Roles & access

SARB has four kinds of principal. Who you are decides what you can see and change — and every security-relevant action is written to an append-only audit log.

The four principals

PrincipalWhat it isWhat it can do
AdminA signed-in user with the admin roleEverything a member can, plus manage users, invitations, groups, tenant variables, email settings, and the audit log; sees every agent, credential, and run in the tenant.
MemberA signed-in user with the member roleCreate and run agents and credentials; see resources that are their own, shared with a group they're in, or tenant-visible. Cannot manage users, groups, or tenant settings.
Machine tokenA personal access token (PAT)Tenant-trusted automation: reads and writes all agents, credentials, and runs in its tenant, but cannot manage users, groups, invitations, settings, or variables. Treat it like a tenant-wide key.
EmbedderA signed tenant assertion from a host appSame tenant-trusted access as a machine token, established by a signed assertion rather than a token.

Visibility: private, shared, tenant

Every agent and credential a member creates is private by default — only its owner and admins see it. The owner can share it: with specific groups (optionally granting edit), or with the whole tenant.

  • Private — the owner and admins only.
  • Shared — the owner, admins, and members of the named groups; a group can be view-only or allowed to edit.
  • Tenant — every member of the tenant.

Machine tokens and embedder assertions are tenant-trusted: they bypass visibility filtering and see everything in their tenant. RBAC is a concern of human sessions.

Runs follow their agent

A run's inputs, outputs, step traces, live event stream, and downloadable files are visible exactly to whoever can see the run's agent — reading or cancelling a run by its id is refused if you cannot see the agent. Holding a run id is not, by itself, permission to read it.

Publishing checks use-rights

You can only publish an agent that uses credentials you're allowed to use. Referencing another user's private credential is refused at publish time — never silently run with access you don't have.

Everything is audited

Logins, credential and agent changes, sharing changes, invitations, publishes, run cancellations, blob downloads, and admin actions all land in an append-only audit log — actor, action, and IP — with secrets excluded by construction. Admins read it under Audit.