ACL service enablement

Premium

ACL hydration is a premium feature. Contact your DataRobot representative for enablement information.

The ACL (Access Control List) service provides continuous synchronization of file permissions from external sources such as Google Drive and SharePoint, ensuring that vector database query results respect the original source-system access controls.

When enabled, the ACL service deploys two Kubernetes workloads:

  • acl-service Deployment: A long-running server that continuously polls Google Drive (via Drive Activity API) and SharePoint (via Delta Query) for permission changes and updates the stored ACLs accordingly.
  • principals-update CronJob: A scheduled task running every 30 minutes to refresh external user and group memberships (for example, Google Workspace groups).

For information on configuring ACL hydration for your organization and end-user behavior, see ACL hydration.

Requirements

Before enabling the ACL service, ensure the following:

  • DataRobot 11.6 or later is installed.
  • At least one supported data source connector is configured:
  • The Kubernetes cluster has sufficient capacity for the additional workloads (see Resource requirements below).

Resource requirements

The ACL service introduces two new Kubernetes workloads with the following resource footprint:

Workload                    CPU request/limit   Memory request/limit
acl-service Deployment      2 / 2               4Gi / 4Gi
principals-update CronJob   100m / 1            300Mi / 600Mi

Enablement

The ACL service is disabled by default. To enable it, add the following to your Helm values override file:

global:
  acl_service:
    enabled: true

Apply the updated values and perform a Helm upgrade:

helm upgrade datarobot datarobot/datarobot-prime \
  -f your-values-override.yaml \
  --namespace datarobot

Once global.acl_service.enabled is set to true, DataRobot automatically sets the ACL_SYNC_AVAILABLE environment variable to True in the application configuration. This makes the Enable ACL Synchronization feature flag available for organization administrators to enable per-organization from the DataRobot UI.

Verification

After the upgrade completes, verify that the ACL service pods are running:

kubectl get pods -n datarobot -l app=acl-service-app

Verify that the principals-update CronJob was created:

kubectl get cronjobs -n datarobot | grep principals-update

Confirm that the ACL_SYNC_AVAILABLE variable is set in the application ConfigMap:

kubectl get configmap datarobot-modeling-envvars -n datarobot -o yaml | grep ACL_SYNC_AVAILABLE

The output should include:

ACL_SYNC_AVAILABLE: "True"
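
The three checks above can be scripted so that an unready pod or a flag set to "False" fails the run instead of simply matching a grep. This is an added example, not DataRobot tooling; the function names are hypothetical and the sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not DataRobot tooling). Each check reads kubectl output on
# stdin and returns non-zero on failure. Function names are hypothetical.

# At least one pod, each Running with every container ready (READY n/n).
pods_ready() {
  awk '
    $1 == "NAME" { next }                 # tolerate a header row
    NF >= 3 {
      seen++
      split($2, r, "/")
      if ($3 != "Running" || r[1] != r[2] || r[2] == 0) bad++
    }
    END { exit (seen > 0 && bad == 0) ? 0 : 1 }
  '
}

# The CronJob exists (input: `kubectl get cronjobs -o name`).
cronjob_present() { grep -q 'principals-update'; }

# The flag is exactly True; a bare grep would also match "False".
flag_enabled() {
  grep -Eq '^[[:space:]]*ACL_SYNC_AVAILABLE:[[:space:]]*"?True"?[[:space:]]*$'
}

# Run all three checks against the cluster, using the names from this page.
verify_live() {
  kubectl get pods -n datarobot -l app=acl-service-app --no-headers | pods_ready &&
  kubectl get cronjobs -n datarobot -o name | cronjob_present &&
  kubectl get configmap datarobot-modeling-envvars -n datarobot -o yaml | flag_enabled
}

# Constructed sample output (pod names are made up) for an offline dry run.
SAMPLE_PODS_OK='acl-service-app-5d9c7b6f4-abcde   1/1   Running   0   12m'
SAMPLE_PODS_BAD='acl-service-app-5d9c7b6f4-abcde   0/1   CrashLoopBackOff   4 (30s ago)   12m'
SAMPLE_CM_ON='  ACL_SYNC_AVAILABLE: "True"'
SAMPLE_CM_OFF='  ACL_SYNC_AVAILABLE: "False"'

if [ "${1:-}" = "live" ]; then
  verify_live && echo "ACL service verified" || { echo "ACL service check FAILED"; exit 1; }
else
  printf '%s\n' "$SAMPLE_PODS_BAD" | pods_ready || echo "sample: unhealthy pod rejected"
  printf '%s\n' "$SAMPLE_CM_OFF" | flag_enabled || echo "sample: disabled flag rejected"
fi
```

Run it with the argument `live` to query the cluster; without arguments it only exercises the constructed samples.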

Post-enablement configuration

After the service is running, a DataRobot organization administrator must enable ACL synchronization for each supported data source connection in the DataRobot UI. See Setting up ACL hydration for steps.