Org in a Box

RBAC & Permissions

Role-based access control — system roles, permission model, and Azure AD group mapping.

Current behavior: the schema and permission helpers support owner/admin/member/viewer roles today. The browser SSO callback currently creates tenant users and assigns the default in-app role; automatic Azure AD group-to-role mapping is not fully enforced in the checked-in callback flow yet.

System Roles

Four roles are seeded automatically when a tenant is created:

Role   | Description
owner  | All permissions including manage_tenant.
admin  | All permissions except manage_tenant.
member | Create/use agents, read/write own memories, read team memories.
viewer | Read-only access to sessions and memories. No agent execution.

Permission Structure

interface RbacPermissions {
  agents: {
    create: boolean
    delete: boolean
    configure: boolean
    use_templates: string[]  // template slugs or "*"
  }
  memory: {
    read_own: boolean
    read_team: boolean
    read_org: boolean
    write: boolean
    delete: boolean
    share: boolean
  }
  tools: {
    allowed: string[]   // tool names or "*"
    denied: string[]
  }
  admin: {
    manage_users: boolean
    manage_roles: boolean
    manage_templates: boolean
    manage_providers: boolean
    view_audit_log: boolean
    manage_tenant: boolean
  }
  cost: {
    monthly_limit_usd?: number
    per_request_limit_usd?: number
  }
}

A user's effective permissions are the union of the permissions of every role assigned to them: a permission is granted if any assigned role grants it. The wildcard "*" in tools.allowed grants every tool.
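The following is an added example, not code from Org in a Box or from @orginabox/core/rbac: it shows one way to compute the union described above over the partial permission objects that custom roles are stored with, and then to answer tool and memory checks against the result. The merge rules are my assumptions, not stated on this page: boolean flags OR together, string lists union and collapse to ["*"] when a wildcard is present, an explicit tools.denied entry wins over tools.allowed, and a cost limit survives only when every role sets one (the largest value wins). The canUseTool and canReadMemory functions here are stand-ins with the same names as the library's, not the library's implementation.

```typescript
// Added example (not Org in a Box's own code): merge the RbacPermissions of
// several roles into one effective permission set and check it.

interface RbacPermissions {
  agents: { create: boolean; delete: boolean; configure: boolean; use_templates: string[] }
  memory: { read_own: boolean; read_team: boolean; read_org: boolean; write: boolean; delete: boolean; share: boolean }
  tools: { allowed: string[]; denied: string[] }
  admin: {
    manage_users: boolean; manage_roles: boolean; manage_templates: boolean
    manage_providers: boolean; view_audit_log: boolean; manage_tenant: boolean
  }
  cost: { monthly_limit_usd?: number; per_request_limit_usd?: number }
}

// A stored role may omit sections and keys (the "data-team" role in the docs
// does), so accept a partial shape and treat anything missing as not granted.
type RolePermissions = { [S in keyof RbacPermissions]?: Partial<RbacPermissions[S]> }

// Deny-by-default starting point for the merge.
export function emptyPermissions(): RbacPermissions {
  return {
    agents: { create: false, delete: false, configure: false, use_templates: [] },
    memory: { read_own: false, read_team: false, read_org: false, write: false, delete: false, share: false },
    tools: { allowed: [], denied: [] },
    admin: { manage_users: false, manage_roles: false, manage_templates: false,
             manage_providers: false, view_audit_log: false, manage_tenant: false },
    cost: {},
  }
}

// OR every boolean key of `target` with the same key in `source`; non-boolean keys are untouched.
function orFlags<T extends object>(target: T, source?: Partial<T>): void {
  for (const key of Object.keys(target) as (keyof T)[]) {
    const cur: unknown = target[key]
    const src: unknown = source?.[key]
    if (typeof cur === "boolean") {
      target[key] = (cur || src === true) as unknown as T[keyof T]
    }
  }
}

// Union of two string lists; a wildcard anywhere collapses the list to ["*"].
function unionList(a: string[], b: string[]): string[] {
  const merged = new Set([...a, ...b])
  return merged.has("*") ? ["*"] : [...merged].sort()
}

// Assumption: a role without a limit means "no limit", otherwise the largest limit wins.
function mergeLimit(a?: number, b?: number): number | undefined {
  return a === undefined || b === undefined ? undefined : Math.max(a, b)
}

export function mergePermissions(roles: RolePermissions[]): RbacPermissions {
  const out = emptyPermissions()
  let first = true
  for (const role of roles) {
    orFlags(out.agents, role.agents)
    orFlags(out.memory, role.memory)
    orFlags(out.admin, role.admin)
    out.agents.use_templates = unionList(out.agents.use_templates, role.agents?.use_templates ?? [])
    out.tools.allowed = unionList(out.tools.allowed, role.tools?.allowed ?? [])
    out.tools.denied = unionList(out.tools.denied, role.tools?.denied ?? [])   // denies accumulate
    out.cost.monthly_limit_usd = first ? role.cost?.monthly_limit_usd
      : mergeLimit(out.cost.monthly_limit_usd, role.cost?.monthly_limit_usd)
    out.cost.per_request_limit_usd = first ? role.cost?.per_request_limit_usd
      : mergeLimit(out.cost.per_request_limit_usd, role.cost?.per_request_limit_usd)
    first = false
  }
  return out
}

// Explicit deny wins; otherwise the tool must be listed or covered by "*".
export function canUseTool(perms: RbacPermissions, tool: string): boolean {
  const { allowed, denied } = perms.tools
  if (denied.includes("*") || denied.includes(tool)) return false
  return allowed.includes("*") || allowed.includes(tool)
}

export function canReadMemory(perms: RbacPermissions, scope: "own" | "team" | "org"): boolean {
  if (scope === "own") return perms.memory.read_own
  if (scope === "team") return perms.memory.read_team
  return perms.memory.read_org
}

// Constructed sample roles: DATA_TEAM is the custom role from the docs; the others
// approximate seeded roles and are not the project's actual seed data.
export const DATA_TEAM: RolePermissions = {
  agents: { create: true, use_templates: ["data-engineer"] },
  memory: { read_own: true, read_team: true, write: true },
  tools: { allowed: ["bash", "read", "write"], denied: [] },
}
export const VIEWER: RolePermissions = { memory: { read_own: true, read_team: true } }
export const OWNER: RolePermissions = {
  agents: { create: true, delete: true, configure: true, use_templates: ["*"] },
  memory: { read_own: true, read_team: true, read_org: true, write: true, delete: true, share: true },
  tools: { allowed: ["*"], denied: [] },
  admin: { manage_users: true, manage_roles: true, manage_templates: true,
           manage_providers: true, view_audit_log: true, manage_tenant: true },
}
export const NO_SHELL: RolePermissions = { tools: { denied: ["bash"] } }

console.log(canUseTool(mergePermissions([DATA_TEAM, VIEWER]), "bash"))   // prints true
```

A role with an empty permission object contributes nothing, which is the safe direction: a misconfigured or truncated role can only fail closed under this merge. The deny-wins rule means a narrow "no shell" role can be stacked on top of a broad one to carve out a tool without editing the broad role.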

Azure AD Group Mapping

The intended contract is to map Azure AD group object IDs to OIAB roles in tenant settings. That schema shape exists, but the checked-in browser callback flow does not yet auto-apply those mappings on login.

Target settings shape:

PATCH /v1/admin/tenant
{
  "settings": {
    "groupRoleMapping": {
      "00000000-0000-0000-0000-000000000001": "admin",
      "00000000-0000-0000-0000-000000000002": "member",
      "00000000-0000-0000-0000-000000000003": "viewer"
    }
  }
}

Today, role assignment after browser SSO is still handled in-app rather than by a finished groups-claim mapping pipeline.
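The following is an added example of the intended contract, not Org in a Box's checked-in callback code, which (as stated above) does not apply these mappings yet. It takes the groupRoleMapping shape from the PATCH example and the "groups" claim of an Azure AD ID token and returns the roles to assign. My assumptions, not from the docs: group object IDs are compared case-insensitively, a mapping value that is not a role in the tenant is reported rather than assigned, and a login that matches nothing falls back to a least-privilege default; the defaultRole setting name is hypothetical.

```typescript
// Added example (not Org in a Box's own code): resolve OIAB roles from the
// groups claim of an Azure AD token using the tenant's groupRoleMapping.

type GroupRoleMapping = Record<string, string>

interface TenantSettings {
  groupRoleMapping?: GroupRoleMapping
  defaultRole?: string        // hypothetical setting; not in the docs
}

interface RoleResolution {
  roles: string[]             // role names to assign, de-duplicated and sorted
  source: "groups" | "default"
  unmappedGroups: string[]    // token groups with no mapping entry (ignored)
  unknownRoles: string[]      // mapping values that are not roles in this tenant
}

export function rolesFromGroups(
  settings: TenantSettings,
  tokenGroups: string[] | undefined,   // the token's "groups" claim, if present
  tenantRoles: string[],               // role names as listed by GET /v1/admin/roles
): RoleResolution {
  const byGroup = new Map<string, string>()
  for (const [gid, role] of Object.entries(settings.groupRoleMapping ?? {})) {
    byGroup.set(gid.toLowerCase(), role)
  }
  const known = new Set(tenantRoles)
  const roles = new Set<string>()
  const unmappedGroups: string[] = []
  const unknownRoles: string[] = []

  // Azure AD omits the groups claim when a user belongs to more groups than fit
  // in the token (the "overage" case); treat a missing claim like an empty one
  // so the login falls back to the default rather than failing open.
  for (const gid of tokenGroups ?? []) {
    const role = byGroup.get(gid.toLowerCase())
    if (role === undefined) unmappedGroups.push(gid)
    else if (!known.has(role)) unknownRoles.push(role)   // typo in settings, not a grant
    else roles.add(role)
  }

  if (roles.size > 0) {
    return { roles: [...roles].sort(), source: "groups", unmappedGroups, unknownRoles }
  }
  // Nothing matched: use the configured default, or the read-only viewer role.
  const fallback = settings.defaultRole ?? "viewer"
  return { roles: known.has(fallback) ? [fallback] : [], source: "default", unmappedGroups, unknownRoles }
}

// Constructed sample: the mapping from the PATCH example above and the four seeded role names.
export const SAMPLE_SETTINGS: TenantSettings = {
  groupRoleMapping: {
    "00000000-0000-0000-0000-000000000001": "admin",
    "00000000-0000-0000-0000-000000000002": "member",
    "00000000-0000-0000-0000-000000000003": "viewer",
  },
}
export const SEEDED_ROLES = ["owner", "admin", "member", "viewer"]
```

The unmappedGroups and unknownRoles fields exist so the callback can log them: an unknown role name usually means a typo in groupRoleMapping that silently downgrades a whole group to the default, and a long unmapped list on every login is the symptom to look for when the overage case is suspected.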

Managing Roles

View current roles

GET /v1/admin/roles

Create a custom role

POST /v1/admin/roles
{
  "name": "data-team",
  "permissions": {
    "agents": { "create": true, "use_templates": ["data-engineer"] },
    "memory": { "read_own": true, "read_team": true, "write": true },
    "tools": { "allowed": ["bash", "read", "write"], "denied": [] },
    "admin": { "manage_users": false, "manage_roles": false, "manage_templates": false, "manage_providers": false, "view_audit_log": false, "manage_tenant": false }
  }
}

Assign a role to a user

POST /v1/admin/users/:userId/roles
{ "roleId": "uuid-of-role" }

Checking Permissions at Runtime

import { resolveUserPermissions, canUseTool, canReadMemory } from "@orginabox/core/rbac"

const perms = await resolveUserPermissions(db, userId, tenantId)
if (canUseTool(perms, "bash")) {
  // allow
}
