Skip to main content
Learn how to create governance exceptions using individual security overrides. Define consumption limits, access to data connectors, or blocks for specific models for a user, regardless of the default policies of the team they belong to.

What is it?

Restrictions (technically known as “Per-policy strict overrides”) are the highest-priority rules in Tess’s authorization system. When you apply a restriction at the user level, it replaces and overrides any existing permissions at the team level, ensuring precise control.

How to configure restrictions?

  1. Go to the Members screen.
  2. Locate the row of the desired user and click the edit pencil button or the ”+” button to create a new restriction.
    Captura De Tela 2026 05 27 Às 17 59 55
  3. In the User Restrictions modal, you will see the three security variables:
    • Connector access: Define whether the user can access all connectors (such as Google Drive, Slack, Notion) or select restrictions to hide critical corporate connectors.
    • AI model access: Define whether they will use only standard basic text models or have restricted authorization.
    • Monthly credit limit: Configure a specific and precise monthly credit quota only for this user.
    Captura De Tela 2026 05 27 Às 18 00 51
  4. If, at any point, you want the collaborator to go back to following purely the default rules of the rest of their team, click the Restore team defaults button in the bottom left corner.
  5. Click Save to immediately apply the new restrictions.

How it works under the hood (Inheritance vs Override)

The Tess AI security engine operates under a flexible hybrid default permission model:
  • Inherit: Fields that you keep with the system default value (such as “All team models/connectors”) will make the user continue passively following whatever is changed in their group’s governance.
  • Override: As soon as you click and change a specific field in their individual profile, the inheritance link for that field is broken. The individual rule takes absolute security priority over any later modifications to the team.
       [ General Team Rule: CS ]
       Allows use of video AI


   [ Restriction Applied to User Camy ]
      Blocks Video Generation Models


              Result:
        Camy will not access videos,
     even while being part of the CS team.
Best practices
  • Use only for Exceptions: Use individual restrictions only in specific cases. If you notice that you are creating the same manual restrictions for multiple isolated collaborators, it is a strong sign that you should create a specific team for this profile.
  • Connector Security: Use individual restrictions to limit access to critical external data connections in the workspace for freelance collaborators or temporary third-party service providers.
WARNING:Once the individual credit limit is applied, as soon as the user reaches that barrier in real time, new prompts will be paused in chat until there is an automatic monthly account reset or a manual change to the restriction.
The individual restrictions and overrides tool delivers the highest level of refinement for AI compliance policy and cost governance, ensuring that your workspace is always protected against any unexpected situations.