# Access Control

Studio executes all Treasure AI operations using your existing credentials — your organization's PBP policies and IP allowlists apply to those operations automatically. Studio itself does not have its own access control layer.

Protect PII during agent inference
To prevent PII from being sent to external LLM providers (Bedrock, OpenAI, etc.) when agents run inference, configure column-level masking at the data layer. The masking carries through Studio agents and custom skills automatically. See [Configure column-level access control to keep PII out of LLMs](/products/customer-data-platform/ai-agent-foundry/security/configure-column-level-access-control-for-pii).

Note
Studio authenticates through Treasure AI SSO and uses your TD credentials for all data operations. Access to databases, tables, and APIs is governed by your organization's Treasure AI policies — Studio passes your credentials through, it does not enforce its own access controls.

## Objective

Understand how your organization's Treasure AI access controls interact with Treasure AI Studio.

## Prerequisites

- A **Treasure AI account**
- Familiarity with [Security & Permissions](/products/ai-studio/security)


## Treasure AI Permissions (PBP)

Studio does not introduce a new permissions layer. Every query, segment push, and API call the AI executes goes through your Treasure AI account using your credentials. Your organization's [Policy-Based Permissions](/products/control-panel/security/policies/about-policy-based-permissions) govern what the AI can and cannot access.

Note
The AI operates with your credentials. If PBP restricts your access to a database, the AI receives the same "permission denied" error you would see in the console. Studio does not elevate or bypass your permissions.

Technical Note
During sign-in, Studio obtains an OAuth access token from Treasure AI. This token is stored server-side and used to authenticate all Treasure AI API requests made by the AI. No permission logic runs inside Studio itself — enforcement is entirely at the Treasure AI API layer.

## IP Allowlist

If your organization uses Treasure AI's IP allowlist to restrict API access to approved networks, Studio works within those boundaries because it calls the Treasure AI API from a fixed set of outbound addresses. Most users do not need to take any action here; adding those addresses to the allowlist is an administrator configuration task.

### Treasure AI IP Allowlist

Studio connects to the Treasure AI API from a fixed set of outbound IP addresses. These addresses are static — they do not change between sessions or deployments.

**If your organization has a Treasure AI IP allowlist configured**, add Studio's outbound IPs for your region to the allowlist. Without this step, Treasure AI's network policy blocks the AI's queries and API calls even though your credentials are valid.

Studio uses the following outbound IP addresses, by region:

US

```
34.199.15.172
100.51.233.143
54.175.7.102
```

Tokyo

```
13.113.25.188
13.114.204.90
35.79.133.156
```

EU01

```
63.182.125.82
52.57.200.243
63.180.90.169
```
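Allowlist entries are often maintained as CIDR blocks rather than single addresses, so it is easy to miss one of the three outbound IPs for a region or, conversely, to open a far wider range than Studio needs. The script below is an added example, not part of Studio or its documentation: it takes a region name and an allowlist as a list of strings (bare IPs or CIDR blocks, with optional `#` comments, as an administrator might copy them out of the Treasure AI console), reports which of Studio's outbound IPs for that region are not covered, and flags entries broader than a `/24`. The outbound addresses are the ones listed above; the allowlist contents in the example run are constructed for illustration. The same check answers the "queries fail after an IP allowlist was enabled" case in the Troubleshooting section.

```python
"""Check that a Treasure AI IP allowlist covers Studio's fixed outbound IPs.

Added example, not code from Studio or its documentation. It assumes the
allowlist is available as plain strings (IPs or CIDR blocks); the outbound
addresses below are the ones listed on this page.
"""
import ipaddress
from typing import Dict, Iterable, List

# Studio's fixed outbound IPs per region, as listed in this document.
STUDIO_OUTBOUND_IPS: Dict[str, List[str]] = {
    "US": ["34.199.15.172", "100.51.233.143", "54.175.7.102"],
    "Tokyo": ["13.113.25.188", "13.114.204.90", "35.79.133.156"],
    "EU01": ["63.182.125.82", "52.57.200.243", "63.180.90.169"],
}


def parse_allowlist(entries: Iterable[str]) -> list:
    """Normalise allowlist entries (bare IPs or CIDR blocks) to network objects.

    Bare addresses become /32 networks. strict=False tolerates blocks written
    with host bits set (e.g. "34.199.15.172/24"). Blank lines and '#' comments
    are skipped so a copied console export can be passed through unchanged.
    """
    networks = []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def missing_outbound_ips(region: str, allowlist: Iterable[str]) -> List[str]:
    """Return the Studio outbound IPs for `region` that no allowlist entry covers.

    An empty list means every outbound address Studio uses for the region is
    permitted by the allowlist.
    """
    if region not in STUDIO_OUTBOUND_IPS:
        raise ValueError(
            f"unknown region {region!r}; expected one of {sorted(STUDIO_OUTBOUND_IPS)}"
        )
    networks = parse_allowlist(allowlist)
    missing = []
    for ip_str in STUDIO_OUTBOUND_IPS[region]:
        ip = ipaddress.ip_address(ip_str)
        # Address-in-network membership is False across IPv4/IPv6 versions,
        # so IPv6 allowlist entries simply never match these IPv4 addresses.
        if not any(ip in net for net in networks):
            missing.append(ip_str)
    return missing


def broad_entries(allowlist: Iterable[str], min_prefixlen: int = 24) -> List[str]:
    """Return allowlist entries wider than /min_prefixlen.

    Studio needs exactly three /32 addresses per region; an entry such as a
    /8 added to "make it work" admits far more than Studio's workers.
    """
    flagged = []
    for raw in allowlist:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if ipaddress.ip_network(entry, strict=False).prefixlen < min_prefixlen:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    # Constructed allowlist: one bare IP, one /16, one over-broad /8, one comment.
    sample_allowlist = [
        "34.199.15.172   # Studio US worker",
        "54.175.0.0/16   # legacy ETL range",
        "10.0.0.0/8      # corporate network",
        "",
    ]
    for region in STUDIO_OUTBOUND_IPS:
        missing = missing_outbound_ips(region, sample_allowlist)
        status = "OK" if not missing else f"MISSING {missing}"
        print(f"{region:6s} {status}")
    for entry in broad_entries(sample_allowlist):
        print(f"warning: {entry} is broader than /24; consider narrowing it")
```

Run it against the allowlist your administrator exported before and after adding Studio's addresses; a region that still reports missing addresses is the one whose queries will fail with a network-policy error.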

### Studio Inbound Access

Studio itself does not restrict inbound access by IP address. Once authenticated through Treasure AI SSO, you can access the Studio web application from any network.

### Network Change Scenarios

If your organization uses both Treasure AI's IP allowlist and network-based login policies enforced by your identity provider (IdP), be aware of how network changes affect your session:

| Scenario | Studio UI | TD Operations (Queries, API Calls) |
|  --- | --- | --- |
| You stay on the same allowed network | Works normally | Works normally |
| You move to a disallowed network after login | Works normally (Studio UI is not IP-restricted) | Works normally (Studio workers use fixed outbound IPs, not your client IP) |
| You attempt to log in from a network blocked by your IdP | Login fails (TD SSO enforces your IdP's network policy) | Not applicable — no session established |


Technical Note
Treasure AI is the identity provider (IdP) for Studio. Network restrictions on login are applied during the OAuth authentication flow: your organization's IdP policy determines which client networks can initiate a login. After authentication, Studio makes all Treasure AI API calls from its fixed outbound IP addresses, so the Treasure AI IP allowlist is checked against those addresses rather than your client's network location. Studio does not re-check client IP addresses after login, so a session established from an approved network remains usable after the client moves to a disallowed network.

## Access to AI Features

All authenticated users with a valid Treasure AI account have full access to AI features in Studio. There are no per-user feature restrictions, entitlements, or usage quotas in the current release — account-level disabling via your Customer Success Manager is the only available opt-out.

| Access Control | Current Behavior |
|  --- | --- |
| **AI and LLM access** | All authenticated users — no restrictions |
| **Per-user feature restrictions** | None — all features available to all users |
| **Per-account opt-out** | Available — contact your Customer Success Manager to disable Studio for your account |
| **Admin-only features** | Network Audit Log requires the `account_admin` role ([Security & Permissions](/products/ai-studio/security) for details) |


Technical Note
The only role-based restriction in the current release is `account_admin` for the Network Audit Log. No per-user feature flags, entitlements, or quotas exist. This is consistent with the Treasure Studio Labs pre-release and is intentional for the GA launch. Per-user controls may be introduced in future releases.

## Summary

| Layer | What It Controls | Where It Is Enforced | Action Required |
|  --- | --- | --- | --- |
| **Policy-Based Permissions (PBP)** | Database, table, and API access per user/group | Treasure AI API (server-side) | None — existing PBP policies apply automatically |
| **TD IP Allowlist** | Which IPs can call the Treasure AI API | Treasure AI API (server-side) | Add Studio's outbound IPs if an allowlist is configured |
| **Studio Inbound Access** | Which IPs can reach the Studio web application | Not enforced — no IP restriction | None |
| **AI Feature Access** | Which users can use AI capabilities | All authenticated users | None — all users have full access |
| **Account Opt-Out** | Disable Studio for an entire account | Treasure AI account settings | Contact CSM if needed |


## Verification

Access control is enforced by Treasure AI, not Studio, so there are no Studio-specific verification steps. If your organization uses an IP allowlist, confirm with your administrator that all three of Studio's outbound addresses for your region are present, then run a query from Studio and check that it completes rather than failing with a network-policy error.

## Troubleshooting

| Issue | Solution |
|  --- | --- |
| Queries fail after your organization enabled an IP allowlist | Studio's outbound IPs may not be in the allowlist. Confirm that the addresses listed under IP Allowlist for your region are present in your Treasure AI IP allowlist configuration; contact your CSM if you need to confirm the current addresses |
| Login fails from a specific network | Your organization's identity provider may enforce network-based access policies. Try logging in from an approved network, or contact your IT administrator to update the IdP policy |


## Next Steps

- [Security & Permissions](/products/ai-studio/security) — Sandbox and audit logging
- [SSO Login](/products/ai-studio/security/sso-login) — Authentication flow details
- [Getting Started](/products/ai-studio/getting-started) — Platform setup guide
- [Core Concepts](/products/ai-studio/concepts) — Projects, models, and credits