Summary

Goal: Understand why there is no export-specific permission in Braintrust and how to limit data access.

Features: ACL permissions (create, read, update, delete, ACL management), project-scoped roles, API key controls.

No export-specific permission exists

Braintrust’s permission model does not have a dedicated export or download permission. The available permissions are:
  • create, read, update, delete
  • create_acls, read_acls, update_acls, delete_acls
read controls all data access, including UI CSV downloads and API-based bulk exports. Granting read to a user necessarily allows them to export that data. There is no configuration today that allows a user to view data but not export it.

Limiting data access

Since export cannot be separated from read, the only way to restrict exports is to restrict read access itself.

Restrict by project or object

Assign users to custom permission groups scoped to specific projects or objects. This limits which data they can read, and therefore export.

The Viewer role still grants full read and export access. It only restricts create, update, and delete.

Restrict API-based bulk exports

No permission prevents a user with read access from making bulk API calls. To limit this:
  • Control which users are issued API keys.
  • Scope service account permissions to specific objects rather than the entire org.
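
An added example, not from Braintrust's documentation or code: a small audit that treats every read grant as an export grant and flags the two bulk-export cases described above. The grant record layout, the principal and project names, and the API-key inventory are constructed assumptions, not Braintrust's API schema.

```python
# Constructed sample grants. The record layout is hypothetical, not Braintrust's
# API schema; fill it from your own ACL and API-key inventory.
GRANTS = [
    {"principal": "alice", "kind": "user", "scope": "org",
     "target": "*", "permission": "read"},
    {"principal": "bob", "kind": "user", "scope": "project",
     "target": "support-evals", "permission": "read"},
    {"principal": "bob", "kind": "user", "scope": "project",
     "target": "support-evals", "permission": "update"},
    {"principal": "ci-bot", "kind": "service_account", "scope": "org",
     "target": "*", "permission": "read"},
    {"principal": "carol", "kind": "user", "scope": "project",
     "target": "billing-evals", "permission": "create"},
]
API_KEY_HOLDERS = {"alice", "ci-bot"}  # constructed: principals issued an API key


def export_exposure(grants, api_key_holders):
    """Map each principal holding read to the data it can therefore export."""
    report = {}
    for g in grants:
        # Only read is counted: read controls all data access, including
        # UI CSV downloads and API-based bulk exports.
        if g["permission"] != "read":
            continue
        entry = report.setdefault(
            g["principal"], {"kind": g["kind"], "targets": set(), "org_wide": False})
        entry["targets"].add(g["target"])
        entry["org_wide"] |= g["scope"] == "org"
    for name, entry in report.items():
        entry["bulk_api"] = name in api_key_holders
    return report


def findings(report):
    """Flag the two bulk-export cases the section says to control."""
    out = []
    for name, e in sorted(report.items()):
        if e["kind"] == "service_account" and e["org_wide"]:
            out.append((name, "service account read is org-wide; scope it to objects"))
        if e["bulk_api"] and e["org_wide"]:
            out.append((name, "API key plus org-wide read permits bulk export"))
    return out


if __name__ == "__main__":
    for name, message in findings(export_exposure(GRANTS, API_KEY_HOLDERS)):
        print(f"{name}: {message}")
```
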

S3 automations

S3 export automations are an org-level admin feature and cannot be used to restrict user-initiated exports. See data management automations.