Skip to main content

Roles

Roles group permissions together. Instead of assigning individual policies to each subject, assign a role and the subject inherits all the role's policies. A subject can have multiple roles. Roles work for any subject — users, services, or AI agents.

How roles work

  1. Create a role (e.g., editor)
  2. Assign policies to the role (e.g., "can read and write documents")
  3. Assign the role to subjects (e.g., Alice gets the editor role)

Now Alice can read and write documents — through the role-based access path.

Examples

RoleTypical policies
viewerRead-only access to resources
editorRead + write access
adminFull access including delete
agent-readonlyRead tools only — no write or delete
agent-restrictedApproved tools only, no destructive actions