Step 6: Enforce RBAC
Apply fine-grained access control so that each agent receives only the permissions it needs.
Assign Roles and Scopes
- Navigate to Administration > RBAC > Role Bindings
- Create a role binding for the agent:
  - Subject: Select the agent's client identity
  - Role: Assign the appropriate role (e.g., data-processor)
  - Scope: Optionally restrict to a specific scope (e.g., project:ml-pipeline)
Configure Allowed Scopes on the Client
- Navigate to Administration > Clients
- Select the agent client
- Under Allowed Scopes, add only the scopes the agent should be able to request in its token
Verify via OAuth Scopes Page
- Open the OAuth Scopes page
- Confirm the scopes are correctly defined and associated with the agent's roles
- Test that permissions are properly enforced by requesting a token and verifying its claims
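The verification step above can be scripted. The following is an added example, not code from this product's documentation or SDK: it mints a constructed HS256 token so the check can run offline, verifies the signature, and reports any scope in the token that the client's Allowed Scopes list does not permit, plus any missing expected role. The claim names `scope` (space-separated, as in standard OAuth token responses) and `roles`, the demo signing key, and the sample tokens are all assumptions; a real verifier would validate against the issuer's published signing key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption). Production verification uses the
# issuer's signing key, never a shared secret embedded in a script.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Allowed Scopes configured on the client, mirroring the page's example values.
ALLOWED_SCOPES = {"project:ml-pipeline"}
EXPECTED_ROLE = "data-processor"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT so the check below can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, key: bytes = DEMO_KEY) -> dict:
    """Reject malformed, wrong-alg or badly signed tokens; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust alg=none or a swapped alg
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def audit_token(token: str, allowed_scopes: set, expected_role: str) -> list:
    """Return findings describing where the token exceeds or misses the RBAC policy.

    An empty list means the token carries only allowed scopes and the expected role.
    """
    claims = verify_and_decode(token)
    findings = []
    granted = set(claims.get("scope", "").split())
    for extra in sorted(granted - allowed_scopes):
        findings.append(f"scope not in Allowed Scopes: {extra}")
    if expected_role not in claims.get("roles", []):
        findings.append(f"missing expected role: {expected_role}")
    return findings


# Constructed sample tokens: one that matches the role binding, one over-broad.
GOOD_TOKEN = mint_demo_token(
    {"sub": "agent-client-1", "roles": ["data-processor"], "scope": "project:ml-pipeline"}
)
OVERBROAD_TOKEN = mint_demo_token(
    {"sub": "agent-client-1", "roles": ["viewer"], "scope": "project:ml-pipeline project:billing"}
)


if __name__ == "__main__":
    print("good token:", audit_token(GOOD_TOKEN, ALLOWED_SCOPES, EXPECTED_ROLE))
    print("over-broad token:", audit_token(OVERBROAD_TOKEN, ALLOWED_SCOPES, EXPECTED_ROLE))
```

Run it against a token obtained from the real authorization server by replacing `DEMO_KEY`-based verification with your issuer's key check; the point of `audit_token` is that an empty result is the evidence that the Allowed Scopes and role binding from the previous steps actually hold in the issued token.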
Trust Delegation
Once RBAC is enforced, the agent receives a delegated token containing only the permissions bound to its assigned roles. The agent cannot request or escalate beyond these scopes.
See Trust Delegation for the full flow, including token verification and SDK integration examples.