Role-Based Access Control (RBAC)

To ensure that personal data and sensitive business information are only available to authorized staff, Intric uses strict role-based access control (RBAC). This system is central to meeting the GDPR’s requirements for data minimization and data protection by design.

Overall permission structure

Intric’s permission model is built in a hierarchy to give maximum flexibility and security:

  • Organization/Workspace: The top level where overall settings and user management are handled.
  • Spaces: Logical groupings (e.g. departments or projects) where access is controlled at group level.
🔍 Read more in the article How to structure your spaces
  • Collections: Specific folders or subject areas within a Space where documents are stored.
🔍 Read more in the article Collections

Defined roles

Users’ permissions in the platform are determined by their assigned role. Roles can be assigned both at organization level and for specific Spaces to control access and functionality. For roles within a Space:

🔍 Read more in the article Roles in Spaces
  • Owner: The organization’s owner/administrator. Key functions: full control over organization settings, user management, groups, SSO configuration, and billing.
  • Creator: Content creator / contributor. Key functions: can upload documents, create and manage content in Collections, and interact fully with AI Assistants.
  • User: End user / reader. Key functions: can search, read documents, and ask questions to AI Assistants, but cannot upload, change, or delete data.

Spaces and Collections: Granular control

Access control in Intric is based on the principle of need-to-know. This is handled through granular control at Space and document level.

  • Spaces as access boundary: Access is controlled by inviting specific users or groups to a Space. A user who is not a member of a Space cannot see its documents, search results, or the Assistants linked to that Space.
🔍 Read more in the article Collaborate in Spaces
  • Private Spaces: For particularly sensitive information (e.g. management documentation or specific HR matters), private Spaces can be created. These are hidden from everyone except the specifically invited members.
  • Collections for internal structure: Within each Space, documents can be organized in Collections. This gives administrators a clear overview of where different types of information are stored and ensures that the right content is processed by the right Assistant.
🔍 Read more about Collections: Collections

Security classification: Control at model level

In addition to user permissions, Intric uses security classification to control data flows at system level. This makes it possible to restrict which AI models may be used by specific Assistants.

  • Model boundaries: Administrators can classify Assistants (e.g. “Sensitive HR data” vs “Public information”). An Assistant with a high security classification can be configured to use only specific models that meet your organization’s highest compliance requirements.
🔍 Read more in the article Language Models
🔍 Read more about model classification: Model Classification
  • Data minimization in processing: By controlling model choice, you ensure that sensitive information is never sent to a model or sub-processor that is not approved for that type of data.
🔍 Read more about security classification for administrators: Security Classification

Technical security boundaries

Intric’s architecture ensures that access control is enforced at all levels. For an overall technical picture:

🔍 Read more in the article System Architecture and Technical Overview
  • API validation: Every call to the database or AI model is validated against the user’s current permissions. If a user lacks permission for a specific document, it is never included in the AI model’s context.
  • Login protection: Via SSO integration (e.g. Entra ID), your internal security policies are reflected, including multi-factor authentication (MFA) and conditional access.
🔍 Read more about SSO: SSO and User Groups
  • Logical isolation: Even when multiple Spaces exist within the same organization, search indexes and storage are structured so that searches never return results outside the user’s permission scope.
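As an added illustration (not Intric’s own code), the following Python models the checks described in the security classification section and the API validation bullet above: Space membership and role decide what a user may do, only documents the user may read enter an Assistant’s context, and an Assistant’s security classification restricts which models it may use. Role names follow the role list above; the action names, classification ordering, and sample users and documents are assumptions.

```python
from dataclasses import dataclass

# Illustrative model of the page's checks, not Intric's code. Role capabilities follow the
# role list above; the action names and classification ordering are assumptions.
ROLE_ACTIONS = {
    "User":    {"search", "read", "ask"},
    "Creator": {"search", "read", "ask", "upload", "edit", "delete"},
    "Owner":   {"search", "read", "ask", "upload", "edit", "delete", "manage"},
}
# An Assistant may only use a model approved for data at least as sensitive as its own level.
LEVEL = {"Public information": 0, "Internal": 1, "Sensitive HR data": 2}

@dataclass(frozen=True)
class Document:
    doc_id: str
    space: str

@dataclass(frozen=True)
class Assistant:
    name: str
    space: str
    classification: str

@dataclass(frozen=True)
class Model:
    name: str
    approved_for: str  # highest classification this model / sub-processor is approved for

# Constructed sample data: Space -> {user: role}; users not listed in a Space have no access to it.
MEMBERSHIP = {"hr": {"alice": "Owner", "bob": "User"}, "marketing": {"bob": "Creator", "carol": "User"}}
DOCS = [Document("salary-2024", "hr"), Document("campaign-q3", "marketing")]
HR_ASSISTANT = Assistant("HR helper", "hr", "Sensitive HR data")

def can(user: str, space: str, action: str) -> bool:
    """Space membership is the access boundary; the role within the Space decides the action."""
    role = MEMBERSHIP.get(space, {}).get(user)
    return role is not None and action in ROLE_ACTIONS[role]

def visible_documents(user: str, documents=DOCS) -> list:
    # Only documents the user may read are eligible for the model's context.
    return [d for d in documents if can(user, d.space, "read")]

def assistant_may_use(assistant: Assistant, model: Model) -> bool:
    return LEVEL[model.approved_for] >= LEVEL[assistant.classification]

def build_context(user: str, assistant: Assistant, model: Model, documents=DOCS) -> list:
    """Validate the request the way the API layer above describes, then assemble the context."""
    if not can(user, assistant.space, "ask"):
        raise PermissionError(f"{user} is not a member of Space '{assistant.space}'")
    if not assistant_may_use(assistant, model):
        raise PermissionError(f"model '{model.name}' is not approved for '{assistant.classification}'")
    return [d.doc_id for d in visible_documents(user, documents) if d.space == assistant.space]
```

A request from a non-member raises before any document is fetched, and a model not approved for the Assistant’s classification is rejected even for an Owner.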

Configuration and Audit

To support compliance, Intric offers tools to review and control access:

  • Permission overview: In the control panel, administrators can see exactly which users have access to which Spaces.
  • Audit logs: The system logs critical events such as role changes, data deletion, and document export. This provides the traceability often required in a DPIA.
🔍 Read more in the article Audit log

Best practices for access configuration

We recommend the following for a secure setup:

  • Principle of least privilege: Assign Creator or Owner status only to those who actually need to manage data. Use User as the default for most users.
  • Use Spaces strategically: Create separate Spaces for sensitive areas (e.g. HR, management, or specific customer projects) rather than one large shared Space for the whole organization. This also makes export, erasure, and deletion easier in line with the GDPR.
🔍 Read more in the article Data Handling: Export, Erasure, and Deletion
  • Combine RBAC with security classification: Use security classification on your Assistants so that the most sensitive data is always processed by the most secure model options.
🔍 Read more in the article Security Classification