Roles and Permissions Reference
Every Redpanda ADP API call enforces a single permission. This reference lists every ADP-namespaced permission, the operation it gates, and which built-in role grants it.
Use this reference to:
- Look up an ADP permission by namespace
- Find which built-in role grants a specific permission
- Identify the operation each permission gates
For an explanation of how permissions, roles, and role bindings fit together, see Control Who Can Do What.
How to read this reference
Each table column means the same thing across every namespace.
- The Permission column is the exact string the API enforces. Use it in custom-role definitions and role bindings.
- The Operation column is the user-facing action this permission gates.
- The Writer, Reader, and Invoker columns indicate with a check mark whether the built-in role grants this permission. The Invoker column instead names which Invoker sub-role (when applicable) grants the permission.
The Admin role grants every permission and is omitted from individual rows for brevity. Permissions that only resolve on ADP-enabled clusters carry no separate mark; the gating is automatic.
The transcript namespace adds a TranscriptReader column in place of the Invoker column. Those permissions are granted by a dedicated role, not by the general-purpose Writer and Reader roles.
MCP server permissions
The dataplane_adp_mcpserver_* permissions gate both server management (CRUD) and the MCP protocol calls a client makes against a running server.
| Permission | Operation | Writer | Reader | Invoker |
|---|---|---|---|---|
| | Register a new MCP server | ✓ | | |
| | Modify an existing MCP server’s configuration | ✓ | | |
| | Delete an MCP server | ✓ | | |
| | View one MCP server’s configuration | ✓ | ✓ | |
| | List MCP servers | ✓ | ✓ | |
| | Initialize an MCP session against a server | ✓ | ✓ | MCPInvoker |
| | Health-check an MCP server | ✓ | ✓ | MCPInvoker |
| | List resources a server exposes | ✓ | ✓ | MCPInvoker |
| | List resource templates a server exposes | ✓ | ✓ | MCPInvoker |
| | Read a resource from a server | ✓ | ✓ | MCPInvoker |
| | List prompts a server exposes | ✓ | ✓ | MCPInvoker |
| | Retrieve a prompt from a server | ✓ | ✓ | MCPInvoker |
| | List tools a server exposes | ✓ | ✓ | MCPInvoker |
| | Invoke a tool on an MCP server | ✓ | | MCPInvoker |
| | Adjust an MCP server’s log level | ✓ | | |
A legacy dataplane_mcpserver_* namespace mirrors these permissions and is still enforced by older proto versions. The Writer and Reader built-in roles include both namespaces, so existing role bindings continue to work without modification.
LLM provider permissions
The dataplane_adp_llmprovider_* permissions gate AI Gateway provider configuration and the runtime proxy that forwards LLM requests upstream.
| Permission | Operation | Writer | Reader | Invoker |
|---|---|---|---|---|
| | Create an LLM provider | ✓ | | |
| | View one LLM provider’s configuration | ✓ | ✓ | |
| | List LLM providers | ✓ | ✓ | |
| | Modify an LLM provider’s configuration | ✓ | | |
| | Delete an LLM provider | ✓ | | |
| | Proxy LLM requests through AI Gateway at runtime | ✓ | | LLMProviderInvoker |
Agent management permissions
The dataplane_adp_agent_* permissions gate declarative agent configuration.
| Permission | Operation | Writer | Reader |
|---|---|---|---|
| | Create a declarative agent | ✓ | |
| | View one agent’s configuration | ✓ | ✓ |
| | List agents | ✓ | ✓ |
| | Modify an agent’s configuration | ✓ | |
| | Delete an agent | ✓ | |
Agent credential permissions
The dataplane_adp_agent_credential_* permissions gate the OIDC client credentials an agent uses for outbound calls.
| Permission | Operation | Writer | Reader |
|---|---|---|---|
| | Issue a new OIDC client credential for an agent | ✓ | |
| | List an agent’s credentials | ✓ | ✓ |
| | Revoke an agent credential | ✓ | |
Agent trigger permissions
The dataplane_adp_agent_trigger_* permissions gate triggers that start an agent in response to an external event, such as an incoming message or a schedule. See Trigger Agents from External Channels.
| Permission | Operation | Writer | Reader |
|---|---|---|---|
| | Create a trigger on an agent | ✓ | |
| | View a trigger on an agent | ✓ | ✓ |
| | List triggers on agents | ✓ | ✓ |
| | Modify a trigger on an agent | ✓ | |
| | Delete a trigger on an agent | ✓ | |
A further dataplane_adp_agent_trigger_report_health permission lets internal trigger observers report trigger health. No tenant-facing role grants it.
Transcript permissions
The dataplane_adp_transcript_* permissions gate read access to agent conversation transcripts. Because transcripts carry the full content of an agent’s conversations (system prompts, user messages, tool arguments, and model output), these permissions stay out of the broad Writer and Reader defaults. Only the dedicated TranscriptReader role and Admin grant them. What a transcript records is described in See What Your Agent Did.
| Permission | Operation | Writer | Reader | TranscriptReader |
|---|---|---|---|---|
| | View a single agent conversation transcript | | | ✓ |
| | List agent conversation transcripts | | | ✓ |
Transcript access is no longer bundled with agent read access. A principal that can view an agent’s configuration through |
Spending permissions
The dataplane_adp_spending_* permissions gate the governance APIs that surface AI spend, request counts, and token volume. See Set Up Budgets for what spending data ADP records automatically.
| Permission | Operation | Writer | Reader |
|---|---|---|---|
| | Read AI spending data for governance and cost reports | ✓ | ✓ |
Budget permissions
The dataplane_adp_budget_* permissions gate per-agent LLM spend budgets. See Set a budget.
| Permission | Operation | Writer | Reader |
|---|---|---|---|
| | Create a budget | ✓ | |
| | View a budget and its current-period spend | ✓ | ✓ |
| | List budgets | ✓ | ✓ |
| | Modify a budget | ✓ | |
| | Delete a budget | ✓ | |
Guardrail permissions
The dataplane_adp_guardrail_* permissions gate guardrail policies that screen LLM requests and responses. See How Guardrails Work.
| Permission | Operation | Writer | Reader |
|---|---|---|---|
| | Create a guardrail policy | ✓ | |
| | View one guardrail policy’s configuration | ✓ | ✓ |
| | List guardrail policies | ✓ | ✓ |
| | Modify a guardrail policy | ✓ | |
| | Delete a guardrail policy | ✓ | |
A2A runtime permissions
The dataplane_aiagent_a2a_* permissions, along with dataplane_adp_a2a_invoke, gate agent-to-agent (A2A) runtime traffic. The AIAgentInvoker built-in role grants every A2A permission.
| Permission | Operation | Writer | Reader | Invoker |
|---|---|---|---|---|
| | Invoke an A2A agent | ✓ | | AIAgentInvoker |
| | Send a message to an agent | ✓ | | AIAgentInvoker |
| | Open a streaming message connection to an agent | ✓ | | AIAgentInvoker |
| | Read one A2A task | ✓ | ✓ | AIAgentInvoker |
| | List A2A tasks | ✓ | ✓ | AIAgentInvoker |
| | Cancel an A2A task | ✓ | | AIAgentInvoker |
| | Subscribe to A2A task events | ✓ | | AIAgentInvoker |
| | Read an agent’s extended agent card | ✓ | ✓ | AIAgentInvoker |
Pipeline permissions
The dataplane_pipeline_* permissions gate Redpanda Connect pipelines used by ADP for ingestion and transformation. The PipelineInvoker role grants only the runtime invocation permissions.
| Permission | Operation | Writer | Reader | Invoker |
|---|---|---|---|---|
| | Create a pipeline | ✓ | | |
| | View one pipeline’s configuration | ✓ | ✓ | |
| | List pipelines | ✓ | ✓ | |
| | Modify a pipeline’s configuration | ✓ | | |
| | Delete a pipeline | ✓ | | |
| | Start a stopped pipeline | ✓ | | |
| | Stop a running pipeline | ✓ | | |
| | Invoke a pipeline through the gateway endpoint | ✓ | | PipelineInvoker |
| | Send OTLP traces to a pipeline over gRPC | ✓ | | PipelineInvoker |
| | Send OTLP traces to a pipeline over HTTP | ✓ | | PipelineInvoker |
Knowledge base permissions
The dataplane_knowledgebase_* permissions gate retrieval-augmented generation (RAG) knowledge bases.
| Permission | Operation | Writer | Reader |
|---|---|---|---|
| | Create a knowledge base | ✓ | |
| | View one knowledge base’s configuration | ✓ | ✓ |
| | List knowledge bases | ✓ | ✓ |
| | Modify a knowledge base’s configuration | ✓ | |
| | Delete a knowledge base | ✓ | |
Built-in roles summary
| Role | Use case |
|---|---|
| Admin | Cluster operators who configure providers, agents, MCP servers, pricing, and IAM. Grants every permission. |
| Writer | Developers who build and modify ADP resources. Grants full CRUD on every ADP-namespaced API plus pipeline and knowledge-base management. |
| Reader | Auditors and evaluators who need visibility without mutation rights. Grants |
| TranscriptReader | Users and service accounts that read agent conversation transcripts. Grants |
| AIAgentInvoker | Service accounts that send messages to agents over A2A without managing them. |
| MCPInvoker | Service accounts that call MCP tools and read MCP resources without managing the servers. |
| LLMProviderInvoker | Applications that proxy LLM requests through AI Gateway. Grants only |
| PipelineInvoker | Clients that produce telemetry or send data into Connect pipelines without managing them. |
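The role model above can be checked mechanically when reviewing role bindings. The following Python script is an added example and is not Redpanda code or part of this reference. It transcribes a sample of the built-in role grants from the tables on this page, then models the API check (one call, one permission), reports the permissions a binding grants beyond what a workload actually needs, and searches for the smallest combination of built-in roles that covers a required set with the fewest extra grants. The permission strings are placeholders assembled from the namespace prefixes on this page (only dataplane_adp_a2a_invoke is spelled out here), and the SENSITIVE set is this author's choice of what to flag in a review; substitute the exact strings from the Permission column before using it against a real cluster.

```python
"""Least-privilege review helpers for the ADP built-in role model.

Added example, not Redpanda code. Role scopes follow the tables on this page
for the sampled permissions; permission name suffixes are ASSUMED placeholders.
"""
from __future__ import annotations

from itertools import combinations
from typing import Iterable

# Placeholder permission names: real namespace prefix + assumed suffix.
MCP_REGISTER = "dataplane_adp_mcpserver_create"              # assumed suffix
MCP_GET = "dataplane_adp_mcpserver_get"                      # assumed suffix
MCP_LIST = "dataplane_adp_mcpserver_list"                    # assumed suffix
MCP_LIST_TOOLS = "dataplane_adp_mcpserver_list_tools"        # assumed suffix
MCP_CALL_TOOL = "dataplane_adp_mcpserver_call_tool"          # assumed suffix
MCP_SET_LOG_LEVEL = "dataplane_adp_mcpserver_set_log_level"  # assumed suffix
LLM_PROXY = "dataplane_adp_llmprovider_proxy"                # assumed suffix
AGENT_GET = "dataplane_adp_agent_get"                        # assumed suffix
TRANSCRIPT_GET = "dataplane_adp_transcript_get"              # assumed suffix
A2A_INVOKE = "dataplane_adp_a2a_invoke"                      # named on this page

# Built-in role -> granted permissions, transcribed from the tables for this
# sample. Admin grants everything, so it is derived rather than listed.
ROLES: dict[str, frozenset[str]] = {
    "Writer": frozenset({MCP_REGISTER, MCP_GET, MCP_LIST, MCP_LIST_TOOLS,
                         MCP_CALL_TOOL, MCP_SET_LOG_LEVEL, LLM_PROXY,
                         AGENT_GET, A2A_INVOKE}),
    "Reader": frozenset({MCP_GET, MCP_LIST, MCP_LIST_TOOLS, AGENT_GET}),
    "TranscriptReader": frozenset({TRANSCRIPT_GET}),
    "MCPInvoker": frozenset({MCP_LIST_TOOLS, MCP_CALL_TOOL}),
    "LLMProviderInvoker": frozenset({LLM_PROXY}),
    "AIAgentInvoker": frozenset({A2A_INVOKE}),
}
ROLES["Admin"] = frozenset().union(*ROLES.values())

# Grants worth calling out when they show up unrequested (reviewer's choice).
SENSITIVE = frozenset({TRANSCRIPT_GET, MCP_CALL_TOOL, MCP_REGISTER,
                       LLM_PROXY, A2A_INVOKE})


def effective_permissions(roles: Iterable[str]) -> frozenset[str]:
    """Union of everything the bound roles grant. Unknown roles raise KeyError."""
    return frozenset().union(*(ROLES[r] for r in roles))


def authorize(roles: Iterable[str], permission: str) -> bool:
    """Model of the API check: each call enforces exactly one permission."""
    return permission in effective_permissions(roles)


def excess_grants(roles: Iterable[str], required: Iterable[str]) -> dict[str, list[str]]:
    """Permissions a binding grants beyond what the workload needs, sensitive first."""
    extra = effective_permissions(roles) - frozenset(required)
    return {"sensitive": sorted(extra & SENSITIVE), "other": sorted(extra - SENSITIVE)}


def minimal_role_set(required: Iterable[str]) -> tuple[str, ...]:
    """Smallest built-in role combination covering `required` with the fewest
    extra permissions. Exhaustive search: 7 roles, 127 non-empty subsets."""
    need = frozenset(required)
    unknown = need - ROLES["Admin"]
    if unknown:
        raise ValueError(f"not a known permission: {sorted(unknown)}")
    best: tuple[str, ...] | None = None
    best_key = None
    names = sorted(ROLES)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            granted = effective_permissions(combo)
            if not need <= granted:
                continue
            key = (len(granted - need), len(combo), combo)
            if best_key is None or key < best_key:
                best, best_key = combo, key
    assert best is not None  # Admin alone always covers a known permission set
    return best


if __name__ == "__main__":
    # A tool-calling client bound to Writer "because it worked" vs. least privilege.
    needs = {MCP_LIST_TOOLS, MCP_CALL_TOOL}
    print("Writer excess:", excess_grants(["Writer"], needs))
    print("Minimal roles:", minimal_role_set(needs))
    # Transcript access is not implied by agent read access.
    print("Reader can read transcripts:", authorize(["Reader"], TRANSCRIPT_GET))
    print("Auditor roles:", minimal_role_set({AGENT_GET, TRANSCRIPT_GET}))
```

Running it shows that a tool-calling client needs only MCPInvoker, that binding Writer instead also hands it server registration, the LLM proxy, and A2A invocation, and that an auditor who must read both agent configuration and transcripts needs Reader plus TranscriptReader because no combination of Writer and Reader yields transcript access.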