
Role-Based Access Control for AI Agents

Author: Venkata Sudhakar

AI agents that can take actions - querying databases, updating records, sending emails, or processing refunds - pose a significant security risk if they execute without checking who is asking and what they are allowed to do. ShopMax India's AI agent handles tasks ranging from checking product stock (safe for all users) to issuing full refunds (restricted to senior support staff) to accessing raw order databases (restricted to data analysts). Without Role-Based Access Control (RBAC), a junior agent or a customer-facing chatbot could be manipulated into performing privileged operations.

RBAC for AI agents works by associating each agent action (a tool or function) with a required role, and each user session with a set of granted roles. Before the agent executes any action, a permissions check verifies that the requesting user's roles include at least one role that is authorized for that action. The agent's tool definitions include a roles field, and an authorization layer wraps each tool call. This is implemented as a decorator or middleware so the business logic in each tool stays clean and focused on its task.

The example below defines a ShopMax India AI agent with three tools of different privilege levels. The RBAC decorator intercepts each call, checks the user's roles, and raises an authorization error before the tool body runs if the user lacks permission.
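The original listing did not survive in this copy of the page; what follows is an added example, not the author's code, that implements the decorator pattern described above and produces the output shown below. The UserSession object, the audit log, and the sample stock count, order id and refund amount are assumptions made for the example.

```python
import functools
from dataclasses import dataclass
from datetime import datetime, timezone

class AuthorizationError(Exception):
    """Raised by the RBAC layer before a tool body runs."""
@dataclass(frozen=True)
class UserSession:
    user_id: str
    roles: frozenset  # granted when the session is created, never set from model output

AUDIT_LOG = []  # one record per attempted tool call, allowed or blocked (assumed structure)
def requires_role(*allowed_roles):
    """Deny by default: refuse the call unless the session holds one of allowed_roles."""
    allowed = frozenset(allowed_roles)
    def decorator(tool_fn):
        @functools.wraps(tool_fn)
        def wrapper(session, *args, **kwargs):
            permitted = not session.roles.isdisjoint(allowed)
            AUDIT_LOG.append({"user": session.user_id, "roles": sorted(session.roles),
                              "tool": tool_fn.__name__, "allowed": permitted,
                              "ts": datetime.now(timezone.utc).isoformat()})
            if not permitted:  # checked before the tool body ever runs
                raise AuthorizationError(f"User lacks permission to call: {tool_fn.__name__}")
            return tool_fn(session, *args, **kwargs)
        return wrapper
    return decorator

# Three tools of increasing privilege; stock count, order id and amount are constructed samples.
@requires_role("customer", "support_senior", "analyst")
def check_stock(session, product):
    return f"Stock for {product}: 142 units available in Delhi warehouse"
@requires_role("support_senior")
def issue_refund(session, order_id, amount):
    return f"Refund of Rs {amount} issued for order {order_id}"
@requires_role("analyst")
def query_order_db(session, sql):
    return "Query executed. Returned 47 rows from orders table."

def run_agent(session):
    """Attempt every tool for the session; map tool name to its result or a BLOCKED message."""
    results = {}
    for tool, args in ((check_stock, ("Samsung Galaxy S24",)),
                       (issue_refund, ("ORD-8821", 74999.0)),
                       (query_order_db, ("SELECT * FROM orders",))):
        try:
            results[tool.__name__] = tool(session, *args)
        except AuthorizationError as exc:
            results[tool.__name__] = f"BLOCKED: {exc}"
    return results
```

Calling run_agent once per role (customer, support_senior, analyst) and printing each name/result pair reproduces the output below; a session with an empty role set is refused every tool, which is the fail-closed behaviour the check is meant to give.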


Running it for a customer, a senior support user and an analyst produces the following output:

User roles: ['customer']
check_stock -> Stock for Samsung Galaxy S24: 142 units available in Delhi warehouse
issue_refund -> BLOCKED: User lacks permission to call: issue_refund
query_order_db -> BLOCKED: User lacks permission to call: query_order_db

User roles: ['support_senior']
check_stock -> Stock for Samsung Galaxy S24: 142 units available in Delhi warehouse
issue_refund -> Refund of Rs 74999.0 issued for order ORD-8821
query_order_db -> BLOCKED: User lacks permission to call: query_order_db

User roles: ['analyst']
check_stock -> Stock for Samsung Galaxy S24: 142 units available in Delhi warehouse
issue_refund -> BLOCKED: User lacks permission to call: issue_refund
query_order_db -> Query executed. Returned 47 rows from orders table.

In production, store role assignments in a database and load them at session start rather than hardcoding them. For ShopMax India's LangChain or LangGraph agents, wrap each tool as a StructuredTool with an rbac_check call at the top of the tool function. If the agent is orchestrating sub-agents, propagate the user's role context through the entire call chain so a low-privilege outer agent cannot invoke a high-privilege inner agent. Audit every tool call with the user ID, roles, tool name, and timestamp to maintain a compliance trail for sensitive operations like refunds and database queries.
