CONCEPT Cited by 1 source
ACL-propagated agent memory¶
Definition¶
ACL-propagated agent memory is the access-control design where each chunk of agent memory is tagged with its originating data source and the data source's existing ACL is enforced at memory-retrieval time — rather than copying the data source's ACL onto the memory chunk and re-enforcing it independently, or ignoring source ACLs and treating all memories as globally readable.
Canonical framing (Grafana Assistant, 2026-05-01)¶
(Source: sources/2026-05-01-grafana-how-grafana-assistant-learns-your-infrastructure-before-you-even-ask)
"Assistant also respects your organization's access controls. Each memory is linked to the data sources used to generate it, so users only see knowledge derived from data sources they have permission to access."
Two load-bearing design decisions in that sentence:
- Link, don't copy. Each memory records its source data source(s), not a snapshot of that data source's ACL. When ACLs change on the data source, memory access changes automatically without re-tagging memories.
- Enforce at retrieval. The ACL check happens when the user (or the agent on behalf of the user) queries the memory, not at extraction time. The swarm's discovery agents may run under a higher-privileged service account that has access to all data sources; the memories they produce are still access-controlled for the end user at query time.
Why this design shape matters¶
Consider the failure modes the link-don't-copy design prevents:
Failure mode 1: Privilege escalation by memory extraction¶
If memories were extracted under a service account's
privileges and then stored with "globally readable" ACLs, a
developer with access only to namespace=frontend Prometheus
could read a summary of namespace=payments service
dependencies just because the memory was extracted by a
higher-privileged account. This is a real exfiltration
vector in a multi-team stack.
Link-don't-copy closes it: the payments memory is tagged with
source=payments-prometheus, and at retrieval the user's
ACL list is checked against that source. The developer
without access to the payments data source doesn't see the
memory.
Failure mode 2: ACL staleness¶
If the memory chunk copied the data source's ACL at extraction time, revoking a user's access to the source data source would not revoke their access to memories already extracted from that source. The revoked user continues to see historical memories indefinitely.
Link-don't-copy: the ACL check at retrieval time uses the data source's current ACL, so revocation is immediate.
Failure mode 3: ACL divergence from source-of-truth¶
If memories had independent ACLs, adding a new team member to the payments data source would require two parallel grants: one to the source, one to every derived memory. Link-don't- copy ensures the memory ACL is always consistent with the data source's ACL because it is the data source's ACL.
When the design applies¶
Link-don't-copy ACL propagation is the right model when:
- The originating data source has first-class ACL support. Grafana Cloud's data-source ACLs are the anchor; any system with comparable source-of-truth permissions can apply the same model.
- The derived data is a transformation, not a reorganisation. A memory summarising one data source is the natural case. A memory that joins two data sources (e.g. cross-referencing Prometheus metrics with Loki logs) needs to inherit the intersection of ACLs from both sources.
- ACLs change rarely enough that per-query enforcement is cheap. If ACL lookup is expensive (LDAP roundtrip, IAM policy evaluation), per-query enforcement may need a cached permission snapshot with TTL.
When it breaks down¶
- Aggregated memories across sources with heterogeneous ACLs. A service-group memory that aggregates info from multiple data sources with different ACL populations needs to compute the ACL intersection (most restrictive), not union.
- Derived insights leak source-level data. A "services with highest error rates" memory derived from a protected source may leak the existence of the service even when the user can't read the underlying metrics. Correct design requires redacting source-bound identifiers from aggregate memories.
- Data source exposure change. If the data source itself is deleted, linked memories become orphaned; the retrieval policy must handle this (deny by default? tombstone? ACL failure?). Undisclosed for Grafana Assistant.
Contrast with the copy-ACL-at-extraction alternative¶
| Property | Link-don't-copy | Copy-ACL-at-extraction |
|---|---|---|
| ACL change propagation | Immediate (reads current ACL) | Stale until next refresh |
| Retrieval cost | ACL lookup per query | None (pre-baked) |
| Revocation | Immediate | Delayed until refresh |
| Memory store size | Smaller (no ACL metadata) | Larger (ACL metadata per memory) |
| Cross-source memory | Must intersect source ACLs | Must copy intersection |
| Audit trail | ACL history lives on source | Split across source + memory |
The Grafana instance takes link-don't-copy; the tradeoff it accepts is per-query ACL lookup cost for the correctness win on revocation latency.
Seen in¶
- sources/2026-05-01-grafana-how-grafana-assistant-learns-your-infrastructure-before-you-even-ask — canonical wiki instance of link-don't-copy ACL propagation for AI-agent memory. Grafana's data-source ACL model is the anchor; memories inherit access by source-tag at retrieval time.