Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to enforce data source access control (also referred to
as ACLs) for search apps you create using Cloud Storage or BigQuery.
Overview
Access control for your data sources in Agentspace limits the data
that users can view in your search app's results. Google uses your identity
provider to identify the end user performing a search and determine if they
have access to the documents that are returned as results.
For example, say that employees at your company search across BigQuery
documents using your search app. However, you need to make sure they can't view
content through the app that they aren't allowed to access. If you have set up a
workforce pool in Google Cloud for your organization's identity provider, then
you can also specify that workforce pool in Agentspace. Now, if an
employee uses your app, they get search results only for documents that their
account already has access to in BigQuery.
Turning on access control is a one-time procedure. To apply access control to a
BigQuery or Cloud Storage data source, use the
following steps depending on your data type, such as structured or
unstructured data.
When setting up a data store for unstructured data from
Cloud Storage, you need to also upload ACL metadata and set the data
store as access controlled:
When preparing your data, include ACL information in your metadata using the
acl_info field. For example:
{"id":"<your-id>","jsonData":"<JSON string>","content":{"mimeType":"<application/pdf or text/html>","uri":"gs://<your-gcs-bucket>/directory/filename.pdf"},"acl_info":{"readers":[{"principals":[{"group_id":"group_1"},{"user_id":"user_1"}]}]}}
For more information about unstructured data with metadata, see the
Unstructured data section of Prepare data for
ingesting.
When following the steps for data store creation in Create a first-party
data store, you can enable access control by doing the
following in either the console or using the API:
Console: When creating a data store, select This data store contains
access control information during data store creation.
API: When creating data store, include the field "aclEnabled": "true"
in your JSON payload.
When following the steps for data store creation in Create a first-party data
store, you can enable access control by doing the
following in either the console or using the API:
Console: When creating a data store, select This data store contains
access control information during data store creation.
API: When creating data store, include the field "aclEnabled": "true"
in your JSON payload.
When setting up a data store for unstructured data from BigQuery,
you need to set the data store as access controlled and provide ACL metadata
using a predefined schema for Agentspace:
When preparing your data, specify the following schema. Don't use a custom
schema.
When setting up a data store for structured data from BigQuery,
you need to set the data store as access controlled and provide ACL metadata
using a predefined schema for Agentspace:
When preparing your data, specify the following schema. Don't use a custom
schema.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["# Configure access controls for custom data sources\n\nThis page describes how to enforce data source access control (also referred to\nas ACLs) for search apps you create using Cloud Storage or BigQuery.\n\nOverview\n--------\n\nAccess control for your data sources in Agentspace limits the data\nthat users can view in your search app's results. Google uses your identity\nprovider to identify the end user performing a search and determine if they\nhave access to the documents that are returned as results.\n\nFor example, say that employees at your company search across BigQuery\ndocuments using your search app. However, you need to make sure they can't view\ncontent through the app that they aren't allowed to access. If you have set up a\nworkforce pool in Google Cloud for your organization's identity provider, then\nyou can also specify that workforce pool in Agentspace. Now, if an\nemployee uses your app, they get search results only for documents that their\naccount already has access to in BigQuery.\n\nTurning on access control is a one-time procedure. To apply access control to a\nBigQuery or Cloud Storage data source, use the\nfollowing steps depending on your data type, such as structured or\nunstructured data.\n\n- [Unstructured data from Cloud Storage](#acl-storage-unstructured)\n- [Structured data from Cloud Storage](#acl-storage-structured)\n- [Unstructured data from BigQuery](#acl-unstructured-bq)\n- [Structured data from BigQuery](#acl-structured-bq)\n\nUnstructured data from Cloud Storage\n------------------------------------\n\nWhen setting up a data store for unstructured data from\nCloud Storage, you need to also upload ACL metadata and set the data\nstore as access controlled:\n\n1. When preparing your data, include ACL information in your metadata using the\n `acl_info` field. For example:\n\n {\n \"id\": \"\u003cyour-id\u003e\",\n \"jsonData\": \"\u003cJSON string\u003e\",\n \"content\": {\n \"mimeType\": \"\u003capplication/pdf or text/html\u003e\",\n \"uri\": \"gs://\u003cyour-gcs-bucket\u003e/directory/filename.pdf\"\n },\n \"acl_info\": {\n \"readers\": [\n {\n \"principals\": [\n { \"group_id\": \"group_1\" },\n { \"user_id\": \"user_1\" }\n ]\n }\n ]\n }\n }\n\n For more information about unstructured data with metadata, see the\n Unstructured data section of [Prepare data for\n ingesting](/agentspace/docs/prepare-data#unstructured).\n2. When following the steps for data store creation in [Create a first-party\n data store](/agentspace/docs/create-data-store), you can enable access control by doing the\n following in either the console or using the API:\n\n - **Console** : When creating a data store, select **This data store contains\n access control information** during data store creation.