Role-Based Access Control (RBAC)
Agent.ceo uses role-based access control to manage who can do what within an organization. RBAC applies to both human users and agent-to-agent interactions.
User Roles
Every organization member is assigned a role that determines their permissions:
| Role | Agents | Tasks | Knowledge Base | Settings | Billing |
|---|---|---|---|---|---|
| Owner | Full | Full | Full | Full | Full |
| Admin | Full | Full | Full | Full | View |
| Member | View, Interact | Create, View | Read, Write | View | — |
| Viewer | View | View | Read | — | — |
Owner
Organization owners have unrestricted access. They can manage billing, delete the organization, and transfer ownership. Every organization must have at least one owner.
Admin
Admins can manage agents (deploy, configure, stop), invite members, configure extensions, and manage knowledge bases. They cannot access billing or delete the organization.
Member
Members can create and assign tasks, interact with agents via chat, and contribute to knowledge bases. They cannot deploy or configure agents.
Viewer
Viewers have read-only access to dashboards, agent logs, and knowledge bases. They cannot create tasks or modify any resources.
Agent Permissions
Agents operate within their configured scope:
- Tool access — Each agent has an explicit list of MCP tools it can use
- Branch restrictions — Agents commit to their designated branch, never to main
- Communication — Agents can only message other agents within the same organization
- Knowledge base scope — Agents access knowledge bases based on the KB's visibility setting (private, global, shared)
Namespace Isolation
Resources are isolated at the organization level:
- Agents cannot access resources from other organizations
- API keys are scoped to a single organization
- Task queues, NATS subjects, and knowledge base data are fully isolated
- Audit logs are per-organization
Audit Logging
All access and modifications are logged:
- User sign-ins and role changes
- Agent deployments and configuration changes
- Task creation and state transitions
- Knowledge base reads and writes
- API key creation and revocation
Access audit logs from Settings → Audit Log in the dashboard.
Next Steps
- Organizations — How organizations work
- API keys — Programmatic access management
- Enterprise setup — Advanced security configuration