Simplifying AI Data Access with Granular Control: How Liberator's Entitlements Engine Enables Secure Model Training
The promise of AI-driven financial insights depends on one critical factor: access to high-quality, diverse datasets. But in the financial services industry, data access isn't just about connectivity—it's about compliance, security, and fine-grained control over who sees what, when, and how much.
CloudQuant's Data Liberator platform solves this challenge through its sophisticated entitlements service engine, providing AI teams with streamlined access to financial datasets while maintaining the granular controls that enterprise security and compliance teams demand.
The AI Data Access Challenge
Modern AI models—whether for market prediction, risk assessment, or algorithmic trading—require training on diverse historical datasets. Data teams need to:
- Access historical market data across multiple symbols and timeframes
- Correlate patterns across data stored in different locations
- Run iterative experiments with different dataset combinations
- Validate model performance against out-of-sample data
Traditional approaches create friction at every step:
- Manual provisioning: Every dataset request requires tickets, approvals, and engineering time
- Coarse-grained controls: All-or-nothing access that grants more than users need
- Audit gaps: Lost visibility into who accessed what data and when
- Data sprawl: Multiple copies of datasets proliferate across environments
- Fragmented interfaces: Each data source requires different APIs, query languages, and authentication patterns
The challenge isn't just providing access—it's enforcing precise policies at scale while maintaining query performance.
How Liberator's Entitlements Engine Works
Through granular data controls, Data Liberator's entitlements service provides policy-based access control with column- and row-level precision. Here's how it transforms AI workflows:
RESTful API with Integrated Authorization
Every API request to Data Liberator passes through the entitlements engine before data is returned. Data teams authenticate once using a username and token.
curl -H "Content-Type:application/json" \
  -d '{"name":"dataset","user":"data-scientist","token":"your-token-here"}' \
  https://liberator.cloudquant.ai/liberator/query
Behind the scenes, the entitlements engine validates in real-time:
- Does this user have access to this dataset?
- Are they entitled to query the requested symbols?
- Does their subscription tier allow this date range?
- Are they within their rate limits and record quotas?
- Which columns should they see?
- Which data keys have they been permissioned for?
All policy enforcement happens at query time—no data is returned that violates configured entitlements.
Multi-Level Policy Enforcement
Unlike monolithic data platforms, Data Liberator enforces entitlements at multiple granularities:
Dataset-level: Control access to entire datasets like "US Equities" or "Options Data"
Symbol-level: Restrict visibility to specific keys or asset classes—perfect for enforcing proprietary watchlists or licensing restrictions
Field-level: Control which columns are visible (price, volume, bid/ask spreads, etc.)
Time-based: Enforce lookback windows, embargo periods, and recency restrictions
This means administrators can configure your equity research team to see large-cap constituents while your options desk sees only their authorized derivatives universe—all from the same platform, with policies enforced automatically and audit trails generated with every query.
Temporal Access Controls
AI models need historical data, but licensing and compliance requirements often dictate temporal restrictions. Data Liberator's entitlements engine enforces:
- Lookback windows: Limit users to "the last 5 years of data" rather than "all historical data"
- Embargo periods: Automatically restrict access to recent data for users on delayed feeds
- Time-boxed experiments: Configure temporary access for specific research projects with automatic expiration
These policies align data access with both business needs and upstream provider licensing constraints—enforced automatically without manual intervention.
Comprehensive Audit Trails
Every query generates detailed audit logs capturing:
- Who accessed which datasets
- What symbols and date ranges were requested
- How many records were returned
- When the access occurred
- Whether the request was allowed or denied
For SOC2-compliant organizations (like CloudQuant), these logs feed directly into security information and event management (SIEM) systems, providing the complete audit trail that security teams and auditors require.
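The dataset, symbol, field, and temporal checks described above, together with the audit record written for both allowed and denied requests, can be sketched as a deny-by-default evaluator. This is an added illustration, not CloudQuant's code: the `Entitlement` record, `evaluate`, `check`, the reason strings, and the sample policy are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Entitlement:        # hypothetical policy record, not Liberator's schema
    symbols: frozenset    # symbol-level scope
    fields: frozenset     # field-level scope: columns the user may see
    lookback_days: int    # oldest data the user may read
    embargo_days: int     # most recent days withheld (delayed feed)
    expires: date         # time-boxed grant

def evaluate(ents, user, dataset, symbols, fields, back_to, as_of, today):
    """Deny by default; return an audit record for allowed and denied requests."""
    rec = {"user": user, "dataset": dataset, "symbols": sorted(symbols),
           "range": (back_to.isoformat(), as_of.isoformat()),
           "when": today.isoformat(), "allowed": False, "fields": [], "reason": ""}
    ent = ents.get((user, dataset))          # dataset-level check
    if ent is None:
        rec["reason"] = "dataset not entitled"
    elif today > ent.expires:
        rec["reason"] = "grant expired"
    elif (missing := sorted(set(symbols) - ent.symbols)):
        rec["reason"] = "symbols not entitled: " + ",".join(missing)
    elif back_to > as_of:
        rec["reason"] = "invalid date range"
    elif back_to < today - timedelta(days=ent.lookback_days):
        rec["reason"] = "outside lookback window"
    elif as_of > today - timedelta(days=ent.embargo_days):
        rec["reason"] = "inside embargo period"
    else:
        # Field-level: return only permitted columns; deny if none remain.
        rec["fields"] = [f for f in fields if f in ent.fields]
        rec["allowed"] = bool(rec["fields"])
        if not rec["allowed"]:
            rec["reason"] = "no requested field is entitled"
    return rec

# Constructed sample policy; names reuse the page's placeholders.
TODAY = date(2024, 6, 3)
ENTS = {("data_scientist", "equity_market_data"): Entitlement(
    symbols=frozenset({"TICKER_A", "TICKER_B"}),
    fields=frozenset({"close", "volume"}),
    lookback_days=5 * 365, embargo_days=15, expires=date(2024, 12, 31))}

def check(symbols, fields, back_to, as_of, user="data_scientist"):
    return evaluate(ENTS, user, "equity_market_data", symbols, fields,
                    back_to, as_of, TODAY)

if __name__ == "__main__":
    print(check(["TICKER_A"], ["close", "adj_close"], date(2021, 1, 1), date(2023, 12, 31)))
```

Every branch returns a record, so denied requests reach the audit trail with the same context as allowed ones.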
Real-World AI Workflow: Model Training with Liberator
Let's walk through how a data science team uses Liberator to train a market correlation model, with policies enforced automatically at each step:
1. Discovery Phase
import liberator
# List datasets the user is entitled to access, with schema details
datasets = liberator.datasets(
    entitled=True, details=True, schema=True,
    user="data_scientist", token="your-token-here",
)
Outcome: The entitlements engine returns the datasets and schemas the user is authorized to see—no time wasted exploring restricted data.
2. Historical Data Retrieval
import liberator
# Query 3 years of daily data for large-cap equities
liberator.url = 'https://liberator.cloudquant.com'
df = liberator.get_dataframe(
    liberator.query(
        name="equity_market_data",
        symbols="TICKER_A,TICKER_B,TICKER_C,TICKER_D",
        back_to="2021-01-01",
        as_of="2023-12-31",
        fields="close,volume,adj_close",
        user="data_scientist",
        token="your-token-here",
    )
)
Outcome: The entitlements engine validates the request against configured policies in milliseconds. If the user is entitled to these symbols and date range, data streams directly into the model training pipeline. If not, the request is denied with a clear explanation.
3. Iterative Experimentation
As the model evolves, the team queries additional data:
import liberator
# Add correlation with sector ETFs
sector_df = liberator.get_dataframe(
    liberator.query(
        name="equity_market_data",
        symbols="ETF_SECTOR_A,ETF_SECTOR_B,ETF_SECTOR_C",
        back_to="2021-01-01",
        as_of="2023-12-31",
        user="data_scientist",
        token="your-token-here",
    )
)
Outcome: Each query is automatically validated against the user's configured entitlements—authorized requests succeed instantly, unauthorized requests are blocked immediately.
4. Out-of-Sample Validation
For model validation, the team queries recent data:
import liberator
# Get recent data for backtesting (last 250 records per symbol)
validation_df = liberator.get_dataframe(
    liberator.query(
        name="equity_market_data",
        symbols="TICKER_A,TICKER_B,TICKER_C,TICKER_D,ETF_SECTOR_A,ETF_SECTOR_B,ETF_SECTOR_C",
        back_to="2024-01-01",
        record_limit=-250,
        user="data_scientist",
        token="your-token-here",
    )
)
Outcome: The entitlements engine enforces the user's subscription tier automatically—if their license includes recent data, the query succeeds; if not, it's denied with clear feedback.
The Enterprise Security Advantage
While data scientists experience seamless query access within their entitled scope, security and compliance teams maintain complete control:
Centralized Policy Management
- Configure entitlements once, and enforcement happens automatically at every query
- Update policies in real-time with immediate impact across all users
- No data copies to track down and update
Principle of Least Privilege
- Grant access to exactly the datasets, symbols, and fields each user needs—nothing more
- Enforce and report on licensing restrictions at the symbol level to match vendor agreements
- Automatically deny queries that violate configured policies
Identity Provider Integration
- Leverage existing LDAP, Active Directory, or SAML/OIDC infrastructure
- Map user attributes to entitlements automatically
- Single sign-on with federated identity management
Resource Management
- Enforce rate limiting to prevent abuse and manage infrastructure costs
- Set per-user quotas for data volume and query frequency
- Monitor usage patterns and optimize policy configurations
Multi-Tenant Isolation
- Different client organizations see completely separate data universes
- Enforce strict isolation even on shared infrastructure
- Audit trails are tenant-specific for compliance reporting
Beyond Traditional Data Lakes
Traditional data lakes create security and operational challenges:
- Data teams request access through tickets that take days or weeks
- Coarse-grained permissions grant broader access than needed
- Data copies proliferate across environments, multiplying compliance surface area
- Audit trails are incomplete or scattered across systems
- Policy changes require touching multiple systems and data copies
Liberator's entitlements-driven architecture eliminates these problems:
Policy-Based Enforcement
- Policies are configured centrally and enforced automatically at query time
- Users query within their entitled scope without per-request approvals
- Policy violations are blocked instantly with clear feedback
Zero Data Movement
- Data stays in place; APIs provide controlled virtual access
- No stale copies or version management overhead
- Single source of truth for audit and compliance
Standard Interfaces
- RESTful APIs with JSON responses work with any ML or AI framework
- Python, R, and other data science tools integrate seamlessly, or you can use industry-standard data retrieval libraries
- Access to data using our Excel plugin
- No proprietary query languages to learn
Live Data Access
- Always query the latest available data within entitlement scope
- No batch refresh cycles or synchronization delays
- Real-time policy enforcement at query time
Complete Auditability
- Every query logged with full context
- Denied requests captured for security monitoring
- SIEM integration for enterprise security operations
Real-World Impact
CloudQuant's Data Liberator platform, powered by its entitlements service engine, enables financial institutions to:
Accelerate Development Cycles
- Data scientists work within clearly defined boundaries without per-query approvals
- Policies are enforced automatically, eliminating manual review overhead
- Query validation happens in milliseconds, not days
Maintain Compliance
- Audit trails captured automatically
- Regulatory requirements enforced through policy configuration
- Vendor licensing restrictions enforced at the symbol or column level
Reduce Infrastructure Costs
- Eliminate redundant data stores and copies
- Centralized policy enforcement reduces operational overhead
- Multi-tenant architecture maximizes infrastructure utilization
Scale Securely
- Support hundreds of users with fine-grained entitlements
- No compromise between security and usability
- Policies scale horizontally with infrastructure
Simplify Vendor Management
- Aggregate multiple data providers behind a unified API
- Enforce provider-specific licensing restrictions automatically
- Single audit trail across all data sources
Technical Architecture Highlights
Liberator's entitlements engine is built for enterprise scale and performance:
- Sub-millisecond validation: Policy checks add minimal latency to query execution
- Token-based authorization: OIDC/JWT tokens carry entitlements for stateless validation
- Distributed enforcement: Policies enforced at the edge, close to data sources
- Audit-first design: Every decision logged for compliance and security analysis
- High availability: Policy enforcement continues even during configuration updates
Getting Started
CloudQuant Data Liberator gives your organization precise, policy-driven control over financial data access—with enforcement that's automatic, auditable, and performant at enterprise scale.
For Security Teams: Centralized policy management with real-time enforcement and comprehensive audit trails.
For Data Teams: Clear boundaries, instant validation, and seamless access within entitled scope.
For Compliance: Complete audit trails, regulatory policy enforcement, and SOC2 Type II controls.
Secure by design. Enforced at query time. Auditable by default.
Contact us to see it in action.
Feb 23, 2026 8:00:00 AM