> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# No export-only permission in Braintrust ACL model

export const plans_0 = "Plans: Enterprise"

export const deployments_0 = "Deployments: Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - Enterprise customers wanting to allow users to view data in the UI but prevent them from bulk exporting or downloading data"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

**Goal:** Understand why there is no export-specific permission in Braintrust and how to limit data access.

**Features:** ACL permissions (`create`, `read`, `update`, `delete`, ACL management), project-scoped roles, API key controls.

***

## No export-specific permission exists

Braintrust's permission model does not have a dedicated export or download permission. The available permissions are:

* `create`, `read`, `update`, `delete`
* `create_acls`, `read_acls`, `update_acls`, `delete_acls`

`read` controls all data access, including UI CSV downloads and API-based bulk exports. Granting `read` to a user necessarily allows them to export that data.

There is no configuration today that allows a user to view data but not export it.

***

## Limiting data access

Since export cannot be separated from read, the only way to restrict exports is to restrict `read` access itself.

**Restrict by project or object**

Assign users to custom permission groups scoped to specific projects or objects. This limits which data they can read — and therefore export.

The Viewer role still grants full read and export access. It only restricts `create`, `update`, and `delete`.

**Restrict API-based bulk exports**

No permission prevents a user with `read` access from making bulk API calls. To limit this:

* Control which users are issued API keys.
* Scope service account permissions to specific objects rather than the entire org.

**Cloud storage automations**

Cloud storage export automations are an org-level admin feature and cannot be used to restrict user-initiated exports. See [Export to cloud storage](/admin/automations/export-to-cloud-storage).
