RBAC Configuration
RBAC Configuration
Role-Based Access Control configuration and management.
Overview
The platform uses hierarchical RBAC with granular permissions:
- Roles: Admin, Developer, User, Service
- Permissions: Resource-action pairs (e.g.,
agent:execute) - Groups: GitLab group-based role assignment
- Inheritance: Roles inherit permissions from parent roles
- Policy Engine: Open Policy Agent (OPA) enforcement
Role Hierarchy
graph TD A[Admin] --> B[Developer] B --> C[User] A --> D[Service Account]
Built-in Roles
Admin
Description: Full system access
Permissions: All (*:*)
MFA: Required
Assignment: Manual only
Permissions:
{ "role": "admin", "permissions": ["*:*"], "restrictions": { "mfa": "required", "ipWhitelist": ["10.0.0.0/8", "192.168.0.0/16"] } }
Developer
Description: Agent execution, workflow creation
Permissions: Agent and workflow operations
MFA: Recommended
Assignment: GitLab group llm-platform/developers
Permissions:
{ "role": "developer", "permissions": [ "agent:read", "agent:execute", "workflow:read", "workflow:create", "workflow:update", "workflow:delete", "mesh:communicate", "tracer:read", "mcp:connect" ] }
User
Description: Read-only access Permissions: View agents and workflows MFA: Optional Assignment: Default for all authenticated users
Permissions:
{ "role": "user", "permissions": [ "agent:read", "workflow:read", "tracer:read" ] }
Service Account
Description: Service-to-service authentication Permissions: Specific to service MFA: N/A (certificate-based) Assignment: Manual via API
Example (Agent Brain):
{ "role": "service.agent-brain", "permissions": [ "agent:execute", "mesh:register", "mesh:communicate", "ollama:inference" ], "authentication": "mtls" }
Permission Model
Permission Format
permission = resource:action
Examples:
- agent:execute
- workflow:create
- mesh:communicate
- admin:configure
Wildcard Permissions
agent:* # All agent operations
*:read # Read all resources
*:* # All operations (admin only)
Resource Types
| Resource | Actions | Description |
|---|---|---|
agent | read, execute, manage | AI agent operations |
workflow | read, create, update, delete, execute | Workflow management |
mesh | register, communicate, discover | Agent mesh operations |
tracer | read, analyze | Tracing and monitoring |
mcp | connect, discover, manage | MCP registry operations |
compliance | read, validate, report | Compliance operations |
admin | configure, audit, manage | Administrative tasks |
Permission Assignment
Via GitLab Groups
Group Mapping:
groupMappings: - gitlabGroup: "llm-platform/admins" platformRole: "admin" permissions: ["*:*"] - gitlabGroup: "llm-platform/developers" platformRole: "developer" permissions: - "agent:*" - "workflow:*" - "mesh:communicate" - gitlabGroup: "llm-platform/ml-team" platformRole: "ml-engineer" permissions: - "agent:execute" - "model:train" - "model:deploy"
Via API
POST /api/v1/auth/roles/assign Authorization: Bearer admin-token Content-Type: application/json
Request:
{ "userId": "user-123", "roles": ["developer", "ml-engineer"], "permissions": [ "agent:execute", "workflow:create" ], "expiresAt": "2025-12-31T23:59:59Z" }
Policy Enforcement
Open Policy Agent (OPA)
Policy Language: Rego
Example Policy:
package authz import future.keywords # Default deny default allow = false # Allow if user has required permission allow { required_permission := concat(":", [input.resource, input.action]) required_permission in input.user.permissions } # Allow if user has wildcard permission allow { wildcard := concat(":", [input.resource, "*"]) wildcard in input.user.permissions } # Allow if user is admin allow { input.user.roles[_] == "admin" } # Deny if resource is classified and user lacks clearance deny { input.resource_classification == "top-secret" not input.user.clearance == "top-secret" } # MFA required for sensitive resources mfa_required { input.resource_classification == "sensitive" } mfa_required { input.user.roles[_] == "admin" }
