Roles and permissions for AgentFlow Unstructured
Learn more about the roles and permissions that control access to templates, sources, pipelines, and batch runs in AgentFlow Unstructured.
AgentFlow Unstructured uses role-based access control to manage user permissions across the various components of the feature. Access is assigned by role and determines whether a user can create extraction templates, manage document sources, configure pipelines, run batch jobs, and review processing results.
Access areas
The following table describes the main access areas in AgentFlow Unstructured.
| Area | What it covers |
|---|---|
| Templates | Extraction template design, including parsing, extraction, mapping, schema browsing, and defining the target Reltio tenant for data creation |
| Sources | Document source connections, including Amazon S3 and Google Cloud Storage, file access, and connection testing |
| Pipelines | Pipeline configuration, scheduling, and pipeline settings |
| Batch runs | Pipeline execution, monitoring, document processing status, and extracted entity review |
Permission types
The following table describes the permissions used across AgentFlow Unstructured resources.
| Permission | Meaning |
|---|---|
| Create | Create a new template, source, pipeline, or batch run |
| Read | View configurations, runs, and results |
| Update | Modify an existing configuration or re-execute a pipeline |
| Delete | Remove a configuration |
| Execute | Perform an action such as testing a source connection or running a pipeline for document processing |
Role access matrix
The following table summarizes the customer-facing roles for AgentFlow Unstructured.
| Role | Templates | Sources | Pipelines | Batch runs |
|---|---|---|---|---|
| ROLE_ADMIN_AFU | Full access | Full access | Full access | Full access |
| ROLE_AFU_DOCAI_ADMIN | Full access | No access | Full access | Full access |
| ROLE_AFU_TEMPLATE_DESIGNER | Full access | Read-only | No access | No access |
| ROLE_AFU_PIPELINE_MANAGER | No access | Read-only | Full access | No access |
| ROLE_AFU_PIPELINE_OPERATOR | No access | Read-only | No access | Create, read, update, and execute |
| ROLE_AFU_SOURCE_MANAGER | No access | Full access | No access | No access |
| ROLE_AFU_PIPELINE_VIEWER | Read-only | No access | Read-only | Read-only |
| ROLE_AFU_VIEWER | Read-only | Read-only | Read-only | Read-only |
Role access details
The following table describes access behavior for specific AgentFlow Unstructured roles.
| Role or area | Access behavior |
|---|---|
| ROLE_ADMIN_AFU | Applies to customer-facing AgentFlow Unstructured resources only |
| ROLE_AFU_TEMPLATE_DESIGNER | Includes read access to sources so template authors can review source configurations while working with sample documents |
| ROLE_AFU_PIPELINE_MANAGER | Includes read access to sources so pipeline configurators can select and review source configurations |
| ROLE_AFU_PIPELINE_OPERATOR | Includes read access to sources so operators can review the source used by a batch run |
| ROLE_AFU_PIPELINE_OPERATOR | Does not include delete access for batch run history |
| ROLE_AFU_PIPELINE_VIEWER | Can view templates, pipelines, and batch runs, but cannot view sources |
| ROLE_AFU_VIEWER | Provides read-only access across customer-facing AgentFlow Unstructured resources |
Common role assignments
The following table lists common role combinations for typical users.
| Persona | Assigned roles |
|---|---|
| Tenant admin | ROLE_ADMIN_AFU |
| Data engineer | ROLE_AFU_DOCAI_ADMIN + ROLE_AFU_SOURCE_MANAGER |
| Template author | ROLE_AFU_TEMPLATE_DESIGNER |
| Pipeline configurator | ROLE_AFU_PIPELINE_MANAGER + ROLE_AFU_SOURCE_MANAGER |
| Operations user | ROLE_AFU_PIPELINE_OPERATOR + ROLE_AFU_PIPELINE_VIEWER |
| Auditor or stakeholder | ROLE_AFU_VIEWER |
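The persona combinations above can be checked against the role access matrix during an access review. The following Python is an added example, not Reltio code: it assumes that multiple roles combine as a union of their permissions and that "Full access" means all five permission types (neither is stated on this page), and its function names are hypothetical.

```python
# Added example: effective access for combined AgentFlow Unstructured roles.
# Assumptions (not stated on the page): roles are additive (union) and
# "Full access" expands to all five permission types.
AREAS = ("templates", "sources", "pipelines", "batch_runs")
FULL = frozenset({"create", "read", "update", "delete", "execute"})
READ = frozenset({"read"})
NONE = frozenset()
OPERATE = frozenset({"create", "read", "update", "execute"})  # operator: no delete

# Role access matrix transcribed from the page, values in AREAS order.
ROLE_MATRIX = {
    "ROLE_ADMIN_AFU":             (FULL, FULL, FULL, FULL),
    "ROLE_AFU_DOCAI_ADMIN":       (FULL, NONE, FULL, FULL),
    "ROLE_AFU_TEMPLATE_DESIGNER": (FULL, READ, NONE, NONE),
    "ROLE_AFU_PIPELINE_MANAGER":  (NONE, READ, FULL, NONE),
    "ROLE_AFU_PIPELINE_OPERATOR": (NONE, READ, NONE, OPERATE),
    "ROLE_AFU_SOURCE_MANAGER":    (NONE, FULL, NONE, NONE),
    "ROLE_AFU_PIPELINE_VIEWER":   (READ, NONE, READ, READ),
    "ROLE_AFU_VIEWER":            (READ, READ, READ, READ),
}

def effective_access(roles):
    """Union the per-area permissions of every assigned role."""
    merged = {area: set() for area in AREAS}
    for role in roles:
        # An unknown role name raises KeyError instead of being ignored.
        for area, perms in zip(AREAS, ROLE_MATRIX[role]):
            merged[area] |= perms
    return {area: frozenset(perms) for area, perms in merged.items()}

def redundant_roles(roles):
    """Roles whose removal leaves the effective access unchanged."""
    roles = list(roles)
    total = effective_access(roles)
    return [r for r in roles
            if effective_access([x for x in roles if x != r]) == total]

def admin_equivalent(roles):
    """True when a combination matches ROLE_ADMIN_AFU in all four areas."""
    return effective_access(roles) == effective_access(["ROLE_ADMIN_AFU"])

if __name__ == "__main__":
    # Constructed sample: two personas from the page's persona table.
    data_engineer = ["ROLE_AFU_DOCAI_ADMIN", "ROLE_AFU_SOURCE_MANAGER"]
    operations = ["ROLE_AFU_PIPELINE_OPERATOR", "ROLE_AFU_PIPELINE_VIEWER"]
    print("data engineer admin-equivalent:", admin_equivalent(data_engineer))
    print("operations batch runs:", sorted(effective_access(operations)["batch_runs"]))
```

Under these assumptions, the Data engineer combination reaches the same access as ROLE_ADMIN_AFU in the four matrix areas, which is worth knowing when the review is looking for admin-level accounts.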
Assigning roles and tenants to users
Use the User Management application in Console to assign AgentFlow Unstructured roles to users. User Management lets you create user accounts, assign roles, and assign tenant access.
For a new user, create the new user account, select the AgentFlow Unstructured roles, and then assign the relevant AgentFlow Unstructured tenant or tenants.
For an existing user, edit the user account and then update the assigned AgentFlow Unstructured roles and AgentFlow Unstructured tenant access on the Edit user page.