Role-Based Access Control (RBAC)

Definition

Role-Based Access Control (RBAC) is a security paradigm where access to resources and capabilities is granted based on organizational roles rather than individual identities. In AI agent systems, RBAC controls not only who can use the agent but what the agent itself can do on behalf of different users: which data sources it queries, which tools it invokes, which actions it can take autonomously versus which require human approval. The agent's effective permissions are the intersection of the requesting user's role permissions and the agent's own service account permissions.

Engineering Context

AI-specific RBAC extends traditional access control with AI-relevant permissions: which tools an agent can call, which data sources it can query, which users can view audit logs, and who can modify prompt templates. Principle of least privilege applies: an agent should only have access to the minimum data and tools needed for its specific task. Implement RBAC at the tool layer—before the agent calls any external system, verify the requesting user's role has permission for that specific tool and target resource. Store role-permission mappings in a central policy engine (OPA, Permit.io) rather than hardcoding in agent logic, enabling policy changes without code deployment.

Related Terms