You can specify user access to Segment Folders, Profiles, Predictive Scoring, Profiles API Tokens, Activations, Activation Templates, and Journeys. You can also set Audience Column Visibility to set permissions for individual attribute and behavior columns within a Parent Segment (previously Master Segment). These permissions are also used to control access for LLM-based agents such as Audience Agent when they query the raw data of a Parent Segment.
- Log in to the Treasure Console.
- Navigate to Control Panel > Policies.
- Create a new or select an existing policy.
- Select the Permissions tab and scroll down to Audience Studio.
| Options | Description |
|---|---|
| None | Users do not see Audience Studio in the navigation; users cannot view any Audience Studio features.  |
| Full access | Users can view all of Audience Studio's features, including profiles, segment folders, predictive scoring, and API tokens. Traffic Control permissions are displayed.  |
| Limited Access | Account owners and administrators can select a Parent Segment. From this view, they can drill down to lower panes that enable the selection of specific segment folders. Users only see Parent Segments for which they have permissions.  Select the pencil icon to change the parent segment permissions, including the configuration, folder, and segment access levels. |
- Select the pencil icon to make permission updates for segment folders in each parent segment.
- Select Save to update the policy.
Note: Audience Studio permissions, together with Raw Data Access, determine which Parent Segments and underlying cdp_audience_* databases LLM-based agents can query on behalf of each user.
When you specify Limited Access permissions and a specific parent segment, you can select Full or View permissions in all or some folders within the specified parent segment.
These settings control access to Audience Studio folders and segments. Raw Data Access is configured per Parent Segment and is additionally required for LLM-based agents to run raw queries against cdp_audience_* databases.
| Scope | Access level | Description |
|---|---|---|
| All segment folders | Full Control | Users can view, create, delete, and modify any segment folders and their content within the specified parent segment. They cannot see profiles if they do not have "Profile View" checked. With "Full Control," predictive scoring and Profile API tokens associated with the segments are visible. |
| All segment folders | View | Users can view all segment folders and their contents within the specified parent segment. With "Profiles View" enabled and, at minimum, "View" permissions, these users can also view profiles in all segment folders within specified parent segments. |
| Specific segment folders | Full Control | Users can view and edit specific segment folders within the specified parent segment. They cannot see profiles unless they have "Profile View" checked. Predictive scoring and API tokens associated with the segments are disabled. |
| Specific segment folders | View | Users can view specified segment folders within the selected parent segment. With "Profiles View" enabled and, at minimum, "View" permissions, these users can also view profiles in those segment folders. |
When selecting Full Control, View will automatically be selected. Keep View selected so that the user has access to the parent segment.
Configure Raw Data Access when using LLM-based agents such as Audience Agent with a parent segment knowledge base or PlazmaDB knowledge base. When these agents execute Trino queries against the underlying cdp_audience_* databases, they run with the executing user's permissions, not the Knowledge Base updater's permissions.
Understanding Access Control Layers: Access to Parent Segment data through LLM-based agents is controlled by two layers:
- Raw Data Access — Determines whether queries can be executed against the
cdp_audience_*database - Column-level permissions — Controls which specific data is visible within the database, configured via Audience Column Visibility
Both layers must grant appropriate permissions for the agent to access the data.
Important: If a Parent Segment has PBP (Profile-Based Protection) enabled (e.g., pbp_pii), you must configure Column Level Access Control with the Policy default accessibility set to View. Without this configuration, queries will fail with a permission error even if Raw Data Access is granted.
To allow these agents to read raw audience data in a controlled way:
Grant Raw Data Access permission per Parent Segment In the relevant policy, configure Raw Data Access for each Parent Segment. You can set this to Query (read access) or None for each Parent Segment individually. Users can only query the underlying
cdp_audience_*database via LLM-based agents for Parent Segments where Raw Data Access is set to Query.
Do not rely on Folder/Segment permissions alone Even if a user has Full Control or View permissions for Segment Folders in Audience Studio, Audience Agent queries to
cdp_audience_*databases will fail with an authorization error if Raw Data Access is not granted.
See Also