Users, Roles, and Groups in C3 AI
Within the C3 Agentic AI Platform's ecosystem, users interact with each other under the platform's security policies and protocols. These interactions can range from sharing data to collaborative editing, and all are enforced by the platform's role-based access control architecture.
Users also interact with external systems and APIs. These interactions are regulated by OAuth scopes and consent frameworks, ensuring that users can safely extend their activities beyond the C3 Agentic AI Platform's boundaries while maintaining security and data integrity.
Entity identification and authentication
Each User is recognized as a unique entity within the system, typically identified by the user's email address. This unique identifier is crucial for differentiating users and tracking their activities within the platform.
Users prove their identity through various authentication mechanisms. The authentication process often integrates with Identity Providers (IdPs) such as Okta, Microsoft Entra ID, or Google Identity, leveraging robust protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
If you are an Administrator, refer to the topic on Configure authentication for more information about configuring OIDC and SAML in the platform.
Authorization and access control
At a high level, users are assigned to specific groups, or UserGroups. Each group corresponds to a single Role. A role contains a collection of Permissions. Permissions determine what actions a user can perform, such as reading data, modifying content, or executing actions.

Permissions within these roles are granular, allowing precise control over user activities. This granularity ensures adherence to the principle of least privilege, where users are granted only the access necessary to perform their tasks.
Users may also be part of groups. These groups bundle roles and permissions, simplifying the management of access rights across multiple users. This structure is particularly beneficial in large organizations, where numerous users require similar access rights.
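The user, group, role, and permission chain described above can be modeled as follows. This is an added example, not C3 AI code or the platform's API. The class names, permission strings, and sample users are hypothetical, and it assumes that a user in several groups receives the union of those groups' role permissions.

```python
# Added illustration: Role, UserGroup and the permission strings are
# hypothetical names, not the C3 Agentic AI Platform API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # granular "action:resource" strings


@dataclass(frozen=True)
class UserGroup:
    name: str
    role: Role          # each group corresponds to a single Role
    members: frozenset  # user identifiers (email addresses)


def effective_permissions(user, groups):
    """Union of role permissions over every group the user belongs to
    (assumption: memberships are additive)."""
    perms = set()
    for group in groups:
        if user in group.members:
            perms |= group.role.permissions
    return perms


def is_allowed(user, permission, groups):
    """Deny by default: allow only when the permission was granted."""
    return permission in effective_permissions(user, groups)


def excess_permissions(user, needed, groups):
    """Least-privilege audit: permissions granted but not needed."""
    return effective_permissions(user, groups) - set(needed)


# Constructed sample data.
VIEWER = Role("viewer", frozenset({"read:dataset"}))
EDITOR = Role("editor", frozenset({"read:dataset", "write:dataset"}))
OPERATOR = Role("operator", frozenset({"execute:pipeline"}))
GROUPS = [
    UserGroup("analysts", VIEWER, frozenset({"ana@example.com", "bo@example.com"})),
    UserGroup("curators", EDITOR, frozenset({"bo@example.com"})),
    UserGroup("ops", OPERATOR, frozenset({"bo@example.com"})),
]

if __name__ == "__main__":
    for user in ("ana@example.com", "bo@example.com", "eve@example.com"):
        print(user, sorted(effective_permissions(user, GROUPS)))
```

Running `excess_permissions` for each user against the permissions their tasks require gives a simple review list of group memberships to remove.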
Interoperability with security protocols and standards
Users often benefit from single sign-on (SSO) capabilities, allowing them to access multiple applications or services with a single set of credentials. This is achieved through federated identity management, using standards like SAML and OIDC, which streamline the authentication process across different systems.
The OAuth framework is pivotal for delegated authorization. It allows users to grant third-party applications limited access to resources on the C3 Agentic AI Platform without exposing their credentials. This integration is essential for maintaining security while providing flexibility in user-platform interaction.
If you are an Application Developer, refer to the topics on OAuth and Generate an access token.