Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion modules/control/pages/permissions-overview.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
:learning-objective-3: Identify which built-in role grants the permissions a user or service account needs

// Source: `cloudv2` `pkg/permissions/permissions_constants.go`, `apps/aigw/internal/llm/authz.go`, `apps/aigw/internal/mcp/authz.go`, and `apps/ai-agent/internal/agent/authorization.go` on origin/main, verified 2026-05-18.
// Transcript permissions and the TranscriptReader role verified against cloudv2 commit 6dfd3b3 (PR #26829), 2026-06-08.
// TODO: confirm screenshots of the role-binding flow in the Cloud UI once UX-790 (Console-side fine-grained authZ) ships.

The Agentic Data Plane uses Redpanda's role-based access control (RBAC) to gate every API call. Each LLM provider, MCP server, agent, pipeline, knowledge base, and governance endpoint enforces a specific permission, and you assign permissions to users and service accounts by binding them to a role. This page explains the three-layer model so you can pick the right built-in role for a workload, or compose your own.
Expand Down Expand Up @@ -34,6 +35,7 @@ ADP permissions live in the following families, named by the namespace prefix:
* `dataplane_adp_mcpserver_*`: Manage and call MCP servers (CRUD plus runtime operations like `tools_call` and `resources_read`).
* `dataplane_adp_llmprovider_*`: Manage LLM providers and proxy LLM requests through AI Gateway. The `_invoke` permission is what your applications need at runtime.
* `dataplane_adp_agent_*` and `dataplane_adp_agent_credential_*`: Manage declarative AI agents and the OIDC credentials issued to them.
* `dataplane_adp_transcript_*`: Read agent conversation transcripts. Granted by the dedicated TranscriptReader role (and Admin), not by Writer or Reader, because transcripts carry full conversation content.
* `dataplane_adp_spending_*`: Read AI spending data for governance and cost reporting.
* `dataplane_aiagent_a2a_*`: Invoke agent-to-agent (A2A) operations on running agents.
* `dataplane_aigateway_*`: Manage enterprise AI Gateway features (rate limits, spend limits, guardrails, model providers, audit, pricing, IAM).
Expand All @@ -47,7 +49,7 @@ For the full list of permissions and which built-in role grants each one, see xr

== Built-in roles

ADP includes the following built-in roles. Admin, Writer, and Reader are general-purpose. The remaining roles are narrow Invoker roles for runtime-only access.
ADP includes the following built-in roles. Admin, Writer, and Reader are general-purpose. The remaining roles are narrow: a set of Invoker roles for runtime-only access, plus TranscriptReader for reading agent conversation transcripts.

[cols="1,3"]
|===
Expand All @@ -62,6 +64,9 @@ ADP includes the following built-in roles. Admin, Writer, and Reader are general
|*Reader*
|Read-only access (`_get` and `_list`) across the same APIs, plus MCP runtime read operations such as `resources_list` and `prompts_get`. No create, update, delete, or invoke. Use for auditors, evaluators, and stakeholders who need visibility without mutation rights.

|*TranscriptReader*
|Transcript reads only: `dataplane_adp_transcript_get` and `dataplane_adp_transcript_list`. Transcripts carry full conversation content, so this access is granted through a dedicated role rather than bundled into Reader or Writer. Use for users and service accounts that read agent conversation transcripts. Provisioned for organizations with an ADP cluster.

|*AIAgentInvoker*
|A2A runtime only: `message_send`, `message_stream`, and the task lifecycle (`get`, `list`, `cancel`, `subscribe`). Use for service accounts that consume agents over A2A but should not manage them.

Expand Down
33 changes: 33 additions & 0 deletions modules/control/pages/permissions-reference.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
:learning-objective-3: Identify the operation each permission gates

// Source: `cloudv2` `pkg/permissions/permissions_constants.go` on origin/main, verified 2026-05-18.
// Transcript permissions and the TranscriptReader role verified against cloudv2 commit 6dfd3b3 (PR #26829), 2026-06-08.

Every Redpanda ADP API call enforces a single permission. This reference lists every ADP-namespaced permission, the operation it gates, and which built-in role grants it.

Expand All @@ -28,6 +29,8 @@ Each table column means the same thing across every namespace.

The Admin role grants every permission and is omitted from individual rows for brevity. Permissions that only resolve on ADP-enabled clusters carry no separate mark; the gating is automatic.

The transcript namespace adds a TranscriptReader column in place of the Invoker column. Those permissions are granted by a dedicated role, not by the general-purpose Writer and Reader roles.

