ContextFlo

Access Control

ContextFlo restricts data access by combining access groups with per-table rules. This doc explains the mental model so you can reason about who sees what.

Key Concepts

Access Groups

  • Users belong to one or more groups.
  • Each group holds a list of rules (ALLOW or DENY).
  • A group can be marked as the default; new users are automatically added.

Rules at a Glance

  • Each rule combines an action (ALLOW or DENY) with a name pattern eg: PROD.CRM.*, ANALYTICS.*, FINANCE.PRODUCTS.TRANSACTIONS
  • Patterns apply against fully qualified names of tables. (case-insensitive).
  • Deny takes precedence when multiple rules match the same table.
  • For a given user, we look at all the groups they are part of and evaluate.

Recommended Pattern

Most customers follow this pattern:

  1. Default group – contains a single ALLOW namespace wildcard (e.g., *). Everyone belongs to it.
  2. Specialized groups – layer DENY (and narrow ALLOW) rules to carve out exceptions.
  3. Users inherit baseline access from the default group but lose it for any namespaces explicitly denied elsewhere.
  4. If you want some users to have very specific permissions, add them to specific groups (not overlapping) and add specific allow rules.

If a user belongs only to a deny-only group (e.g., DENY FINANCE.*) and no allow-all group, they will be denied from every table—because there are no ALLOWs to match.

How the MCP Server Enforces It

  • list-tables and get-table-context hide tables the user can’t access and tell them to contact an admin if nothing remains.
  • execute-query currently relies on table-level enforcement. It extracts the tables from the query and makes sure the user has access to them.
  • The UI warns when access-control evaluation fails so admins can diagnose configuration issues.

Operating Tips

  • Name groups for business intent (finance-readonly, marketing-plus).
  • Use DENY sparingly and as specific as possible (TABLE > SCHEMA > NAMESPACE).
  • Audit memberships periodically to ensure users only inherit what they need.
  • When onboarding a new datasource, update the default group’s allow rule if necessary.

Need help modeling rules? Reach out to the ContextFlo team—we’re happy to review your setup.