Agent Lifecycle Management Roles and Permissions
Agent Lifecycle Management uses role-based access control to manage who can create, modify, deploy, and manage agents. The system defines permissions across three role categories, with different access levels for agent drafts, agents in the store, and deployed agents.
General roles
General roles include C3.Developer, GenaiCore.BaseUser, and similar platform roles. Users with these roles can create agents and view any agent in the Gallery or Workbench. They can modify, chat with, or delete only the agents they created.
AgentAdmin
The GenaiCore.AgentAdmin role provides full access to manage any agent in the system. Users with this role can modify, chat with, and delete agents created by any user. This role supports team leads and senior developers who need to assist others without requiring full application administrator access.
AppAdmin
The C3.AppAdmin role provides complete system access with no restrictions. Users with this role can deploy agents, manage deployments, access preview deployments, and perform any operation in Agent Lifecycle Management.
Agent draft permissions
Agent drafts are agents under development in the Workbench. The following table shows which operations each role can perform on agent drafts.
| Action | C3.Developer, GenaiCore.BaseUser | GenaiCore.AgentAdmin | C3.AppAdmin |
|---|---|---|---|
| Create Agent | ✓ | ✓ | ✓ |
| Duplicate Agent | Any Agent | Any Agent | Any Agent |
| View Agent in Gallery | Any Agent | Any Agent | Any Agent |
| View Agent in Workbench | Any Agent | Any Agent | Any Agent |
| Modify Agent | Agent Creator Only | Any Agent | Any Agent |
| Chat with Agent | Agent Creator Only | Any Agent | Any Agent |
| Delete Agent | Agent Creator Only | Any Agent | Any Agent |
| View Traces in Workbench | Agent Creator Only | Any Agent | Any Agent |
Users with C3.Developer and GenaiCore.BaseUser can invoke traces only for agents they created. For read-only agents, the trace view appears empty.
Agent store permissions
The Agent Store contains non-draft agents that are available for deployment. The following table shows which operations each role can perform on agents in the store.
| Action | C3.Developer, GenaiCore.BaseUser | GenaiCore.AgentAdmin | C3.AppAdmin |
|---|---|---|---|
| View Agent in Gallery | Any Agent | Any Agent | Any Agent |
| View Agent in Workbench | Any Agent | Any Agent | Any Agent |
| Modify Agent | × | × | × |
| Chat with Agent | Agent Creator Only | Any Agent | Any Agent |
| Delete Agent | Agent Creator Only | Any Agent | Any Agent |
| View Traces in Workbench | Any Agent | Any Agent | Any Agent |
No role can modify agents in the store. To update a non-draft agent, duplicate it to create a draft, make changes, and publish the updated version.
Agent deployment permissions
Agent deployments are agents running in production or test environments. The following table shows which operations each role can perform on deployed agents.
| Action | C3.Developer, GenaiCore.BaseUser | GenaiCore.AgentAdmin | C3.AppAdmin |
|---|---|---|---|
| View Deployment in Deployments Page | Any Deployment | Any Deployment | Any Deployment |
| View Deployment in Workbench | Any Deployment | Any Deployment | Any Deployment |
| Deploy Agent | × | Any Agent | Any Agent |
| Update Deployment Version | × | Any Agent | Any Agent |
| Enable/Disable Deployment | × | Any Agent | Any Agent |
| Chat with Agent | Any Agent | Any Agent | Any Agent |
| Terminate Deployment | × | Any Agent | Any Agent |
| View Deployment Metrics | Any Agent | Any Agent | Any Agent |
| View Traces In Workbench | Any Agent | Any Agent | Any Agent |
| View Traces In Deployments Page | Any Agent | Any Agent | Any Agent |
| View Preview Deployment | × | × | Any Agent |
| Terminate Preview Deployments | × | × | Any Agent |
Only GenaiCore.AgentAdmin and C3.AppAdmin roles can deploy, update, or terminate agent deployments. Users with C3.Developer and GenaiCore.BaseUser can view and test deployments.
Assign users to roles
To assign users to Agent Lifecycle Management roles, follow the steps in Assign Users.
Role changes apply immediately. Refresh your browser to see updated permissions.
Best practices
Apply these practices when managing Agent Lifecycle Management roles:
- Assign minimum required access: Start users with C3.Developer and GenaiCore.BaseUser and expand access only when their responsibilities require it.
- Grant GenaiCore.AgentAdmin to team leads or senior developers who support other team members.
- Limit C3.AppAdmin assignments: Reserve C3.AppAdmin for operations staff who manage production environments.
- Review assignments regularly: Audit role assignments each quarter to match current team structure and responsibilities.
- Document elevated permissions: Record why users received GenaiCore.AgentAdmin or C3.AppAdmin access for compliance and knowledge transfer.
- Separate development and production: Consider using different role assignments for development and production environments.
C3.AppAdmin and GenaiCore.AgentAdmin provide unrestricted access to all Agent Lifecycle Management operations, including deploying and terminating production agents. Assign these roles only to experienced administrators who understand the operational impact.
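The quarterly review and documentation practices above can be checked mechanically. The following is an added example, not C3 code or a C3 API: it assumes role assignments have been exported into records with hypothetical fields (user, role, env, justification, last_reviewed) and treats a quarter as 92 days.

```python
from datetime import date

# Roles the page lists as able to deploy, update or terminate deployments.
ELEVATED = {"GenaiCore.AgentAdmin", "C3.AppAdmin"}
REVIEW_INTERVAL_DAYS = 92  # "each quarter"; the exact day count is an assumption

# Constructed sample export; field names are hypothetical, not a C3 format.
ASSIGNMENTS = [
    {"user": "alice", "role": "C3.Developer", "env": "prod",
     "justification": "", "last_reviewed": "2024-01-10"},
    {"user": "bob", "role": "GenaiCore.AgentAdmin", "env": "prod",
     "justification": "Team lead, supports agent authors", "last_reviewed": "2024-05-02"},
    {"user": "carol", "role": "C3.AppAdmin", "env": "prod",
     "justification": "", "last_reviewed": "2024-05-20"},
    {"user": "dave", "role": "C3.AppAdmin", "env": "dev",
     "justification": "Ops on-call", "last_reviewed": "2023-11-01"},
    {"user": "dave", "role": "C3.AppAdmin", "env": "prod",
     "justification": "Ops on-call", "last_reviewed": "2024-04-15"},
]

def audit(assignments, today):
    """Return sorted (user, env, role, finding) tuples for elevated roles."""
    findings = []
    envs = {}  # (user, role) -> environments where the elevated role is held
    for a in assignments:
        if a["role"] not in ELEVATED:
            continue  # general roles cannot deploy or terminate; nothing to flag
        key = (a["user"], a["env"], a["role"])
        envs.setdefault((a["user"], a["role"]), set()).add(a["env"])
        # "Document elevated permissions": a recorded reason must exist.
        if not a["justification"].strip():
            findings.append(key + ("missing justification",))
        # "Review assignments regularly": flag reviews older than one quarter.
        age = (today - date.fromisoformat(a["last_reviewed"])).days
        if age > REVIEW_INTERVAL_DAYS:
            overdue = age - REVIEW_INTERVAL_DAYS
            findings.append(key + (f"review overdue by {overdue} days",))
    # "Separate development and production": same elevated role in both.
    for (user, role), seen in envs.items():
        if {"dev", "prod"} <= seen:
            findings.append((user, "dev+prod", role,
                             "same elevated role in dev and prod"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, date(2024, 6, 30)):
        print(*finding, sep=" | ")
```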