Skip to content

[Agent Builder] Update agent builder RBAC docs #5313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
machadoum wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[Agent Builder] Update agent builder RBAC docs #5313

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
82dc3d3
Update agent builder RBAC docs
machadoum Feb 27, 2026
c34360a
Add version
machadoum Feb 27, 2026
5928bed
Clarify structure and language
leemthompo Feb 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 40 additions & 7 deletions explore-analyze/ai-features/agent-builder/permissions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,40 @@ This feature requires the appropriate {{stack}} [subscription](https://www.elast

### {{kib}} privileges

{{agent-builder}} access control is managed by the `agentBuilder` {{kib}} feature:
{{agent-builder}} access control is managed by the `agentBuilder` {{kib}} feature. Assign either `Read` or `All` based on what users need to do.

- "Read" access to the `agentBuilder` feature: Required to use agents, send chat messages, view tools, and access conversations.
- "All" access to the `agentBuilder` feature: Required to create, update, or delete custom agents and tools.
- "Read" access to the "Actions and Connectors" feature: Required to use AI connectors with agents.
::::{applies-switch}

:::{applies-item} { stack: ga 9.4+, serverless: ga }
#### `Read`

Required to use agents, send chat messages, view tools, and access conversations.

Instead of `All`, you can pair `Read` with individual sub-features for more granular control over what users can manage:

- `Manage agents`: Create, update, or delete custom agents.
- `Manage tools`: Create, update, or delete custom tools.

#### `All`

The broadest access level. Grants everything in `Read`, plus the ability to create, update, or delete custom agents and tools. Includes both management sub-features by default.
:::

:::{applies-item} { stack: ga 9.2-9.3 }
#### `Read`

Required to use agents, send chat messages, view tools, and access conversations.

#### `All`

The broadest access level. Grants everything in `Read`, plus the ability to create, update, or delete custom agents and tools.
:::

::::

:::{note}
If the agent uses AI connectors, also grant `Read` access to the {{connectors-feature}} feature.
:::

Learn more about [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md).

Expand Down Expand Up @@ -87,7 +116,7 @@ POST /_security/role/agent-builder-full
{
"application": "kibana-.kibana",
"privileges": [
"feature_agentBuilder.all",
"feature_agentBuilder.all", <1>
"feature_actions.read"
],
"resources": ["space:default"]
Expand All @@ -96,8 +125,12 @@ POST /_security/role/agent-builder-full
}
```

:::{tip}
For read-only access, use `feature_agentBuilder.read` instead of `feature_agentBuilder.all`.
1. For read-only access, use `feature_agentBuilder.read` instead of `feature_agentBuilder.all`. [Learn more](#kib-privileges).

:::{note}
:applies_to: {"stack": "ga 9.4+", "serverless": "ga"}

For granular access, pair `feature_agentBuilder.read` with only the sub-feature privileges needed. To learn more, refer to [Kibana privileges](#kib-privileges).
:::

### Grant access with API keys
Expand Down
Loading