Role-Based Access Control
An authorization model that grants permissions based on a user's assigned role rather than individually.
Definition
Role based access control, commonly abbreviated RBAC, is an authorization model in which permissions are attached to roles, and users or services are assigned one or more of those roles, rather than having permissions granted to them individually. Instead of checking whether a specific user can delete a specific resource, the system checks whether that user's assigned role includes the delete permission. This indirection makes it practical to reason about and audit access across an organization as people and services join, change function, or leave.
How it works
A typical RBAC setup defines a small set of roles, such as owner, admin, and member, each with a fixed bundle of permissions appropriate to that level of responsibility. A user is assigned a role within a given scope, such as a project, workspace, or tenant, and the system checks that role before allowing any sensitive action, such as inviting new members, changing billing, deleting resources, or issuing credentials. Because roles are reused across many users, changing what a role can do updates permissions for everyone holding it, instead of requiring individual edits for each account.
Why it matters for AI agent systems
Agent platforms multiply the number of actors that need permission checks: human operators, service accounts, and the agents themselves, each of which may need different levels of access to configuration, credentials, and data. RBAC lets an organization limit who can create or modify agents, who can view or rotate credentials, and who can only observe agent activity, which matters because the permissions held by a compromised account or an over privileged agent define the maximum damage that account or agent can cause. Agenhood applies workspace scoped roles of owner, admin, and member, so access to sensitive actions such as managing provider keys or inviting users can be limited to the people who actually need it, independently in each workspace.
Related concepts
- Multi-tenancy: RBAC is usually scoped per tenant, so a role in one workspace does not grant access in another.
- Zero trust networking: a network level complement to the identity level controls RBAC provides.