Overview
Role-Based Access Control (RBAC) in Bifrost Enterprise provides fine-grained access management for your organization. RBAC allows you to define roles with specific permissions, controlling what users can view, create, update, or delete across all Bifrost resources.
Key Benefits:
- Principle of Least Privilege - Grant users only the permissions they need
- Centralized Access Management - Manage all permissions from a single interface
- Audit-Ready - Track who has access to what for compliance requirements
- Flexible Role Design - Use system roles or create custom roles for your organization
RBAC integrates seamlessly with User Provisioning (SCIM), automatically assigning roles based on your IdP groups and claims.
Roles & Permissions
Navigate to Governance → Roles & Permissions in the Bifrost dashboard to manage roles.
System Roles
Bifrost includes three pre-configured system roles that cover common access patterns:
| Role | Permissions | Description |
|---|---|---|
| Admin | 42 | Full access to all resources and operations |
| Developer | 27 | CRUD access to technical resources, view access to logs and cluster |
| Viewer | 14 | Read-only access to all resources |
System roles cannot be deleted, but their permissions can be customized to fit your organization’s needs.
Custom Roles
Create custom roles when system roles don’t match your organizational structure. Custom roles are useful for:
- Specialized Teams - Create roles for QA, Security, or Compliance teams
- Project-Based Access - Limit access to specific resources per project
- Temporary Access - Grant limited permissions for contractors or auditors
To create a custom role:
- Click Add Role in the top-right corner
- Enter a Role Name (e.g., “Auditor”, “QA Team”)
- Add a Description explaining the role’s purpose
- Click Create Role
- Assign permissions using the Manage Permissions dialog
Resources & Operations
RBAC permissions are defined as combinations of Resources and Operations.
Protected Resources
Bifrost protects access to the following resources:
| Resource | Description |
|---|---|
| Logs | Request and response logs |
| ModelProvider | AI model provider configurations |
| Observability | Monitoring and metrics dashboards |
| Plugins | Plugin configurations and management |
| VirtualKeys | Virtual key management |
| UserProvisioning | User and group provisioning settings |
| Users | User account management |
| AuditLogs | Audit trail and compliance logs |
| GuardrailsConfig | Guardrail configurations |
| GuardrailRules | Individual guardrail rules |
| Cluster | Cluster configuration and nodes |
| Settings | Workspace settings |
| MCPGateway | MCP Gateway configurations |
| AdaptiveRouter | Adaptive routing settings |
Operations
Each resource supports up to four operations:
| Operation | Description |
|---|---|
| View | Read-only access to view the resource |
| Create | Ability to create new instances of the resource |
| Update | Ability to modify existing resources |
| Delete | Ability to remove resources |
Managing Permissions
To assign or modify permissions for a role:
- Navigate to Governance → Roles & Permissions
- Click the menu icon (•••) on the role you want to modify
- Select Manage Permissions
The Manage Permissions dialog provides a two-panel interface:
Left Panel - Resources:
- Lists all available resources
- Shows the count of enabled permissions per resource (e.g., “4/4 permissions”)
- Click a resource to view its permissions
Right Panel - Permissions:
- Displays available operations for the selected resource
- Toggle switches to enable/disable each permission
- Shows operation descriptions for clarity
Assigning Permissions
- Select a Resource from the left panel
- Toggle the operations you want to enable for this role
- Repeat for other resources as needed
- Click Save Permissions to apply changes
The footer shows the total permissions count (e.g., “42 of 42 permissions selected”) to help track the role’s access level.
Best Practices
Role Design
- Start with System Roles - Use Admin, Developer, and Viewer as templates
- Follow Least Privilege - Only grant permissions that are necessary
- Document Role Purpose - Use clear descriptions to explain each role’s intent
- Review Regularly - Audit role assignments quarterly
Permission Strategies
For Development Teams:
Developer role + specific resource access based on team focus
- Frontend team: VirtualKeys (View), Logs (View), Observability (View)
- Backend team: ModelProvider (CRUD), Plugins (CRUD), Logs (View)
For Security/Compliance Teams:
Custom "Auditor" role with:
- AuditLogs (View)
- Logs (View)
- GuardrailsConfig (View)
- Users (View)
For Operations Teams:
Custom "Ops" role with:
- Cluster (CRUD)
- Observability (View)
- Logs (View)
- Settings (View, Update)
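To support the quarterly review recommended above, the following added example (not part of the Bifrost documentation or product) parses the grant notation used in these strategies and diffs an intended role against the grants a role actually holds. The `ACTUAL_AUDITOR` sample is constructed, and how you export a role's live grants is left as an assumption.

```python
import re

# Resource and operation names as listed on this page.
RESOURCES = {"Logs", "ModelProvider", "Observability", "Plugins", "VirtualKeys",
             "UserProvisioning", "Users", "AuditLogs", "GuardrailsConfig",
             "GuardrailRules", "Cluster", "Settings", "MCPGateway", "AdaptiveRouter"}
OPERATIONS = ("View", "Create", "Update", "Delete")

def parse_grant(line):
    """Parse 'Settings (View, Update)' or 'Cluster (CRUD)' into (resource, op) pairs."""
    m = re.fullmatch(r"\s*-?\s*(\w+)\s*\(([^)]*)\)\s*", line)
    if not m:
        raise ValueError(f"unparseable grant: {line!r}")
    resource = m.group(1)
    ops = [o.strip() for o in m.group(2).split(",")]
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource: {resource}")
    if ops == ["CRUD"]:
        # Assumption: the resource supports all four operations.
        ops = list(OPERATIONS)
    bad = [o for o in ops if o not in OPERATIONS]
    if bad:
        raise ValueError(f"unknown operation(s) {bad} on {resource}")
    return {(resource, o) for o in ops}

def intended(lines):
    """Union of all grants described by a list of notation lines."""
    return set().union(*(parse_grant(l) for l in lines))

# Intended roles, copied from the strategies above.
AUDITOR = intended(["AuditLogs (View)", "Logs (View)",
                    "GuardrailsConfig (View)", "Users (View)"])
OPS = intended(["Cluster (CRUD)", "Observability (View)",
                "Logs (View)", "Settings (View, Update)"])

def drift(intended_set, actual_set):
    """Return (excess, missing): grants to revoke and grants to restore."""
    return sorted(actual_set - intended_set), sorted(intended_set - actual_set)

# Constructed sample: grants a live "Auditor" role might hold after ad hoc edits.
ACTUAL_AUDITOR = intended(["AuditLogs (View)", "Logs (View)", "Users (View, Update)"])

if __name__ == "__main__":
    excess, missing = drift(AUDITOR, ACTUAL_AUDITOR)
    print("revoke:", excess)
    print("restore:", missing)
```

Any non-empty `excess` list is a least-privilege violation to revoke; a non-empty `missing` list means the role no longer matches its documented purpose.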
Integration with Identity Providers
When using User Provisioning (SCIM) with Okta, Entra, Zitadel, Keycloak, or Google Workspace, roles can be automatically assigned based on:
- IdP Groups - Map identity provider groups to Bifrost roles
- App Roles - Sync application roles from your IdP
- Claims - Use custom claims to determine role assignment
Users authenticated via SSO receive their role assignments automatically on first login, with permissions synchronized on each session.
API Access
Roles and permissions can also be managed via the API:
List all roles:
curl -X GET http://localhost:8080/api/roles \
-H "Authorization: Bearer <admin_token>"
Get role permissions:
curl -X GET http://localhost:8080/api/roles/{role_id}/permissions \
-H "Authorization: Bearer <admin_token>"
Update role permissions:
curl -X PUT http://localhost:8080/api/roles/{role_id}/permissions \
-H "Authorization: Bearer <admin_token>" \
-H "Content-Type: application/json" \
-d '{
"permission_ids": [1, 2, 3, 4, 5]
}'
Create a custom role:
curl -X POST http://localhost:8080/api/roles \
-H "Authorization: Bearer <admin_token>" \
-H "Content-Type: application/json" \
-d '{
"name": "Auditor",
"description": "Read-only access for compliance auditing"
}'