Roles and Permissions

Welcome to Noorle!

Account: Acme Corp
Owner: alice@acme.com (you)

Next: Invite team members

Console → Settings → Team
├─ Add Member
│  ├─ Email: bob@acme.com
│  ├─ Role: Developer
│  │  (choose: Owner, Admin, Developer, Member)
│  └─ [Send Invite]
│
└─ Bob receives email
   ├─ Click to accept
   ├─ Automatically has Developer role
   └─ Can now create agents, gateways, etc.

User: Developer
Role: Developer (can create agents)

Agent: Research Bot (created by this user)
├─ Permissions: Full (create, read, update, delete)

Agent: Support Bot (created by someone else)
├─ Permissions: Execute only
   (can run it, but not modify)

Gateway: Public Research (shared)
├─ Permissions: Read, Execute
   (can see tools, run them, but not attach capabilities)

Role: Admin
Scope: account
Permissions: create_agent, delete_agent, manage_users

→ Can create/delete any agent in account
→ Can manage all users

User: Developer
Resource: Agent "DataBot"
Permissions: execute, read

→ Can run DataBot
→ Can view DataBot
→ Cannot modify DataBot

Team: Data Team
Resources: All agents tagged "data-pipeline"
Permissions: read, execute

→ All Data Team members can see/run these agents
→ Cannot modify (would need manage permission)

Console → Settings → Team → Custom Roles

Create Role: "Pipeline Engineer"
├─ Can create agents (scope: tagged with "pipeline")
├─ Can execute agents
├─ Can manage API keys (own only)
├─ Cannot delete agents
├─ Cannot access customer data
└─ [Save]

Assign role to: charlie@acme.com

API Key created by: alice (Admin)

Scope: entire account
├─ Permissions: all

Can be scoped to:
├─ Single gateway
├─ Single agent
├─ Specific actions (read, execute, manage)
├─ Time-limited (expires after N days)

API Key: databot-read-only
├─ Creator: alice (Admin)
├─ Scope: Agent "DataBot"
├─ Permissions: read, execute
├─ Expires: 2024-06-30
│
→ Can only read/execute DataBot
→ Cannot create/modify anything
→ Automatically expires

User: bob (Developer)
App: "Analytics Dashboard"
Requested scope: read offline_access

Effective permissions:
├─ Can read only (inherited from user)
├─ Cannot execute (not in scope)
├─ Cannot create (not in scope)
│
→ Even if bob is Admin, app only gets "read"

Agent: "Customer Analysis"
Owner: alice

Share with:
├─ bob@acme.com (Execute, Read)
├─ data-team@acme.com (Execute, Read)
└─ finance-team@acme.com (Read only)

Permissions:
├─ bob can run agent and view results
├─ data-team can run agent and view results
├─ finance-team can only view results (read-only)

Account Level
├─ alice (Owner) → Full control

Gateway Level
├─ Research Gateway
   ├─ alice (inherited: Owner)
   ├─ bob (Developer, shared)
   └─ charlie (Member, shared)

Capability Level
├─ Web Search (attached to Research Gateway)
   ├─ alice can manage/execute
   ├─ bob can execute
   └─ charlie can execute

Agent using Gateway + Capability
├─ alice full control
├─ bob can execute (via gateway + agent share)
├─ charlie can execute (via gateway + agent share)

Audit Log:
├─ 2024-03-22 10:00 | alice | added bob as Admin
├─ 2024-03-22 10:05 | alice | shared Agent "DataBot" with charlie
├─ 2024-03-22 10:10 | bob | created Agent "Report"
├─ 2024-03-22 10:15 | alice | removed charlie from "Data Team"
├─ 2024-03-22 10:20 | bob | executed Agent "DataBot"
└─ 2024-03-22 10:25 | alice | rotated API key

Full history preserved. Searchable by:
├─ User
├─ Action type
├─ Resource
├─ Time range

1. Create account with Developer role
2. Can create own agents and gateways
3. Cannot see others' resources initially
4. Grant read access to shared agents if needed

1. Create account with Member role
2. Share specific agent to execute
3. They can run agent, view results
4. They cannot create or modify anything
5. Revoke access when done

1. Create account with Admin role
2. Can manage team members
3. Can view all resources
4. Can create agents on behalf of team
5. Can moderate access

1. List all resources owned by person
2. Transfer ownership to another team member
3. Remove their account access
4. Revoke API keys
5. Verify in audit log