Authorization FAQ

The Authorization Runbook provides guidelines for troubleshooting the authorization of a User's actions. It covers checking that UserGroups and Roles exist, whether a user is authorized to perform a specific action, and which groups a specific user has.

Authorization basics

The C3 Agentic AI Platform uses an RBAC (Role-Based Access Control) approach to authorization. See the Overview for a detailed description of the C3 Agentic AI Platform's authorization framework.

Commonly faced issues

How to check if Roles are created correctly

  • Roles are metadata within the C3 Agentic AI Platform. Roles are tied to the current package of the application, and should exist upon the loading of the package.

  • To check that the Roles for the package are created, run Role.fetch() and verify that all the Roles exist with the proper permission lists.

How to check if UserGroups are created correctly

  • UserGroups are entities within the C3 Agentic AI Platform. The existence of a UserGroup is tied to the existence of the corresponding Role.

  • To check that the UserGroups are created correctly, first check that the Roles are created correctly. Then, verify that the UserGroups exist by running UserGroup.fetch().

  • Upon validating that all expected UserGroups exist, for each UserGroup where an IDP mapping was created, verify that the idpGroups field is populated with the correct mapping(s).

How to check if a User has the correct UserGroups

  • A User can have UserGroups that come from the C3 Agentic AI Platform, as well as UserGroups from external identity providers.
  • To verify that a User has their groups correctly populated, follow these steps:

    • Get the instance of a User by running User.forId('<user's ID>').
    • From the User object, the UserGroups that are from the C3 Agentic AI Platform are stored in the c3Groups field.
    • The UserGroups that are from external identity providers are stored in the idpGroups field. The specific external identity provider and group in the external IDP are stored in the idpAssignedGroups field.

How to check if a User can run an action

  • To check for the User of the current session, use Authorizer#isAuthorized by running Authorizer.isAuthorized(<Type>, <Action>, True).

    • For example, to verify whether the current User can run Cluster.startEnv(), run Authorizer.isAuthorized('Cluster', 'startEnv', True).
  • To check for a given User, investigate the permissions and security level the user has. A User is denied running an action unless ALL the following requirements are met:

    1. The Security Level of the action is equal to or greater than the Security Level of the User. The Security Level of the action can be calculated with the command Permission.fromString(allow:<Type>::<Action>).securityLevel(). The Security Level of the user can be calculated with the command User.forId(<user's ID>).securityLevel().

    2. The user must have permission to execute the action. The permissions a user has can be found by running User.forId(<user's ID>).allPermissions().

  • For more information on permissions, see Permissions in the C3 Agentic AI Platform.