Role-Based Access Control
FoundationaLLM RBAC provides fine-grained access control to platform resources.
Overview
FoundationaLLM RBAC enables:
- Controlling who can access resources
- Defining what actions users can perform
- Scoping access to specific resources or the entire instance
- Auditing access changes
Key Concepts
| Concept | Description |
|---|---|
| Role Definition | A collection of permissions (actions) |
| Role Assignment | Grants a role to a principal at a scope |
| Principal | User, group, service principal, or managed identity |
| Scope | Where the access applies (instance or resource) |
Built-in Roles
| Role | Description |
|---|---|
| Owner | Full access including role assignment management |
| Contributor | Full access except role assignment management |
| Reader | Read-only access to resources |
| User Access Administrator | Manage role assignments only |
See Role Definitions for complete details.
How RBAC Works
```mermaid
graph LR
    A[Principal] -->|assigned| B[Role]
    B -->|defines| C[Permissions]
    C -->|applied at| D[Scope]
    D -->|grants access to| E[Resources]
```
- Principal requests access
- System checks role assignments
- Permissions are evaluated at the scope
- Access is granted or denied
Management Options
Management Portal
The Management Portal provides a UI for:
- Viewing role assignments
- Creating new assignments
- Deleting assignments
- Managing access at instance and resource levels
Management API
Programmatic access via REST API:
- List role definitions
- Create/delete role assignments
- Query assignments by scope
- Retrieve identity information
See Role Management for API details.
Quick Start
Grant Instance Access
- Navigate to Management Portal
- Select Security > Instance Access Control
- Click Add Role Assignment
- Select principal (user/group)
- Select role
- Click Save
Grant Resource Access
- Navigate to the resource (e.g., Agent)
- Click Access Control button
- Click Add Role Assignment
- Select principal and role
- Click Save
Inheritance
| Scope | Inherits From |
|---|---|
| Resource | Instance |
| Instance | None (top level) |
- Roles assigned at instance level apply to all resources
- Resource-level assignments add specific permissions
- Inherited permissions cannot be removed at lower levels
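The evaluation flow under How RBAC Works and the inheritance rules above, modeled as an added Python example (not FoundationaLLM's own code). The action names, scope paths and principal IDs are constructed for illustration; the real permission strings are in Role Definitions.

```python
from dataclasses import dataclass

# Constructed action names; the real permission strings are in Role Definitions.
READ, WRITE, DELETE, MANAGE_ASSIGNMENTS = "read", "write", "delete", "manage_role_assignments"

# Built-in roles, modeled from the descriptions in the Built-in Roles table.
ROLES = {
    "Owner": {READ, WRITE, DELETE, MANAGE_ASSIGNMENTS},
    "Contributor": {READ, WRITE, DELETE},
    "Reader": {READ},
    "User Access Administrator": {MANAGE_ASSIGNMENTS},
}

INSTANCE = "/instance"  # constructed scope path for the top level


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group, service principal, or managed identity
    role: str
    scope: str      # INSTANCE or a resource path beneath it


def applies(assignment_scope, resource):
    """An assignment applies at its own scope and at every scope below it."""
    return resource == assignment_scope or resource.startswith(assignment_scope + "/")


def effective(assignments, principal_ids, resource):
    """Direct and inherited assignments for a user plus the groups they belong to."""
    return [a for a in assignments
            if a.principal in principal_ids and applies(a.scope, resource)]


def is_allowed(assignments, principal_ids, action, resource):
    """Permissions are additive: any applicable role that has the action grants it."""
    return any(action in ROLES[a.role]
               for a in effective(assignments, principal_ids, resource))


# Constructed sample data.
AGENT = INSTANCE + "/agents/hr-agent"
ASSIGNMENTS = [
    Assignment("group:analysts", "Reader", INSTANCE),
    Assignment("user:dana", "Contributor", AGENT),
    Assignment("user:sam", "User Access Administrator", INSTANCE),
]
DANA = {"user:dana", "group:analysts"}
```

Because inherited assignments cannot be removed at a lower level, an access review of a single resource should list the output of `effective`, not only the assignments created on that resource.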
Documentation
| Topic | Description |
|---|---|
| Role Definitions | Understanding role structure and permissions |
| Role Assignments | How assignments work |
| Scope | Understanding scope levels |
| Role Management | Managing assignments via Portal and API |
| Agent Role Assignments | Automating agent access control |