Role-Based Access Control
The Context Graph enforces fine-grained RBAC on all API endpoints using the ContextGraphAuthorizer. Permissions follow the IAM service resource:action pattern, and visibility levels dynamically filter response data based on the user's permission set.
Overview
RBAC ensures that users only see data appropriate to their role. A viewer sees aggregate trace outcomes, while an admin sees full reasoning text, token counts, and embedding details. The authorizer resolves the appropriate visibility level from the user's JWT-derived permissions.
Source: data-plane/ai-service/src/context_graph/security/authorization.py
Permissions
| Permission | Description |
|---|---|
| context_graph:traces:read | Read trace summaries |
| context_graph:thinking:read | Read detailed thinking steps |
| context_graph:decisions:read | Read decision outcomes |
| context_graph:patterns:read | Read discovered patterns |
| context_graph:metrics:read | Read analytics metrics |
| context_graph:embeddings:read | Read embedding vectors |
| context_graph:feedback:write | Submit feedback signals |
| context_graph:patterns:manage | Create and manage patterns |
| context_graph:admin | Full admin access |
| context_graph:export | Export data |
Visibility Levels
Permissions map to visibility levels that control response detail:
| Level | Fields Included | Required Permissions |
|---|---|---|
| SUMMARY | trace_id, status, outcome, duration, timestamps | traces:read |
| STANDARD | + session_id, actor, goal, path, cost, tags | decisions:read |
| DETAILED | + thinking steps, token counts, metadata | thinking:read |
| FULL | + API calls, embedding IDs, raw data | admin or thinking:read + embeddings:read |
Field Sets by Visibility
SUMMARY Fields
trace_id, tenant_id, status, outcome, total_duration_ms, started_at, completed_at, step_count, api_call_count
STANDARD Fields
All SUMMARY fields plus: session_id, actor_urn, goal, path_taken, model_ids_used, total_cost_usd, avg_confidence, tags
DETAILED Fields
All STANDARD fields plus: steps, total_thinking_tokens, total_input_tokens, total_output_tokens, metadata
FULL Fields
All DETAILED fields plus: api_calls, input_embedding_id, output_embedding_id, thinking_embedding_id
Sensitive Field Masking
At non-FULL visibility levels, sensitive step fields are masked:
| Field | Masked At |
|---|---|
| reasoning | SUMMARY and STANDARD |
| input_summary | SUMMARY and STANDARD |
| output_summary | SUMMARY and STANDARD |
Resolution Order
The authorizer resolves visibility level using the following priority:
1. context_graph:admin -- FULL visibility
2. context_graph:thinking:read + context_graph:embeddings:read -- FULL visibility
3. context_graph:thinking:read -- DETAILED visibility
4. context_graph:decisions:read -- STANDARD visibility
5. context_graph:traces:read -- SUMMARY visibility
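The resolution order, cumulative field sets and step masking described above can be modelled as follows. This is an added sketch for illustration, not the code in authorization.py: all names are this example's own, and two behaviours are assumptions the page does not state (a permission set that matches no rule is denied, and masked values are replaced with "***").

```python
from enum import IntEnum

# Names below are this example's own, not the project's API.
Visibility = IntEnum("Visibility", "SUMMARY STANDARD DETAILED FULL")  # 1..4
P = "context_graph:"

# Cumulative allow-lists, copied from "Field Sets by Visibility".
SUMMARY_F = {"trace_id", "tenant_id", "status", "outcome", "total_duration_ms",
             "started_at", "completed_at", "step_count", "api_call_count"}
STANDARD_F = SUMMARY_F | {"session_id", "actor_urn", "goal", "path_taken",
                          "model_ids_used", "total_cost_usd", "avg_confidence", "tags"}
DETAILED_F = STANDARD_F | {"steps", "total_thinking_tokens", "total_input_tokens",
                           "total_output_tokens", "metadata"}
FULL_F = DETAILED_F | {"api_calls", "input_embedding_id", "output_embedding_id",
                       "thinking_embedding_id"}
FIELDS = {Visibility.SUMMARY: SUMMARY_F, Visibility.STANDARD: STANDARD_F,
          Visibility.DETAILED: DETAILED_F, Visibility.FULL: FULL_F}
MASKED_STEP_FIELDS = {"reasoning", "input_summary", "output_summary"}

def resolve_visibility(perms):
    """Walk the documented priority order; the first matching rule wins."""
    perms = set(perms)
    if P + "admin" in perms:
        return Visibility.FULL
    if {P + "thinking:read", P + "embeddings:read"} <= perms:
        return Visibility.FULL
    if P + "thinking:read" in perms:
        return Visibility.DETAILED
    if P + "decisions:read" in perms:
        return Visibility.STANDARD
    if P + "traces:read" in perms:
        return Visibility.SUMMARY
    return None  # assumption: no matching read permission means deny

def mask_step(step, level):
    """Mask the sensitive step fields at SUMMARY and STANDARD ('***' is assumed)."""
    if level > Visibility.STANDARD:
        return dict(step)
    return {k: "***" if k in MASKED_STEP_FIELDS else v for k, v in step.items()}

def filter_trace(trace, level):
    """Allow-list: unknown or newly added fields are dropped, never leaked."""
    if level is None:
        raise PermissionError("no context_graph read permission")
    out = {k: v for k, v in trace.items() if k in FIELDS[level]}
    if "steps" in out:
        out["steps"] = [mask_step(s, level) for s in out["steps"]]
    return out
```

Under the documented order, context_graph:embeddings:read raises visibility only in combination with context_graph:thinking:read; on its own it matches no rule.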
Usage in API Endpoints
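```python
from context_graph.security.authorization import get_context_graph_authorizer

authorizer = get_context_graph_authorizer()

# user_permissions: the caller's JWT-derived permission set
visibility = authorizer.get_visibility_level(user_permissions)

# trace_data: the trace record to return; fields above the caller's level are filtered out
filtered_response = authorizer.filter_trace_response(trace_data, visibility)
```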