ACL metadata hydration and enforcement
Access Control List (ACL) metadata hydration is the process of continuously retrieving and updating permission data from source systems, while enforcement ensures that those same access controls are applied and adhered to in DataRobot. This provides secure and compliant operation of AI workflows that rely on source-system permissions.
To retrieve and synchronize file- and user-level permissions from the source system, DataRobot requires:
- A service account with domain-wide delegation enabled.
- Access to specific Google Workspace APIs.
- A Microsoft Entra ID-registered application with Microsoft Graph application permissions (administrator-granted). These are required because service-style, tenant-wide access uses the OAuth 2.0 client credentials flow against the Microsoft identity platform.
- Access to specific SharePoint and Microsoft 365 APIs.
Purpose of access
DataRobot requires read-only access to:
- Retrieve and update ACL metadata for Google Drive files and folders.
- Detect permission changes in near real-time.
- Map user and group memberships to accurately enforce source access controls.
- Retrieve and update ACL metadata for SharePoint document libraries, folders, and files (via Microsoft Graph driveItem and permission resources).
- Detect permission and sharing changes by continuously polling the drive delta API with sharing-aware Prefer headers.
- Map users and Microsoft 365 groups to correctly resolve and enforce group-based grants in DataRobot.
- Resolve the Azure AD tenant ID for organization-scoped sharing links via the organization API.
This integration does not modify any permissions, files, or settings in the source system. All API usage is restricted to metadata retrieval and event monitoring.
Google Drive
Google API permissions
The following OAuth scopes are needed to enable end-to-end ACL synchronization and enforcement:
| Permission scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/admin.directory.group.readonly | View group structures and memberships to resolve group-based permissions. |
| https://www.googleapis.com/auth/admin.directory.user.readonly | View user directory information to map file ACLs to domain users. |
| https://www.googleapis.com/auth/drive.readonly | Retrieve file and folder metadata, including ACLs and sharing configurations. |
| https://www.googleapis.com/auth/drive.activity.readonly | Monitor Drive activity to capture permission and sharing changes. |
SharePoint
Microsoft reference
To learn more about ACL hydration and enforcement in Microsoft, see:
Microsoft Graph permissions
This section lists the Microsoft Graph permissions an administrator must grant to the Microsoft Entra ID-registered application.
| Permission | Purpose |
|---|---|
| Files.Read.All | Read items across drives; list effective sharing permissions on a driveItem; use drive delta to track adds, updates, deletes, and permission changes in the hierarchy. |
| Sites.Read.All | Read SharePoint sites and site-scoped drives (e.g. GET /sites/{site-id}/drives). |
| Directory.Read.All | Read user profiles (GET /users/{id}) and group memberships (GET /users/{id}/memberOf) to map principals referenced in ACLs; resolve tenant ID via GET /organization. |
Change detection (delta-based)
Change detection is implemented via the Microsoft Graph drive delta API. The integration polls GET /drives/{drive-id}/root/delta continuously with the following Prefer header:
Prefer: hierarchicalsharing,deltashowremovedasdeleted,deltatraversepermissiongaps,deltashowsharingchanges
| Header value | Purpose |
|---|---|
| hierarchicalsharing | Propagates inherited sharing changes through the item hierarchy. |
| deltashowremovedasdeleted | Includes items removed from the drive as delete events. |
| deltatraversepermissiongaps | Traverses items where permission inheritance is broken to surface accurate per-item ACLs. |
| deltashowsharingchanges | Includes permission and sharing changes in delta responses. |
The deltatraversepermissiongaps header causes Microsoft Graph to traverse items where permission inheritance is broken. Microsoft's documentation notes that processing permissions correctly in some scanning scenarios may require Sites.FullControl.All.
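The delta polling described above, as an added example (not DataRobot's code): it turns each delta response page into ACL actions and advances the cursor only after a complete round. It assumes Graph marks removed items with a deleted facet and sharing changes with the @microsoft.graph.sharedChanged annotation; the action names, fake_fetch, and the sample pages are hypothetical and constructed for illustration.

```python
# Prefer value copied from this page. Action names below are illustrative.
PREFER = ("hierarchicalsharing,deltashowremovedasdeleted,"
          "deltatraversepermissiongaps,deltashowsharingchanges")

def plan_acl_actions(page, drive_id):
    """Map one delta response page to (action, item_id, follow-up route) tuples."""
    actions = []
    for item in page.get("value", []):
        item_id = item["id"]
        base = f"/drives/{drive_id}/items/{item_id}"
        if "deleted" in item:
            # Removed item: drop its stored ACL so stale grants cannot be enforced.
            actions.append(("revoke", item_id, None))
        elif str(item.get("@microsoft.graph.sharedChanged", "")).lower() == "true":
            # Sharing changed (annotation name is an assumption): re-read permissions.
            actions.append(("rehydrate", item_id, base + "/permissions"))
        else:
            actions.append(("metadata", item_id, base))
    return actions, page.get("@odata.nextLink"), page.get("@odata.deltaLink")

def sync_round(fetch, start_url, drive_id):
    """Follow @odata.nextLink pages until @odata.deltaLink; return (actions, cursor)."""
    url, actions = start_url, []
    while url:
        page = fetch(url, headers={"Prefer": PREFER})
        found, url, delta_link = plan_acl_actions(page, drive_id)
        actions.extend(found)
        if delta_link:
            return actions, delta_link  # persist the cursor only after a full round
    # Fail closed: without a deltaLink the round is incomplete, keep the old cursor.
    raise RuntimeError("delta round ended without @odata.deltaLink")

# Constructed sample pages (not captured from a real tenant); ids are made up.
SAMPLE_PAGES = {
    "/drives/d1/root/delta": {
        "value": [
            {"id": "A", "name": "plan.docx", "@microsoft.graph.sharedChanged": "True"},
            {"id": "B", "deleted": {"state": "deleted"}},
        ],
        "@odata.nextLink": "page-2",
    },
    "page-2": {"value": [{"id": "C", "name": "notes.txt"}],
               "@odata.deltaLink": "cursor-2"},
}

def fake_fetch(url, headers):
    if headers.get("Prefer") != PREFER:
        raise ValueError("sharing-aware Prefer header missing")
    return SAMPLE_PAGES[url]
```

Calling sync_round(fake_fetch, "/drives/d1/root/delta", "d1") walks both sample pages; in a real client, fetch would be an authenticated GET using the app-only token.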
Microsoft Graph routes
This section lists the Microsoft Graph routes used for ACL sync. The base URL https://graph.microsoft.com/v1.0/ is the common root for each endpoint in the table.
| Area | Route |
|---|---|
| List sites | GET /sites |
| Get site | GET /sites/{site-id} |
| List drives for a site | GET /sites/{site-id}/drives |
| Get drive | GET /drives/{drive-id} |
| Drive delta (change detection) | GET /drives/{drive-id}/root/delta |
| Item permissions | GET /drives/{drive-id}/items/{item-id}/permissions |
| Item metadata | GET /drives/{drive-id}/items/{item-id} |
| User profile | GET /users/{id} |
| User group memberships | GET /users/{id}/memberOf |
| Organization / tenant ID resolution | GET /organization |