
Roles in the C3 Agentic AI Platform

In a role-based security model, also called role-based access control (RBAC), a role represents a defined level of authorization: the set of actions a user or group of users can perform.

A role within an RBAC system is a collection of permissions (or privileges) that represent specific job functions or responsibilities within an organization. By grouping permissions into roles, RBAC reduces the complexity of assigning and managing individual permissions for each user. For example, instead of individually setting permissions for each user in a large organization, you can assign users to predefined roles such as 'Administrator', 'Editor', and 'Viewer', which streamlines access control.

In the C3 Agentic AI Platform, the Role Type defines the basic unit of access control. Every instance of a role comprises a collection of Permissions and optional DataPermissions that define a behavior pattern.

How users, groups, roles, and permissions interact

In the C3 Agentic AI Platform and the RBAC framework, users are added to groups, and each group has exactly one role. You do not grant permissions to users directly. Instead, you identify roles that contain the appropriate permissions, create groups with those roles, and then add users to the groups.

A user can be added to one or more groups, allowing for a nuanced distribution of access rights that reflects the varied nature of user job functions. The dynamic nature of group membership means that when a user's job function changes, their access rights can be adjusted simply by changing which groups they belong to. This approach reduces the administrative burden and enhances the agility of the access management process.

Nested roles

RBAC implementations may also feature role hierarchies, where higher-level roles encompass the permissions of their subordinate roles, along with additional privileges. This hierarchical structuring further refines the access control process, making it more granular and reflective of organizational hierarchies.

The C3 Agentic AI Platform supports the ability to reference roles from other roles. Nested roles add a layer of flexibility and sophistication to the RBAC model.

  • Hierarchy: Nested roles create a hierarchy within the access control model, allowing more granular control over permissions.
  • Inheritance: A role can inherit permissions from another role, reducing redundancy in defining permissions.
  • Dynamic Access Control: Nested roles allow dynamic changes in permissions. Updating a parent role automatically updates the access rights of the nested roles.
  • Role Specialization: Nested roles enable specialization within a broader role category, tailoring access to specific needs.

Data permissions with nested roles

When using nested roles with data permissions, it's important to understand how they combine:

  • Data permissions within a role: Data permissions from a role and all its nested roles are flattened and combined using AND logic. All data permission conditions must be satisfied for access to be granted.
  • Data permissions across groups (when a user is in multiple groups): If a user belongs to multiple groups, data permissions from the different groups' roles are combined using OR logic. A user needs to satisfy data permissions from at least one group to access an object.

For more details, see Add Access Controls to a Role using Data Permissions.
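
The combination rules above, as an added Python model (not C3 AI code and not the platform's API): data permissions are flattened across a role and its nested roles and ANDed, then ORed across the user's groups. The class names, role names, and sample objects are constructed for illustration, and treating a role with no data permissions as imposing no data condition is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Callable, List

Predicate = Callable[[dict], bool]  # a data permission modelled as a condition on an object

@dataclass
class Role:
    name: str
    data_permissions: List[Predicate] = field(default_factory=list)
    nested: List["Role"] = field(default_factory=list)

@dataclass
class Group:
    name: str
    role: Role  # each group has exactly one role

def flatten(role, _seen=None):
    """Collect data permissions from a role and every role nested under it."""
    seen = set() if _seen is None else _seen
    if id(role) in seen:  # skip roles reachable twice or through a cycle
        return []
    seen.add(id(role))
    perms = list(role.data_permissions)
    for child in role.nested:
        perms.extend(flatten(child, seen))
    return perms

def can_access(groups, obj):
    """OR across the user's groups; AND across each group's flattened conditions."""
    # Model assumption: a role with no data permissions imposes no data condition.
    return any(all(p(obj) for p in flatten(g.role)) for g in groups)

# Constructed sample roles, groups, and objects
region_west = Role("RegionWest", [lambda o: o["region"] == "west"])
public_only = Role("PublicOnly", [lambda o: o["classification"] == "public"])
west_analyst = Role("WestAnalyst", [lambda o: o["type"] == "Asset"],
                    nested=[region_west, public_only])
east_auditor = Role("EastAuditor", [lambda o: o["region"] == "east"])
analysts = Group("Analysts", west_analyst)
auditors = Group("Auditors", east_auditor)

west_public = {"type": "Asset", "region": "west", "classification": "public"}
west_restricted = {"type": "Asset", "region": "west", "classification": "restricted"}
east_restricted = {"type": "Asset", "region": "east", "classification": "restricted"}
```

In this model, nesting another role can only narrow what a group's role reaches, while adding the user to a second group can only widen it: a member of both Analysts and Auditors reaches `east_restricted` through the Auditors group alone. That makes multi-group memberships the place to look first during a role audit.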

Best Practices for Role Configuration

When configuring roles, consider the following best practices:

  • Principle of Least Privilege: Assign roles that provide only the minimum necessary permissions to perform the required tasks.
    • A key strength of roles in RBAC is that they make the principle of least privilege practical to apply. The principle requires that individuals are granted only the access that is absolutely necessary to perform their job functions. Applied this way, roles bolster security by minimizing the risk of unauthorized access and potential breaches.
  • Regular Audits: Periodically review roles and permissions to ensure they still align with the current needs and security standards.
  • Clear Role Definitions: Ensure that each role has a clear and concise description to facilitate understanding and management of roles.

More detailed information about roles and permissions can be found in the Define roles and groups and Define permissions topics.

Roles in the C3 Agentic AI Platform form the backbone of the security model, providing a structured approach to managing user access and permissions. Understanding and effectively implementing these roles is essential for maintaining a secure and efficient environment within the C3 AI ecosystem.
