# Controlling AI Studio Access per User By default, every user in an account that has **Treasure AI Studio** can use it. If you want only specific users to have access, you can manage it **per user** through the Treasure AI REST API: an account administrator grants Studio access to the intended users, and everyone else is denied once your account is switched to restricted (opt-in) mode. In the current release there is no Treasure Console UI for this — per-user access is managed entirely through the API described below. Enabling per-user access restriction for your account Per-user grants only take effect once your account is switched to **restricted (opt-in) mode**. Until then, every user with Treasure AI Studio can use it regardless of individual grants. Restricted mode is enabled by Treasure AI — contact your **Customer Success Manager** to request it. When enabling restricted mode, grant access to the intended users *before* the change takes effect so they are not interrupted. ## Authentication and Permissions These endpoints use the standard Treasure AI REST API authentication. See [Accessing REST APIs](/products/control-panel/security/accessing-rest-apis) and [Treasure API baseURLs](/apis/endpoints/endpoints) for the base URL that applies to your region. - Authenticate with a **Master API key**, supplied in the `Authorization: TD1 ` header. - Granting and removing access (`PUT` / `DELETE`) requires the **account administrator** role. - Reading a user's current access (`GET`) is allowed for an account administrator, a delegated administrator, or the user themselves — so users can check their own access, and administrators can check any user in the account. - The target user must belong to **your own account** — a user ID from another account is not found. The option key for Treasure AI Studio access is `treasure_ai_studio`, and the only accepted value is `full_access`. These endpoints are available on both **API v3** and **API v4**. The two behave identically; note that the v4 path omits the `access_control` segment (for example, `/v3/access_control/users/:user_id/...` becomes `/v4/users/:user_id/...`). Each operation below lists both paths. When access changes take effect Access is evaluated when Studio issues the user a session token (at sign-in), so changes take effect from the user's next sign-in. Granting access lets the user start a Studio session from then on. Removing access (in a restricted-mode account) immediately revokes the user's issued Treasure AI credentials, so operations that use Treasure AI data stop right away and the user cannot start a new session. A user who is **already signed in**, however, keeps their current session — and can continue interactions that do not rely on Treasure AI data — until they sign out or the session expires. In the current release there is no administrator action to force-terminate an already-active session — to end one immediately, the user must sign out (or wait for the session to expire). A user who was never granted access is denied at sign-in. ## Grant Studio Access to a User Grants Treasure AI Studio access to a user. | HTTP Verb | Resource | Description | | --- | --- | --- | | PUT | `/v3/access_control/users/:user_id/profile_options/treasure_ai_studio` | Grants Studio access to the user | | PUT | `/v4/users/:user_id/profile_options/treasure_ai_studio` | Same operation on API v4 | ### URI Parameters | Parameter Name | Required | Type | Description | | --- | --- | --- | --- | | `user_id` | Yes | Integer | ID of the user in your account to grant access to | ### Request Body | Property Name | Required | Type | Description | | --- | --- | --- | --- | | `value` | Yes | string | Must be `full_access`. No other value is accepted. | ### Sample Request ```bash $ curl -X PUT \ 'https://api.treasuredata.com/v3/access_control/users//profile_options/treasure_ai_studio' \ -H 'Authorization: TD1 ' \ -H 'Content-Type: application/json' \ -d '{"value": "full_access"}' ``` ### Sample Response Status: 200 OK The response is a map of the user's profile option keys to their resolved values: ```json { "treasure_ai_studio": "full_access" } ``` ## Remove a User's Studio Access Removes a user's Treasure AI Studio grant. The user reverts to the account default — denied while your account is in restricted mode. | HTTP Verb | Resource | Description | | --- | --- | --- | | DELETE | `/v3/access_control/users/:user_id/profile_options/treasure_ai_studio` | Removes the user's Studio grant | | DELETE | `/v4/users/:user_id/profile_options/treasure_ai_studio` | Same operation on API v4 | ### URI Parameters | Parameter Name | Required | Type | Description | | --- | --- | --- | --- | | `user_id` | Yes | Integer | ID of the user in your account to remove access from | ### Sample Request ```bash $ curl -X DELETE \ 'https://api.treasuredata.com/v3/access_control/users//profile_options/treasure_ai_studio' \ -H 'Authorization: TD1 ' ``` ### Sample Response Status: 204 No Content The response body is empty. In a restricted-mode account, removing access immediately revokes the user's already-issued Treasure AI Studio credentials. (While the account is in default-allow mode, removing a grant has no immediate effect, since ungranted users are still allowed.) ## Check a User's Current Access Returns the user's resolved profile option values, so you can confirm whether Studio access is currently granted. | HTTP Verb | Resource | Description | | --- | --- | --- | | GET | `/v3/access_control/users/:user_id/profile_options/treasure_ai_studio` | Gets the user's current Studio access value | | GET | `/v4/users/:user_id/profile_options/treasure_ai_studio` | Same operation on API v4 | ### URI Parameters | Parameter Name | Required | Type | Description | | --- | --- | --- | --- | | `user_id` | Yes | Integer | ID of the user in your account to check | ### Sample Request ```bash $ curl \ 'https://api.treasuredata.com/v3/access_control/users//profile_options/treasure_ai_studio' \ -H 'Authorization: TD1 ' ``` ### Sample Response Status: 200 OK ```json { "treasure_ai_studio": "full_access" } ``` A value of `null` means the option is unset, so the user follows the account default. ## Auditing Per-user access changes are recorded in the [Premium Audit Log](/products/control-panel/security/auditlogs/premium-audit-log-events), so you can review when Studio access was granted to or removed from each user. ## Next Steps - [User management](/products/control-panel/security/users) — Manage the users in your account - [Accessing REST APIs](/products/control-panel/security/accessing-rest-apis) — API keys and authentication - [Treasure AI Studio — Access Control](/products/ai-studio/security/access-control) — How access control works within Studio