Roles
Roles group permissions together. Instead of assigning individual policies to each subject, assign a role and the subject inherits all the role's policies. A subject can have multiple roles. Roles work for any subject — users, services, or AI agents.
How roles work
- Create a role (e.g.,
editor) - Assign policies to the role (e.g., "can read and write documents")
- Assign the role to subjects (e.g., Alice gets the
editorrole)
Now Alice can read and write documents — through the role-based access path.
Examples
| Role | Typical policies |
|---|---|
viewer | Read-only access to resources |
editor | Read + write access |
admin | Full access including delete |
agent-readonly | Read tools only — no write or delete |
agent-restricted | Approved tools only, no destructive actions |