{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["platform-badges","admonition","img"]},"type":"markdown"},"seo":{"title":"Treasure AI Studio - Security & Permissions","description":"Monitor network activity through the audit log and understand the server-side sandbox that isolates every execution.","siteUrl":"https://docs.treasuredata.com","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"security--permissions","__idx":0},"children":["Security & Permissions"]},{"$$mdtype":"Tag","name":"PlatformBadges","attributes":{"platforms":["Web","Desktop","Mobile"]},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Ship faster without sacrificing control. The server-side sandbox ensures every command runs in an isolated execution environment — never on your local machine."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Note"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The AI executes all commands and queries inside a sandboxed execution environment with restricted network access and filesystem scope. Your Treasure AI credentials are managed server-side and are not stored in the browser."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"objective","__idx":1},"children":["Objective"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Understand the security boundaries that protect your data when using Treasure AI Studio — the server-side sandbox, network audit logging, and your responsibilities when working with AI-generated output."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":2},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Signed in to Treasure AI Studio (",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/ai-studio/getting-started"},"children":["Getting Started"]},")"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin role"]}," required for Network Audit Log access"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"server-side-execution-environment","__idx":3},"children":["Server-Side Execution Environment"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Unlike Treasure Studio Labs — which ran commands directly on your local machine — Treasure AI Studio executes all CLI commands and queries in an isolated server-side sandbox."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This means:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No local filesystem access."]}," The AI cannot read or write files on your computer. File operations happen in a managed server environment."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Sandboxed execution."]}," Each session runs in its own isolated worker with restricted network and filesystem access. If a sandbox crashes unexpectedly, you'll see the message: \"The sandbox environment crashed unexpectedly and is restarting. Please wait a moment and try again.\""]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Credential isolation."]}," Your Treasure AI credentials are managed server-side and are not stored in the browser. The AI accesses your Treasure AI account through a server-side access token — you do not need to provide credentials directly."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"network-audit-log-admin-only","__idx":4},"children":["Network Audit Log (Admin Only)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Account administrators can monitor all network activity through the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Network Audit Log"]}," in Settings."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"how-to-access","__idx":5},"children":["How to Access"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Open ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," (click your user avatar in the sidebar footer)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the left navigation, under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Organization"]}," section, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Network Audit Log"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"audit-log-features","__idx":6},"children":["Audit Log Features"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Feature"},"children":["Feature"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Time range"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Filter by duration: 1h, 6h, 24h, 3d, 7d, 14d, 30d"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Sort order"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Newest first or Oldest first"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Filters"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Domain, IP, Port, Chat ID, Action type (\"Any\" for all)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Columns"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Timestamp, Chat, Action, Domain, IP, Port, Protocol"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Stats"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Shows matched count, scanned count, and bytes scanned"]}]}]}]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/ai-studio-audit-log.a42f304eaf678ce358efa50e7bc8082ace74cdd67bcf4055052fe0c31f9b4a7b.8a9297e8.webp","alt":"Network Audit Log showing time range selector, filter controls, and activity table","withLightbox":true,"width":"700px"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Note"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Network Audit Log tab is only visible to account administrators. Regular users will not see the \"Organization\" section in Settings."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ai-generated-output-disclaimer","__idx":7},"children":["AI-Generated Output Disclaimer"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Studio uses AI to generate outputs including queries, configurations, segments, and recommendations. These outputs:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["May be incorrect or incomplete."]}," Always review generated SQL, segment rules, and configurations before deploying to production."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Should be validated."]}," Use the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sql-skills:trino-optimizer"]}," skill to check query performance, ask the AI to run ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["tdx sg validate"]}," to validate segment definitions, and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["tdx journey validate"]}," for journeys."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Are your responsibility."]}," Review and approve all AI-generated changes before pushing them to your Treasure AI account."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"best-practices","__idx":8},"children":["Best Practices"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"for-administrators-rolling-out-to-teams","__idx":9},"children":["For Administrators Rolling Out to Teams"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Use projects to enforce guardrails."]}," Create projects with instructions like \"Always validate before pushing\" and \"Never modify production segments directly.\""]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitor via Network Audit Log."]}," Review network activity regularly, filtering by time range and domain to identify unexpected API calls."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"for-individual-users","__idx":10},"children":["For Individual Users"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Review tool calls."]}," Every action the AI takes is visible in the chat stream. Watch for queries and API calls as they execute."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Leverage skills for validation."]}," Skills like ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["validate-segment"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["validate-journey"]}," catch configuration errors before they reach your account."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"security-responsibility","__idx":11},"children":["Security Responsibility"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You are responsible for:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Reviewing and validating all AI-generated outputs before deployment"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Not embedding secrets, passwords, or access tokens directly into chat messages"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Reporting any security concerns to ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"mailto:security@treasure-data.com"},"children":["security@treasure-data.com"]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Note"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Penetration testing, vulnerability scanning, or other security assessments of Treasure AI Studio require Treasure AI's prior written consent."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"verification","__idx":12},"children":["Verification"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," (Admins) Access the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Network Audit Log"]}," under Settings > Organization"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"troubleshooting","__idx":13},"children":["Troubleshooting"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Issue"},"children":["Issue"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["\"The sandbox environment crashed unexpectedly and is restarting\""]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Wait a moment and retry your message. If persistent, start a new chat — the operation may exceed sandbox resource limits"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Audit log shows no entries"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Audit log access requires admin permissions. Confirm your account role with your organization administrator"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"next-steps","__idx":14},"children":["Next Steps"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/ai-studio/security/access-control"},"children":["Access Control"]}," — PBP, IP allowlists, and AI feature access"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/ai-studio/getting-started"},"children":["Getting Started"]}," — Set up Studio on your platform"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/ai-studio/security/sso-login"},"children":["SSO Login"]}," — Authentication details"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/ai-studio/concepts"},"children":["Core Concepts"]}," — Projects, models, and credits"]}]}]},"headings":[{"value":"Security & Permissions","id":"security--permissions","depth":1},{"value":"Objective","id":"objective","depth":2},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Server-Side Execution Environment","id":"server-side-execution-environment","depth":2},{"value":"Network Audit Log (Admin Only)","id":"network-audit-log-admin-only","depth":2},{"value":"How to Access","id":"how-to-access","depth":3},{"value":"Audit Log Features","id":"audit-log-features","depth":3},{"value":"AI-Generated Output Disclaimer","id":"ai-generated-output-disclaimer","depth":2},{"value":"Best Practices","id":"best-practices","depth":2},{"value":"For Administrators Rolling Out to Teams","id":"for-administrators-rolling-out-to-teams","depth":3},{"value":"For Individual Users","id":"for-individual-users","depth":3},{"value":"Security Responsibility","id":"security-responsibility","depth":2},{"value":"Verification","id":"verification","depth":2},{"value":"Troubleshooting","id":"troubleshooting","depth":2},{"value":"Next Steps","id":"next-steps","depth":2}],"frontmatter":{"seo":{"title":"Treasure AI Studio - Security & Permissions","description":"Monitor network activity through the audit log and understand the server-side sandbox that isolates every execution."},"platforms":["Web","Desktop","Mobile"]},"lastModified":"2026-05-22T08:07:54.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/ai-studio/security","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}