\n - **API** : When creating data store, include the field `\"aclEnabled\": \"true\"` in your JSON payload.\n3. When following the steps for data import in [Create a first-party\n data store](/agentspace/docs/create-data-store), make sure to do the following:\n\n - Upload your metadata with ACL information from the same bucket as your unstructured data\n - If using the API, set [`GcsSource.dataSchema`](/agentspace/docs/reference/rest/v1/GcsSource) to `document`\n\nStructured data from Cloud Storage\n----------------------------------\n\nWhen setting up a data store for structured data from\nCloud Storage, you need to also upload ACL metadata and set the data\nstore as access controlled:\n\n1. When preparing your data, include ACL information in your metadata using the\n `acl_info` field. For example:\n\n {\n \"id\": \"\u003cyour-id\u003e\",\n \"jsonData\": \"\u003cJSON string\u003e\",\n \"acl_info\": {\n \"readers\": [\n {\n \"principals\": [\n { \"group_id\": \"group_1\" },\n { \"user_id\": \"user_1\" }\n ]\n }\n ]\n }\n }\n\n2. When following the steps for data store creation in [Create a first-party data\n store](/agentspace/docs/create-data-store), you can enable access control by doing the\n following in either the console or using the API:\n\n - **Console** : When creating a data store, select **This data store contains\n access control information** during data store creation.\n - **API** : When creating data store, include the field `\"aclEnabled\": \"true\"` in your JSON payload.\n3. When following the steps for data import in [Create a first-party data\n store](/agentspace/docs/create-data-store), make sure to do the following:\n\n - Upload your metadata with ACL information from the same bucket as your structured data\n - If using the API, set [`GcsSource.dataSchema`](/agentspace/docs/reference/rest/v1/GcsSource) to `document`\n\nUnstructured data from BigQuery\n-------------------------------\n\nWhen setting up a data store for unstructured data from BigQuery,\nyou need to set the data store as access controlled and provide ACL metadata\nusing a predefined schema for Agentspace:\n\n1. When preparing your data, specify the following schema. Don't use a custom\n schema.\n\n [\n {\n \"name\": \"id\",\n \"mode\": \"REQUIRED\",\n \"type\": \"STRING\",\n \"fields\": []\n },\n {\n \"name\": \"jsonData\",\n \"mode\": \"NULLABLE\",\n \"type\": \"STRING\",\n \"fields\": []\n },\n {\n \"name\": \"content\",\n \"type\": \"RECORD\",\n \"mode\": \"NULLABLE\",\n \"fields\": [\n {\n \"name\": \"mimeType\",\n \"type\": \"STRING\",\n \"mode\": \"NULLABLE\"\n },\n {\n \"name\": \"uri\",\n \"type\": \"STRING\",\n \"mode\": \"NULLABLE\"\n }\n ]\n },\n {\n \"name\": \"acl_info\",\n \"type\": \"RECORD\",\n \"mode\": \"NULLABLE\",\n \"fields\": [\n {\n \"name\": \"readers\",\n \"type\": \"RECORD\",\n \"mode\": \"REPEATED\",\n \"fields\": [\n {\n \"name\": \"principals\",\n \"type\": \"RECORD\",\n \"mode\": \"REPEATED\",\n \"fields\": [\n {\n \"name\": \"user_id\",\n \"type\": \"STRING\",\n \"mode\": \"NULLABLE\"\n },\n {\n \"name\": \"group_id\",\n \"type\": \"STRING\",\n \"mode\": \"NULLABLE\"\n }\n ]\n }\n ]\n }\n ]\n }\n ]\n\n2. Include your ACL metadata as a column in your BigQuery table.\n\n3. When following the steps in [Create a first-party data\n store](/agentspace/docs/create-data-store), enable access control in either the console or\n using the API:\n\n - **Console** : When creating a data store, select **This data store contains\n access control information** during data store creation.\n - **API** : When creating data store, include the field `\"aclEnabled\": \"true\"` in your JSON payload.\n4. When following the steps for data import in [Create a first-party data\n store](/agentspace/docs/create-data-store), if using the API, set\n [`BigQuerySource.dataSchema`](/agentspace/docs/reference/rest/v1/BigQuerySource) to `document`.\n\nStructured data from BigQuery\n-----------------------------\n\nWhen setting up a data store for structured data from BigQuery,\nyou need to set the data store as access controlled and provide ACL metadata\nusing a predefined schema for Agentspace:\n\n1. When preparing your data, specify the following schema. Don't use a custom\n schema.\n\n [\n {\n \"name\": \"id\",\n \"mode\": \"REQUIRED\",\n \"type\": \"STRING\",\n \"fields\": []\n },\n {\n \"name\": \"jsonData\",\n \"mode\": \"NULLABLE\",\n \"type\": \"STRING\",\n \"fields\": []\n },\n {\n \"name\": \"acl_info\",\n \"type\": \"RECORD\",\n \"mode\": \"NULLABLE\",\n \"fields\": [\n {\n \"name\": \"readers\",\n \"type\": \"RECORD\",\n \"mode\": \"REPEATED\",\n \"fields\": [\n {\n \"name\": \"principals\",\n \"type\": \"RECORD\",\n \"mode\": \"REPEATED\",\n \"fields\": [\n {\n \"name\": \"user_id\",\n \"type\": \"STRING\",\n \"mode\": \"NULLABLE\"\n },\n {\n \"name\": \"group_id\",\n \"type\": \"STRING\",\n \"mode\": \"NULLABLE\"\n }\n ]\n }\n ]\n }\n ]\n }\n ]\n\n2. Include your ACL metadata as a column in your BigQuery table.\n\n3. When following the steps in [Create a first-party data\n store](/agentspace/docs/create-data-store), enable access control in either the console or\n using the API:\n\n - **Console** : When creating a data store, select **This data store contains\n access control information** during data store creation.\n - **API** : When creating data store, include the field `\"aclEnabled\": \"true\"` in your JSON payload.\n4. When following the steps for data import in [Create a first-party\n data store](/agentspace/docs/create-data-store), make sure to do the following:\n\n - If using the console, then when specifying the kind of data you're uploading, select **JSONL for structured data with metadata**.\n - If using the API, set [`BigQuerySource.dataSchema`](/agentspace/docs/reference/rest/v1/BigQuerySource) to `document`."]]