Enforcement Points
API Gateway:
app.use(async (req, res, next) => { const decision = await opa.evaluate({ input: { user: req.user, resource: req.params.resource, action: req.method.toLowerCase(), context: { ip: req.ip, time: new Date(), userAgent: req.headers['user-agent'] } } }); if (!decision.allow) { return res.status(403).json({ error: 'forbidden', required: `${req.params.resource}:${req.method.toLowerCase()}`, userPermissions: req.user.permissions }); } if (decision.mfa_required && !req.user.mfaVerified) { return res.status(403).json({ error: 'mfa_required', message: 'Multi-factor authentication required' }); } next(); });
Attribute-Based Access Control (ABAC)
Enhanced access control with attributes:
Policy Example:
# Allow developer to deploy model if they own it allow { input.action == "deploy" input.resource == "model" input.resource_owner == input.user.id input.user.roles[_] == "developer" } # Allow access during business hours only allow { input.action == "execute" business_hours(input.context.time) } business_hours(time) { hour := time.hour hour >= 9 hour < 17 }
Role Management
Create Custom Role
POST /api/v1/auth/roles Authorization: Bearer admin-token Content-Type: application/json
Request:
{ "name": "ml-engineer", "description": "Machine learning engineer role", "permissions": [ "agent:execute", "model:train", "model:deploy", "dataset:read", "dataset:create" ], "inheritsFrom": ["developer"], "restrictions": { "maxConcurrentJobs": 10, "maxGPUTime": "24h" } }
Update Role
PATCH /api/v1/auth/roles/{roleId} Authorization: Bearer admin-token Content-Type: application/json
Request:
{ "permissions": { "add": ["workflow:execute"], "remove": ["agent:delete"] } }
List Roles
GET /api/v1/auth/roles Authorization: Bearer admin-token
Response:
{ "roles": [ { "id": "role-admin", "name": "admin", "permissions": ["*:*"], "userCount": 3 }, { "id": "role-developer", "name": "developer", "permissions": ["agent:*", "workflow:*"], "userCount": 25 } ] }
Permission Auditing
Check User Permissions
GET /api/v1/auth/users/{userId}/permissions Authorization: Bearer admin-token
Response:
{ "userId": "user-123", "roles": ["developer", "ml-engineer"], "permissions": [ "agent:read", "agent:execute", "workflow:create", "model:train", "model:deploy" ], "effectivePermissions": [ "agent:*", "workflow:*", "model:*" ] }
Audit Log
GET /api/v1/audit/authorization?userId=user-123&timeRange=24h Authorization: Bearer admin-token
Response:
{ "events": [ { "timestamp": "2025-01-15T10:00:00Z", "userId": "user-123", "resource": "agent", "action": "execute", "decision": "allow", "reason": "permission:agent:execute" }, { "timestamp": "2025-01-15T10:05:00Z", "userId": "user-123", "resource": "admin", "action": "configure", "decision": "deny", "reason": "missing:admin:configure" } ] }
Best Practices
1. Principle of Least Privilege
Assign minimum required permissions:
// Too broad assignRole(user, 'admin'); // Specific permissions assignPermissions(user, [ 'agent:read', 'workflow:create' ]);
2. Regular Access Review
Review permissions every 90 days:
npm run compliance:access-review --days 90
3. Temporary Access
Grant time-limited permissions:
await grantPermission(user, 'admin:audit', { expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000) // 24 hours });
4. Separation of Duties
Prevent privilege escalation:
# Prevent user from approving their own changes deny { input.action == "approve" input.resource_creator == input.user.id }
Integration
TypeScript SDK
import { RBACClient } from '@bluefly/auth-client'; const rbac = new RBACClient({ endpoint: 'https://auth.bluefly.io', apiKey: process.env.API_KEY }); // Check permission const canExecute = await rbac.hasPermission(user, 'agent:execute'); // Get all permissions const permissions = await rbac.getUserPermissions(user); // Assign role await rbac.assignRole(user, 'developer');