Authorization & Access Control

ART combines RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) to provide both structured role management and fine-grained permission control.

RBAC defines permissions through roles assigned to users. Roles determine the operations and resources accessible to a user within the platform or runtime communication layer.

ABAC extends authorization by applying contextual scopes and attributes to permissions. This enables administrators to define more granular access boundaries based on operational requirements, environments, resources, or permission scopes.

By combining RBAC and ABAC, ART provides centralized authorization management while maintaining flexible and scalable access control.

The authorization system is divided into two independent layers:

Application Authorization

Application authorization governs access to the ART platform and administrative resources. This includes access control for workspace management, billing, subscriptions, environments, agent builder resources, ADK configuration, and other platform-level operations.

Permissions are assigned to application users through roles and scoped attributes managed within the workspace.

  • Workspace management: When a new user registers and creates a workspace, they automatically become the workspace owner and are granted administrative privileges for that workspace. Workspace owners have full administrative control over workspace resources and authorization configurations.

  • User management: Workspace administrators can invite additional users into the workspace and manage their access permissions. Administrators can:

    • Invite or remove users
    • Assign or revoke roles
    • Define permission scopes and attributes
    • Control access to platform resources and operations
    • Manage organization-level administrative permissions
  • Role and permission management: Admin can create the roles to assign to the

Authorization policies are enforced centrally across all platform resources associated with the workspace.

Connection User Authorization

Connection user authorization governs access to real-time communication resources used through WebSocket connections.

This authorization layer controls how connection users interact with channels, including:

  • Channel subscription permissions
  • Message publishing permissions
  • Read-only access
  • Full channel access

Permissions are enforced using role assignments and channel-level access mappings configured by workspace administrators.
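The following added example (not ART's API or code) sketches how role assignments, scoped attributes and channel-level access mappings can be evaluated together with a deny-by-default decision. The `Grant` structure, glob-style channel patterns, the `environment` attribute, the sample policy and the way the four access levels expand into operations are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed expansion of the four access levels above into channel operations.
LEVEL_OPS = {
    "subscribe": {"subscribe"},
    "publish": {"publish"},
    "read_only": {"subscribe"},
    "full": {"subscribe", "publish"},
}

@dataclass
class Grant:
    role: str             # RBAC: role this mapping belongs to
    channel_pattern: str  # channel-level mapping (glob syntax is an assumption)
    level: str            # one of the keys in LEVEL_OPS
    scope: dict           # ABAC: attributes the request context must match

# Constructed sample policy, not taken from ART.
GRANTS = [
    Grant("viewer", "alerts.*", "read_only", {"environment": "prod"}),
    Grant("operator", "alerts.*", "full", {"environment": "staging"}),
    Grant("operator", "alerts.*", "read_only", {"environment": "prod"}),
    Grant("ingest", "telemetry.raw", "publish", {}),
]

def is_allowed(roles, context, channel, operation, grants=GRANTS):
    """Return True only if some grant matches role, scope, channel and operation."""
    if operation not in ("subscribe", "publish"):
        return False  # unknown operations are never granted
    for g in grants:
        if g.role not in roles:
            continue  # RBAC: the user does not hold this role
        if not fnmatchcase(channel, g.channel_pattern):
            continue  # mapping does not cover this channel
        if any(context.get(k) != v for k, v in g.scope.items()):
            continue  # ABAC: a missing or different attribute fails the scope
        if operation in LEVEL_OPS.get(g.level, set()):
            return True
    return False  # deny by default

if __name__ == "__main__":
    ctx = {"environment": "prod"}
    print(is_allowed({"viewer"}, ctx, "alerts.cpu", "subscribe"))  # read-only role can subscribe
    print(is_allowed({"viewer"}, ctx, "alerts.cpu", "publish"))    # but cannot publish
```

The same role can resolve to different access depending on the scope attributes, which is the behavior to cover in policy tests: one case per role, per scope value, plus a request with the attribute missing.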