
Overview

Role-Based Access Control (RBAC) in Bifrost Enterprise provides fine-grained access management for your organization. RBAC allows you to define roles with specific permissions, controlling what users can view, create, update, or delete across all Bifrost resources.
Key Benefits:
  • Principle of Least Privilege - Grant users only the permissions they need
  • Centralized Access Management - Manage all permissions from a single interface
  • Audit-Ready - Track who has access to what for compliance requirements
  • Flexible Role Design - Use system roles or create custom roles for your organization
RBAC integrates seamlessly with Identity Provider authentication, automatically assigning roles based on your IdP groups and claims.

Roles & Permissions

Navigate to Governance > Roles & Permissions in the Bifrost dashboard to manage roles.

System Roles

Bifrost includes three pre-configured system roles that cover common access patterns:
Role | Permissions | Description
Admin | 42 | Full access to all resources and operations
Developer | 27 | CRUD access to technical resources, view access to logs and cluster
Viewer | 14 | Read-only access to all resources
System roles cannot be deleted, but their permissions can be customized to fit your organization’s needs.

Custom Roles

Create custom roles when system roles don’t match your organizational structure. Custom roles are useful for:
  • Specialized Teams - Create roles for QA, Security, or Compliance teams
  • Project-Based Access - Limit access to specific resources per project
  • Temporary Access - Grant limited permissions for contractors or auditors
To create a custom role:
  1. Click Add Role in the top-right corner
  2. Enter a Role Name (e.g., “Auditor”, “QA Team”)
  3. Add a Description explaining the role’s purpose
  4. Click Create Role
  5. Assign permissions using the Manage Permissions dialog

Resources & Operations

RBAC permissions are defined as combinations of Resources and Operations.

Protected Resources

Bifrost protects access to the following resources:
Resource | Description
Logs | Request and response logs
ModelProvider | AI model provider configurations
Observability | Monitoring and metrics dashboards
Plugins | Plugin configurations and management
VirtualKeys | Virtual key management
UserProvisioning | User and group provisioning settings
Users | User account management
AuditLogs | Audit trail and compliance logs
GuardrailsConfig | Guardrail configurations
GuardrailRules | Individual guardrail rules
Cluster | Cluster configuration and nodes
Settings | Workspace settings
MCPGateway | MCP Gateway configurations
AdaptiveRouter | Adaptive routing settings

Operations

Each resource supports up to four operations:
Operation | Description
View | Read-only access to view the resource
Create | Ability to create new instances of the resource
Update | Ability to modify existing resources
Delete | Ability to remove resources

Managing Permissions

To assign or modify permissions for a role:
  1. Navigate to Governance > Roles & Permissions
  2. Click the menu icon (•••) on the role you want to modify
  3. Select Manage Permissions
The Manage Permissions dialog provides a two-panel interface:
Left Panel - Resources:
  • Lists all available resources
  • Shows the count of enabled permissions per resource (e.g., “4/4 permissions”)
  • Click a resource to view its permissions
Right Panel - Permissions:
  • Displays available operations for the selected resource
  • Toggle switches to enable/disable each permission
  • Shows operation descriptions for clarity

Assigning Permissions

  1. Select a Resource from the left panel
  2. Toggle the operations you want to enable for this role
  3. Repeat for other resources as needed
  4. Click Save Permissions to apply changes
The footer shows the total permissions count (e.g., “42 of 42 permissions selected”) to help track the role’s access level.

Best Practices

Role Design

  • Start with System Roles - Use Admin, Developer, and Viewer as templates
  • Follow Least Privilege - Only grant permissions that are necessary
  • Document Role Purpose - Use clear descriptions to explain each role’s intent
  • Review Regularly - Audit role assignments quarterly

Permission Strategies

For Development Teams:
Developer role + specific resource access based on team focus
- Frontend team: VirtualKeys (View), Logs (View), Observability (View)
- Backend team: ModelProvider (CRUD), Plugins (CRUD), Logs (View)
For Security/Compliance Teams:
Custom "Auditor" role with:
- AuditLogs (View)
- Logs (View)
- GuardrailsConfig (View)
- Users (View)
For Operations Teams:
Custom "Ops" role with:
- Cluster (CRUD)
- Observability (View)
- Logs (View)
- Settings (View, Update)
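
One way to turn the strategies above into a reviewable baseline, as an added example that is not part of Bifrost: it parses the shorthand used above into (resource, operation) pairs and diffs a role's current grants against the intended set. The `live_auditor` data is constructed, and how a role's real grants are exported is left out because the API response format is not shown on this page.

```python
import re

# Resource and operation names as listed in the tables on this page.
RESOURCES = {
    "Logs", "ModelProvider", "Observability", "Plugins", "VirtualKeys",
    "UserProvisioning", "Users", "AuditLogs", "GuardrailsConfig",
    "GuardrailRules", "Cluster", "Settings", "MCPGateway", "AdaptiveRouter",
}
OPERATIONS = ("View", "Create", "Update", "Delete")


def parse_grants(lines):
    """Turn lines like '- Settings (View, Update)' into {(resource, op), ...}.

    Only names are validated; which operations each resource actually
    supports ("up to four") is not listed on the page.
    """
    grants = set()
    for line in lines:
        m = re.fullmatch(r"\s*-?\s*(\w+)\s*\(([^)]*)\)\s*", line)
        if not m:
            raise ValueError(f"unparseable grant: {line!r}")
        resource = m.group(1)
        if resource not in RESOURCES:
            raise ValueError(f"unknown resource: {resource}")
        for token in (t.strip() for t in m.group(2).split(",")):
            if token == "CRUD":            # shorthand for all four operations
                grants |= {(resource, op) for op in OPERATIONS}
            elif token in OPERATIONS:
                grants.add((resource, token))
            else:
                raise ValueError(f"unknown operation: {token!r}")
    return grants


def drift(intended, actual):
    """Return (excess, missing): grants beyond the baseline, and grants lost."""
    return sorted(actual - intended), sorted(intended - actual)


# Baselines copied from the strategies above.
AUDITOR = parse_grants(["- AuditLogs (View)", "- Logs (View)",
                        "- GuardrailsConfig (View)", "- Users (View)"])
OPS = parse_grants(["- Cluster (CRUD)", "- Observability (View)",
                    "- Logs (View)", "- Settings (View, Update)"])

# Constructed sample: what a review might find on the live "Auditor" role.
live_auditor = (AUDITOR | {("Users", "Update")}) - {("Logs", "View")}

if __name__ == "__main__":
    excess, missing = drift(AUDITOR, live_auditor)
    print("excess:", excess, "missing:", missing)
```

Any non-empty `excess` list on a role meant to be read-only is the finding to chase first, since it means the role has grown past its documented purpose.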

Integration with Identity Providers

When using Okta or Microsoft Entra for authentication, roles can be automatically assigned based on:
  • IdP Groups - Map identity provider groups to Bifrost roles
  • App Roles - Sync application roles from your IdP
  • Claims - Use custom claims to determine role assignment
Users authenticated via SSO receive their role assignments automatically on first login, with permissions synchronized on each session.

API Access

Roles and permissions can also be managed via the API:
List all roles:
curl -X GET http://localhost:8080/api/roles \
  -H "Authorization: Bearer <admin_token>"
Get role permissions:
curl -X GET http://localhost:8080/api/roles/{role_id}/permissions \
  -H "Authorization: Bearer <admin_token>"
Update role permissions:
curl -X PUT http://localhost:8080/api/roles/{role_id}/permissions \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "permission_ids": [1, 2, 3, 4, 5]
  }'
Create a custom role:
curl -X POST http://localhost:8080/api/roles \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Auditor",
    "description": "Read-only access for compliance auditing"
  }'
