Permission Model
π Planned
Documentation Under Construction
This page will explain Vanna's group-based permission model, including tool-level permissions, UI feature flags, and row-level security patterns.
Planned Content
- β Group-based access control overview
- β Tool-level permissions (access_groups property)
- β UI feature flags (showing/hiding tool details)
- β Row-level security patterns (filtering SQL results)
- β Permission checking flow
- β Example permission configurations
- β Audit logging for permission checks
Want to contribute or suggest improvements? Open an issue on GitHub
Three-Layer Permission Model
When complete, this will explain:
1. Tool-Level Permissions
class SensitiveTool(Tool):
@property
def access_groups(self) -> List[str]:
return ["admin", "finance"] # Only these groups can use this tool2. UI Feature Flags
config = AgentConfig(
ui_features={
"tool_names": ["admin", "user"], # Who can see tool names
"tool_arguments": ["admin"], # Who can see tool arguments
"tool_results": ["admin", "developer"] # Who can see full results
}
)3. Row-Level Security
class SecureSqlRunner(SqlRunner):
async def run_sql(self, args: RunSqlToolArgs, context: ToolContext) -> pd.DataFrame:
# Filter results based on user's department
user_dept = context.user.metadata.get('department')
filtered_query = f"SELECT * FROM ({args.query}) WHERE department = '{user_dept}'"
return await self.execute(filtered_query)Permission Flow
- User makes request β UserResolver extracts User
- User invokes tool β Check
tool.access_groupsagainstuser.group_memberships - Tool executes β Apply row-level filters if needed
- Results returned β UI features filtered based on userβs groups