# ACL metadata hydration and enforcement

> ACL metadata hydration and enforcement - Details the API routes and permissions required for ACL
> metadata hydration and enforcement.

This Markdown file sits beside the HTML page at the same path (with a `.md` suffix). It summarizes the topic and lists links for tools and LLM context.

Companion generated at `2026-06-12T13:31:55.362625+00:00` (UTC).

## Primary page

- [ACL metadata hydration and enforcement](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md): Full documentation for this topic (Markdown sidecar).

## Sections on this page

- [Purpose of access](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md#purpose-of-access): In-page section heading.
- [Google Drive](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md#google-drive): In-page section heading.
- [Google API permissions](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md#google-api-permissions): In-page section heading.
- [SharePoint](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md#sharepoint): In-page section heading.
- [Microsoft Graph permissions](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md#microsoft-graph-permissions): In-page section heading.
- [Change detection (delta-based)](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md#change-detection-delta-based): In-page section heading.
- [Microsoft Graph routes](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/acl-hydrate-query.html.md#microsoft-graph-routes): In-page section heading.

## Related documentation

- [Reference documentation](https://docs.datarobot.com/en/docs/reference/index.html.md): Linked from this page.
- [Agentic AI](https://docs.datarobot.com/en/docs/reference/gen-ai-ref/index.html.md): Linked from this page.
- [Access Control List (ACL) metadata hydration](https://docs.datarobot.com/en/docs/agentic-ai/vector-database/acl-hydration.html.md): Linked from this page.

## Documentation content

[Access Control List (ACL) metadata hydration](https://docs.datarobot.com/en/docs/agentic-ai/vector-database/acl-hydration.html.md) is the process of continuously retrieving and updating permission data from source systems, while enforcement ensures that those same access controls are applied and adhered to in DataRobot. This provides secure and compliant operation of AI workflows that rely on source-system permissions.

To retrieve and synchronize file- and user-level permissions from the source system, DataRobot requires:

**Google Drive:**

- A service account with domain-wide delegation enabled.
- Access to specific Google Workspace APIs.

**SharePoint:**

- A Microsoft Entra ID-registered application with Microsoft Graph application permissions (administrator-granted). These are required because service-style, tenant-wide access uses the OAuth 2.0 client credentials flow against the Microsoft identity platform.
- Access to specific SharePoint and Microsoft 365 APIs.

## Purpose of access

DataRobot requires read-only access to:

**Google Drive:**

- Retrieve and update ACL metadata for Google Drive files and folders.
- Detect permission changes in near real-time.
- Map user and group memberships to accurately enforce source access controls.

**SharePoint:**

- Retrieve and update ACL metadata for SharePoint document libraries, folders, and files (via Microsoft Graph `driveItem` and `permission` resources).
- Detect permission and sharing changes by continuously polling the drive delta API with sharing-aware `Prefer` headers.
- Map users and Microsoft 365 groups to correctly resolve and enforce group-based grants in DataRobot.
- Resolve the Azure AD tenant ID for organization-scoped sharing links via the organization API.

This integration does not modify any permissions, files, or settings in the source system. All API usage is restricted to metadata retrieval and event monitoring.

## Google Drive

### Google API permissions

The following OAuth scopes are needed to enable end-to-end ACL synchronization and enforcement:

| Permission scope | Purpose |
| --- | --- |
| https://www.googleapis.com/auth/admin.directory.group.readonly | View group structures and memberships to resolve group-based permissions. |
| https://www.googleapis.com/auth/admin.directory.user.readonly | View user directory information to map file ACLs to domain users. |
| https://www.googleapis.com/auth/drive.readonly | Retrieve file and folder metadata, including ACLs and sharing configurations. |
| https://www.googleapis.com/auth/drive.activity.readonly | Monitor Drive activity to capture permission and sharing changes. |
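The scopes above only describe what the service account may read; what the integration does with that data is hydrate a per-file principal set and then enforce it at query time. The following is an added example, not DataRobot's code, showing both halves for Google Drive. It assumes the permission records use the Drive v3 `permissions` resource fields (`type`, `emailAddress`, `domain`, `role`) and that group membership comes from the Admin SDK Directory API; the file and group data is constructed for the example.

```python
"""Added example, not DataRobot code: hydrate Google Drive ACLs into principal
sets and enforce them when filtering retrieved files.

Assumed (not stated on the page): permission records use the Drive v3
`permissions` resource fields (type, emailAddress, domain, role) and group
membership comes from the Admin SDK Directory API. All data below is constructed."""
from __future__ import annotations

# Constructed: what drive.readonly permissions.list would return, keyed by file ID.
DRIVE_PERMISSIONS = {
    "file-roadmap": [
        {"type": "user", "emailAddress": "alice@example.com", "role": "owner"},
        {"type": "group", "emailAddress": "eng@example.com", "role": "reader"},
    ],
    "file-allhands": [{"type": "domain", "domain": "example.com", "role": "reader"}],
    "file-public": [{"type": "anyone", "role": "reader"}],
}

# Constructed: admin.directory.group.readonly members.list, keyed by group address.
GROUP_MEMBERS = {
    "eng@example.com": ["bob@example.com", "carol@example.com"],
    "leads@example.com": ["carol@example.com"],
}


def hydrate_acl(perms: list[dict]) -> set[str]:
    """Normalize one file's Drive permissions into principal tokens."""
    principals: set[str] = set()
    for p in perms:
        kind = p["type"]
        if kind == "user":
            principals.add("user:" + p["emailAddress"].lower())
        elif kind == "group":
            principals.add("group:" + p["emailAddress"].lower())
        elif kind == "domain":
            principals.add("domain:" + p["domain"].lower())
        elif kind == "anyone":
            principals.add("anyone")
        else:  # unknown grant type: fail closed instead of guessing
            raise ValueError(f"unrecognised permission type {kind!r}")
    return principals


def build_index(drive_perms: dict[str, list[dict]]) -> dict[str, set[str]]:
    """Hydration step: file ID -> principal tokens allowed to read it."""
    return {fid: hydrate_acl(p) for fid, p in drive_perms.items()}


def principals_for_user(email: str, group_members: dict[str, list[str]]) -> set[str]:
    """Tokens a requester satisfies: self, own domain, 'anyone', and direct groups."""
    email = email.lower()
    tokens = {"user:" + email, "domain:" + email.split("@", 1)[1], "anyone"}
    for group, members in group_members.items():
        if email in {m.lower() for m in members}:
            tokens.add("group:" + group.lower())
    return tokens


def filter_results(index, candidate_ids, email, group_members) -> list[str]:
    """Enforcement step: keep only files whose hydrated ACL admits the requester.
    A file with no hydrated ACL (stale or never synced) is denied."""
    user_tokens = principals_for_user(email, group_members)
    return [fid for fid in candidate_ids if index.get(fid, set()) & user_tokens]
```

Two design points carry over to a real deployment: a file that has no hydrated ACL is denied rather than served, so a lagging sync can only withhold results, never over-expose them; and nested groups would need recursive expansion of the `members.list` data, which the direct-membership lookup here does not do.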

## SharePoint

**Microsoft reference**

To learn more about ACL hydration and enforcement in Microsoft, see:

- List sharing permissions on a driveItem
- Microsoft Graph driveItem: delta
- Microsoft Graph permissions reference
- Overview of Selected permissions in OneDrive and SharePoint

### Microsoft Graph permissions

This section lists the Microsoft Graph permissions an administrator must grant to the Microsoft Entra ID-registered application.

| Permission | Purpose |
| --- | --- |
| Files.Read.All | Read items across drives; list effective sharing permissions on a driveItem; use drive delta to track adds, updates, deletes, and permission changes in the hierarchy. |
| Sites.Read.All | Read SharePoint sites and site-scoped drives (e.g. GET /sites/{site-id}/drives). |
| Directory.Read.All | Read user profiles (GET /users/{id}) and group memberships (GET /users/{id}/memberOf) to map principals referenced in ACLs; resolve tenant ID via GET /organization. |

### Change detection (delta-based)

Change detection is implemented via the Microsoft Graph drive delta API. The integration polls `GET /drives/{drive-id}/root/delta` continuously with the following `Prefer` header:

```
Prefer: hierarchicalsharing,deltashowremovedasdeleted,deltatraversepermissiongaps,deltashowsharingchanges
```

| Header value | Purpose |
| --- | --- |
| hierarchicalsharing | Propagates inherited sharing changes through the item hierarchy. |
| deltashowremovedasdeleted | Includes items removed from the drive as delete events. |
| deltatraversepermissiongaps | Traverses items where permission inheritance is broken to surface accurate per-item ACLs. |
| deltashowsharingchanges | Includes permission and sharing changes in delta responses. |

The `deltatraversepermissiongaps` header causes Microsoft Graph to traverse items where permission inheritance is broken. Microsoft's documentation notes that processing permissions correctly in some scanning scenarios may require `Sites.FullControl.All`.
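The polling loop this section describes, together with the SharePoint items under "Purpose of access" (ACL hydration from `permission` resources and tenant resolution for organization-scoped links), is shown below as an added example; it is not DataRobot's code. It assumes, per the Microsoft Graph `driveItem` and `permission` resource documentation rather than this page, that removed items carry a `deleted` facet, that items whose sharing changed carry the `@microsoft.graph.sharedChanged` annotation, that permission entries use `grantedToV2` user/group identities or a `link` facet with a `scope`, and that `GET /organization` returns the tenant as `value[0].id`. HTTP is injected as a callable so the example runs offline against constructed responses.

```python
"""Added example, not DataRobot code: one polling round over the Microsoft Graph
drive delta feed with the sharing-aware Prefer header, re-hydrating the ACL of
every item whose sharing changed and dropping deleted items.

Assumed (not on this page): removed items carry a `deleted` facet, sharing-
changed items carry the `@microsoft.graph.sharedChanged` annotation, permission
entries use `grantedToV2` user/group identities or a `link` facet with a
`scope`, and GET /organization returns the tenant in value[0].id. HTTP is
injected as a callable and all responses are constructed."""
from __future__ import annotations
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"
PREFER = ("hierarchicalsharing,deltashowremovedasdeleted,"
          "deltatraversepermissiongaps,deltashowsharingchanges")
Fetch = Callable[[str, dict], dict]  # (url, headers) -> parsed JSON body


def tenant_id(get: Fetch) -> str:
    """Directory.Read.All: resolve the tenant so organization links map to a principal."""
    return get(f"{GRAPH}/organization", {})["value"][0]["id"]


def item_principals(drive_id: str, item_id: str, get: Fetch, tenant: str) -> set[str]:
    """Files.Read.All: hydrate one item's permissions into principal tokens."""
    url = f"{GRAPH}/drives/{drive_id}/items/{item_id}/permissions"
    principals: set[str] = set()
    while url:  # the permissions collection is paged like any Graph collection
        page = get(url, {})
        for perm in page.get("value", []):
            who = perm.get("grantedToV2", {})
            if "user" in who:
                principals.add("user:" + who["user"]["id"])
            if "group" in who:
                principals.add("group:" + who["group"]["id"])
            scope = perm.get("link", {}).get("scope")
            if scope == "organization":
                principals.add("tenant:" + tenant)
            elif scope == "anonymous":
                principals.add("anyone")
        url = page.get("@odata.nextLink")
    return principals


def sync_delta(drive_id: str, get: Fetch, acl_index: dict, delta_link: str | None = None) -> str:
    """Apply every page of one delta round to acl_index; return the next deltaLink."""
    url = delta_link or f"{GRAPH}/drives/{drive_id}/root/delta"
    tenant = None
    while True:
        page = get(url, {"Prefer": PREFER})
        for item in page.get("value", []):
            if "deleted" in item:                 # deltashowremovedasdeleted
                acl_index.pop(item["id"], None)   # nothing may be served for it
                continue
            changed = item.get("@microsoft.graph.sharedChanged") == "True"
            if changed or item["id"] not in acl_index:  # deltashowsharingchanges / first sight
                tenant = tenant or tenant_id(get)
                acl_index[item["id"]] = item_principals(drive_id, item["id"], get, tenant)
        url = page.get("@odata.nextLink")
        if not url:
            return page["@odata.deltaLink"]  # persist this: it is the cursor for the next poll


# Constructed responses for an offline run: two delta pages, then a sharing change.
D = f"{GRAPH}/drives/d1"
RESPONSES = {
    f"{D}/root/delta": {"value": [{"id": "root", "root": {}}, {"id": "f1", "file": {}}],
                        "@odata.nextLink": f"{D}/root/delta?token=p2"},
    f"{D}/root/delta?token=p2": {"value": [{"id": "f2", "deleted": {"state": "deleted"}}],
                                 "@odata.deltaLink": f"{D}/root/delta?token=c1"},
    f"{D}/root/delta?token=c1": {"value": [{"id": "f1", "file": {},
                                            "@microsoft.graph.sharedChanged": "True"}],
                                 "@odata.deltaLink": f"{D}/root/delta?token=c2"},
    f"{GRAPH}/organization": {"value": [{"id": "tenant-0000"}]},
    f"{D}/items/root/permissions": {"value": [{"grantedToV2": {"group": {"id": "g-everyone"}}}]},
    f"{D}/items/f1/permissions": {"value": [{"grantedToV2": {"user": {"id": "u-alice"}}}]},
}


def fake_fetch(responses: dict) -> Fetch:
    """Stand-in for an authenticated HTTP GET; rejects delta polls that lack the Prefer header."""
    def get(url, headers):
        if "/root/delta" in url and headers.get("Prefer") != PREFER:
            raise RuntimeError("delta polled without the sharing-aware Prefer header")
        return responses[url]
    return get


def run_demo() -> tuple[dict, str]:
    """Initial sync, then a second poll after f1 gains an organization-wide link."""
    responses = dict(RESPONSES)
    get, index = fake_fetch(responses), {}
    cursor = sync_delta("d1", get, index)
    responses[f"{D}/items/f1/permissions"] = {"value": [
        {"grantedToV2": {"user": {"id": "u-alice"}}},
        {"link": {"scope": "organization", "type": "view"}},
    ]}
    cursor = sync_delta("d1", get, index, delta_link=cursor)
    return index, cursor
```

The `deltaLink` returned at the end of each round is the only state the poller needs to persist; resuming from it is what makes the scan incremental. Deleting the ACL entry for a removed item before anything else happens keeps enforcement fail-closed during the window between the delta event and the next full refresh.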

### Microsoft Graph routes

This section lists the Microsoft Graph routes used for ACL sync. The base URL `https://graph.microsoft.com/v1.0/` is the common root for each endpoint in the table.

| Area | Route |
| --- | --- |
| List sites | GET /sites |
| Get site | GET /sites/{site-id} |
| List drives for a site | GET /sites/{site-id}/drives |
| Get drive | GET /drives/{drive-id} |
| Drive delta (change detection) | GET /drives/{drive-id}/root/delta |
| Item permissions | GET /drives/{drive-id}/items/{item-id}/permissions |
| Item metadata | GET /drives/{drive-id}/items/{item-id} |
| User profile | GET /users/{id} |
| User group memberships | GET /users/{id}/memberOf |
| Organization / tenant ID resolution | GET /organization |
