cannot create, update, or delete records. Write attempts are blocked before reaching the handler. |
none | restricted | No data access. The manage-data tool is not available to the agent. The agent cannot see or modify any end-user data tables. |
How It Works
Data access is enforced at two levels:
- Prompt level — When an agent has restricted data access, the system prompt informs the model of the restriction. The model will not attempt to use manage-data for blocked operations.
- Execution level — As a safety net, the tool executor validates the agent's data access level before dispatching any manage-data action. Even if the model attempts a blocked operation, it is rejected before the handler runs.
When to restrict access
Use read for agents that need to reference user data but should not modify it (e.g., a read-only support agent). Use none for agents that only perform searches or external lookups and should not interact with stored data at all.
REST API Access
Data access permissions only apply to agent tool calls. The REST endpoints (Users, Vehicles, Vehicle Groups, Documents, Milestones, Schedules, Sessions, and Session Messages) are available to your API key regardless of agent data access settings.