# Connection and Knowledge Base Permissions

Use permissions to control who can view and use **Connections** and **Knowledge Bases**. This helps protect credentials and sensitive internal data.

Permissions here work alongside [Role-Based Access Control (RBAC)](https://docs.stackai.com/welcome-to-stackai/security-and-governance/security-in-stackai/role-based-access-controls-rbac-and-groups).

{% hint style="warning" %}
Users may be able to run a **published** workflow that uses a connection or Knowledge Base, even if they can’t see that resource in the Connections or Knowledge Bases list.

If a workflow uses sensitive resources, keep it in a private folder with a restricted allowlist.
{% endhint %}

{% tabs %}
{% tab title="Connections" %}

### Connection access and sharing

Connections are private by default. Visibility depends on both the user role and the connection’s sharing settings.

This helps keep integration credentials scoped to the people who need them. It also reduces accidental reuse of sensitive connections in new workflows.

#### Default visibility

* **Admins**: Can view and use all connections in the organization.
* **Editors and Users**: Can view and use connections they created or that were shared with them.
* **Viewers**: Cannot view or use connections.

#### Share a connection

1. Open the connection.
2. Update the access level (admin/edit/view), or add specific users and groups.

<figure><img src="https://3697023207-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFSlso1Kjob5CLDrh0dVn%2Fuploads%2F8u2ZgxVHGygenDXp7fze%2FScreenshot%202026-01-23%20at%2011.13.43%E2%80%AFAM.png?alt=media&#x26;token=abd86a46-89d8-4fe0-8e04-4cb17f3df70b" alt=""><figcaption></figcaption></figure>

#### Best practices for sensitive connections

* Put workflows that use sensitive connections in **private folders**.
* Limit folder access to a specific group (for example, “Finance Ops”).
* Prefer sharing a connection with **groups** over many individual users.
  {% endtab %}

{% tab title="Knowledge Bases" %}

### Knowledge Base access and sharing

Knowledge Bases are private by default. Visibility depends on both the user role and the Knowledge Base’s sharing settings.

Use this to ensure sensitive content is only available to approved teams.

#### Default visibility

* **Admins**: Can view and use all Knowledge Bases in the organization.
* **Editors and Users**: Can view and use Knowledge Bases they created or that were shared with them.
* **Viewers**: Cannot view or use Knowledge Bases.

#### Share a Knowledge Base

1. Open the Knowledge Base.
2. Update the access level (admin/edit/view), or add specific users and groups.

<figure><img src="https://3697023207-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFSlso1Kjob5CLDrh0dVn%2Fuploads%2F75kcgk00OCQjUToETQZ6%2FScreenshot%202026-01-23%20at%2012.17.54%E2%80%AFPM.png?alt=media&#x26;token=6d9f2aa7-e5ec-4d04-a7e3-70449aa8865d" alt=""><figcaption></figcaption></figure>

#### Best practices for sensitive Knowledge Bases

* Store sensitive workflows in **private folders** with restricted access.
* Split content into separate Knowledge Bases by sensitivity or team ownership.
* Prefer sharing to **groups** to keep access manageable over time.
  {% endtab %}
  {% endtabs %}

***

### End-user connections (use the end user’s credentials)

For certain apps, StackAI can run a connection using the **end user’s credentials**. This helps ensure the workflow only returns data the end user is allowed to access.

To enable this, select **Use end-user connection** while building your workflow. End users will be prompted to authorize before they can run the agent.

<figure><img src="https://3697023207-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFSlso1Kjob5CLDrh0dVn%2Fuploads%2FBynLHK164wiwbegWzz96%2FScreenshot%202026-01-23%20at%2011.55.17%E2%80%AFAM.png?alt=media&#x26;token=795aa057-d7fc-4b4a-a5cb-65c4750fc62f" alt=""><figcaption></figcaption></figure>