Agent RBAC

Agent RBAC (Role-Based Access Control)¶

Define reusable roles with granular permissions and assign them to agents. Roles are evaluated during every intercept call, if any active role denies the action type, the request is blocked before policies run.

Concept	Description
Role	A named permission bundle with allowed/denied action types, scopes, and a minimum trust threshold.
Assignment	A many-to-many link between roles and agents. One agent can hold multiple roles.
Inheritance	A role can inherit from a parent role, composing permissions up the hierarchy.
Wildcards	Action type patterns like `payment:*` match any action starting with `payment:`.

Create a Role¶

from xybern import Xybern

client = Xybern(api_key="xb_your_key")

role = client.roles.create(
    name="finance-agent",
    description="Can read and transfer payments, but not admin actions",
    allowed_action_types=["payment:*", "report:read"],
    denied_action_types=["admin:*"],
    min_trust_level=60.0,
)
print(role["role"]["role_id"])

Assign a Role to an Agent¶

client.roles.assign(
    role_id="role_abc123",
    agent_id="agent_xyz789",
)

Role Inheritance¶

# Create a base "reader" role
reader = client.roles.create(
    name="reader",
    allowed_action_types=["*.read"],
)

# Create "analyst" that inherits from "reader" and adds more
analyst = client.roles.create(
    name="analyst",
    allowed_action_types=["report:generate", "data:query"],
    inherits_from=reader["role"]["role_id"],
)

How Enforcement Works¶

Agent submits an action via client.agents.intercept(...)
Control plane resolves the agent and loads all active roles
If any role's denied list matches the action type → block
If no role's allowed list matches → block
If the agent's trust level is below the role's min_trust_level → block
Otherwise, proceed to policy evaluation

REST API Reference¶

Method	Endpoint	Description
`POST`	`/v1/enforce/roles`	Create a role
`GET`	`/v1/enforce/roles`	List roles
`GET`	`/v1/enforce/roles/:id`	Get a role
`PUT`	`/v1/enforce/roles/:id`	Update a role
`DELETE`	`/v1/enforce/roles/:id`	Delete a role
`POST`	`/v1/enforce/roles/:id/assign`	Assign role to agent
`POST`	`/v1/enforce/roles/:id/unassign`	Unassign role from agent
`GET`	`/v1/enforce/roles/:id/agents`	List agents in role
`GET`	`/v1/enforce/roles/stats`	RBAC statistics

Dashboard¶

The Roles (RBAC) tab in the Authorisation Layer dashboard displays all roles, their agent counts, allowed/denied action types, trust thresholds, and inheritance chains. You can delete roles directly from the UI.