
Granular RBAC: Who Controls Your Agent Governance?


MeshGuard

2026-04-29 · 3 min read

The "Everyone Is Admin" Problem

We have seen this pattern at nearly every organization we work with. The team starts small: three engineers, one MeshGuard workspace, everyone has full admin access. It works fine until it doesn't.

Then the team grows. A compliance analyst needs read access to audit logs but accidentally modifies a production policy. A junior engineer deletes an alert channel while exploring the dashboard. A contractor with full API key access leaves the company and nobody revokes the credential for weeks.

The root cause is not carelessness. It is a permissions model that offers only two modes: full access or no access. Governance platforms need the same granularity you expect from your cloud provider's IAM.

Today we are announcing granular role-based access control in MeshGuard, a five-role model designed for how teams actually operate around agent governance.

The Five-Role Model

Each role is purpose-built for a common persona in the governance workflow:

Viewer. Read-only access to agents, policies, audit logs, and dashboards. Ideal for compliance analysts, executives, and external auditors who need visibility without the ability to change anything.

Operator. Everything a Viewer can do, plus the ability to acknowledge alerts, trigger manual policy evaluations, and export reports. Designed for on-call engineers and SOC analysts who respond to incidents but should not modify governance configuration.

Author. Everything an Operator can do, plus the ability to create and edit policies, agent definitions, and alert channels. Authors can draft governance configuration, but their changes require approval from a Publisher or Admin before taking effect in production.

Publisher. Everything an Author can do, plus the ability to approve and deploy governance changes to live environments. Publishers act as the gatekeepers between drafted configuration and running policy. This role maps naturally to team leads and senior engineers.

Admin. Full workspace control, including RBAC management, workspace settings, API key administration, billing, and SSO configuration. Reserved for platform owners.

Setting It Up

Assign roles through the dashboard or via the API:

# Invite a compliance analyst with Viewer access
meshguard rbac assign \
  --email auditor@company.com \
  --role viewer \
  --workspace prod

# Promote a team lead to Publisher
meshguard rbac assign \
  --email lead@company.com \
  --role publisher \
  --workspace prod

Roles are scoped per workspace, so the same person can be an Admin in the development workspace and a Viewer in production. This lets teams experiment freely in lower environments while maintaining strict controls where it matters.

Approval Workflows

The Author and Publisher separation enables a built-in approval workflow. When an Author creates or modifies a policy, the change enters a pending state visible to Publishers. Publishers review the diff, run the change through test suites in the Policy Playground, and approve or reject it with a comment.

This workflow produces a complete audit trail: who proposed the change, who approved it, and when it was deployed. Compliance teams get the documentation they need without adding manual processes.

API Key Scoping

RBAC extends to API keys. When you generate a key, you assign it a role, and the key inherits exactly those permissions. A CI/CD pipeline that only needs to validate configurations gets a Viewer-scoped key. A Terraform pipeline that deploys changes gets a Publisher-scoped key. No key has more access than its job requires.

meshguard apikey create \
  --name "ci-validation" \
  --role viewer \
  --workspace prod
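
A least-privilege review of existing keys, as an added example (not MeshGuard's code or API): it models the five cumulative roles described above and flags keys whose assigned role is higher than the actions they actually used require. The action names and the key inventory are constructed assumptions; only the `ci-validation` key name comes from this post.

```python
# Illustrative model only: action names and key records are constructed,
# not MeshGuard's API. Role contents follow the five-role description above.
ROLE_ORDER = ["viewer", "operator", "author", "publisher", "admin"]

# Actions each role adds on top of the role below it.
ROLE_ADDS = {
    "viewer": {"read"},
    "operator": {"alert.ack", "policy.evaluate", "report.export"},
    "author": {"policy.edit", "agent.edit", "channel.edit"},
    "publisher": {"change.approve", "change.deploy"},
    "admin": {"rbac.manage", "workspace.settings", "apikey.manage",
              "billing.manage", "sso.configure"},
}


def allowed_actions(role):
    """Cumulative permission set: a role includes every role below it."""
    idx = ROLE_ORDER.index(role)
    allowed = set()
    for name in ROLE_ORDER[: idx + 1]:
        allowed |= ROLE_ADDS[name]
    return allowed


def minimal_role(actions):
    """Lowest role whose cumulative permissions cover all given actions."""
    for role in ROLE_ORDER:
        if set(actions) <= allowed_actions(role):
            return role
    raise ValueError(f"unknown action(s): {set(actions) - allowed_actions('admin')}")


def over_privileged(keys):
    """Return (name, workspace, assigned, sufficient) for keys scoped too high."""
    findings = []
    for key in keys:
        needed = minimal_role(key["used"])
        if ROLE_ORDER.index(key["role"]) > ROLE_ORDER.index(needed):
            findings.append((key["name"], key["workspace"], key["role"], needed))
    return findings


# Constructed inventory: assigned role plus actions seen in the audit log.
SAMPLE_KEYS = [
    {"name": "ci-validation", "workspace": "prod", "role": "viewer", "used": {"read"}},
    {"name": "terraform-deploy", "workspace": "prod", "role": "publisher",
     "used": {"read", "policy.edit", "change.deploy"}},
    {"name": "report-cron", "workspace": "prod", "role": "admin",
     "used": {"read", "report.export"}},
]

if __name__ == "__main__":
    for finding in over_privileged(SAMPLE_KEYS):
        print("%s (%s): assigned %s, %s is sufficient" % finding)
```

In this constructed inventory only `report-cron` is flagged: it holds an Admin-scoped key but has only read and exported reports, which an Operator-scoped key covers.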

Why This Matters

Governance is only trustworthy if the governance layer itself is governed. Unrestricted access to your policy engine is a risk multiplier: a single misconfiguration can weaken protections across your entire agent fleet. Granular RBAC ensures that the people and systems interacting with MeshGuard have exactly the permissions they need and nothing more.

RBAC is available now on all MeshGuard plans. Visit docs.meshguard.app/rbac to configure roles for your workspace.
