# Configuring Data Permissions

## Data Permissioning and Isolation

Akkio offers a flexible approach to data access. Data can either be shared at a global (agency-wide) level or isolated per client. This approach respects any data-warehouse-level permissions you might have (e.g., in Snowflake or other databases).

#### Global Agency Data

* Description: Datasets configured to be accessible to the entire agency.
* Access: Any user within the agency (with roles Team Member, Approver, Distributor, or Admin) can see and use these datasets, provided they have at least a Team Member role or higher.
* Use Cases: Common reference data or cross-client data that the agency wants to share broadly.

#### Client-Specific Data (Data Isolation)

* Description: Datasets that are isolated to a specific client’s team.
* Access: Only users who are members of that client’s team can see and use these datasets. This allows for strict data isolation, protecting sensitive or proprietary data.
* Inherited Permissions: Akkio enforces any underlying database permissions. If Snowflake or another data warehouse is configured to only allow specific users or roles to see certain tables, Akkio respects that setting.

## Best Practices

**Least Privilege Principle**

Assign the lowest role necessary for a user to perform their job. For instance, if a user only needs to create projects, make them a Team Member rather than a Team Admin.

**Client Isolation**

* If a client’s data must remain private, ensure only client-specific users and relevant agency team members (who need access) are assigned to that client’s team.

**Regularly Audit Roles**

* Periodically review users’ roles and client memberships to ensure they still reflect current responsibilities.