== MCP server permissions

The `dataplane_adp_mcpserver_*` permissions gate both server management (CRUD) and the MCP protocol calls a client makes against a running server.
Expand Down Expand Up @@ -232,6 +235,33 @@ The `dataplane_adp_agent_credential_*` permissions gate the OIDC client credenti
|
|===

[[transcript-permissions]]
== Transcript permissions

The `dataplane_adp_transcript_*` permissions gate read access to agent conversation transcripts. Because transcripts carry the full content of an agent's conversations (system prompts, user messages, tool arguments, and model output), these permissions stay out of the broad Writer and Reader defaults. Only the dedicated TranscriptReader role and Admin grant them. See xref:monitor:transcripts.adoc[] for what a transcript records.

[cols="2,2,1,1,1"]
|===
|Permission |Operation |Writer |Reader |TranscriptReader

|`dataplane_adp_transcript_get`
|View a single agent conversation transcript
|
|
|✓

|`dataplane_adp_transcript_list`
|List agent conversation transcripts
|
|
|✓
|===

[NOTE]
====
Transcript access is no longer bundled with agent read access. A principal that can view an agent's configuration through `dataplane_adp_agent_get` cannot read that agent's transcripts unless it also holds the TranscriptReader role (or Admin). Grant TranscriptReader to the users and service accounts that need to read conversation content.
====

== Spending permissions

The `dataplane_adp_spending_*` permissions gate the governance APIs that surface AI spend, request counts, and token volume. See xref:control:budgets.adoc[] for what spending data ADP records automatically.
Expand Down Expand Up @@ -449,6 +479,9 @@ The `dataplane_knowledgebase_*` permissions gate retrieval-augmented generation
|*Reader*
|Auditors and evaluators who need visibility without mutation rights. Grants `_get` and `_list` plus MCP runtime read methods.

|*TranscriptReader*
|Users and service accounts that read agent conversation transcripts. Grants `dataplane_adp_transcript_get` and `dataplane_adp_transcript_list`, which stay out of the Writer and Reader roles because transcripts carry full conversation content. Provisioned for organizations with an ADP cluster.

|*AIAgentInvoker*
|Service accounts that send messages to agents over A2A without managing them.

Expand Down
3 changes: 2 additions & 1 deletion modules/monitor/pages/concepts.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -316,7 +316,8 @@ The `redpanda.otel_traces` topic has a predefined retention policy. Configuratio
The topic persists even after all agents and MCP servers are deleted, allowing you to retain historical trace data for analysis.

Transcripts may contain sensitive information from your tool inputs and outputs. Review the data in transcripts before sharing or exporting to external systems.
// TODO: Re-add guidance on ACL scoping for `redpanda.otel_traces` once the standalone-ADP permission model lands. Today's wording assumed users manage topic ACLs on their own Redpanda Cloud cluster, which won't apply when ADP is a separate product surface.

Read access to transcript data is governed by the TranscriptReader role rather than by topic ACLs on `redpanda.otel_traces`. See xref:control:permissions-reference.adoc#transcript-permissions[Transcript permissions].

== Transcripts compared to audit logs

Expand Down
5 changes: 2 additions & 3 deletions modules/monitor/pages/transcripts.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ After reading this page, you will be able to:
== Prerequisites

* xref:connect:create-agent.adoc[Running agent] or xref:connect:create-server.adoc[MCP server] with at least one execution
* Permission to read the `redpanda.otel_traces` glossterm:topic[] that backs the Transcripts view
* The xref:control:permissions-reference.adoc#transcript-permissions[TranscriptReader role] (or Admin). Transcript reads are not part of the default Reader or Writer roles.

== Open the Transcripts view

Expand Down Expand Up @@ -191,8 +191,7 @@ For long-running conversations, accept some reconstruction; for short conversati
=== Transcript missing entirely

* Confirm the agent or MCP server actually ran: Check its logs and the corresponding session or task topic.
* Confirm your user has read access to `redpanda.otel_traces`.
// TODO: Replace with the standalone-ADP permission model once available.
* Confirm your user holds the TranscriptReader role (or Admin). Transcript reads require the `dataplane_adp_transcript_get` and `dataplane_adp_transcript_list` permissions, which are not part of the default Reader or Writer roles. See xref:control:permissions-reference.adoc#transcript-permissions[Transcript permissions].
* Confirm the feature flag enabling Transcripts is on for your environment.

== Next steps
Expand Down