
Security & Governance

Role-based access control, Docker isolation, and granular permission management for AI agents

The Problem: Unrestricted AI Agent Access

AI agents with unrestricted access create security risks:

❌ Without Security Controls:
• All agents have full read/write/execute permissions
• No distinction between testing agents and production agents
• Agents run on the host system with unrestricted file access
• No audit trail of what agents did or which tools they used
• MCP tools available to all agents regardless of task needs

Agiflow addresses these risks with role-based permissions, Docker sandbox isolation, and API key scoping.

Implemented Security Features

Role-Based Access Control (RBAC)

Organization members and API keys are assigned roles with specific permission sets. Roles control access to projects, agents, sessions, billing, and organization settings.

Available Roles

Owner (Full Control)

All permissions including organization deletion, member management, billing, and security settings

Admin (Administrative Access)

Manage projects, agents, sessions, API keys. Limited billing access. Cannot delete organization.

Member (Standard User)

Create/update projects, execute agents, manage own sessions and API keys. Read-only org and billing.

Agent (AI Agent Member)

Minimal permissions: Read projects, execute agents, manage sessions. For AI agent members only.

Permission Categories

Each category lists the actions a role or API key can be granted on it:

  • Organization: read, update, delete, create
  • Members: read, invite, update, delete
  • Projects: read, create, update, delete, archive
  • Agents: read, execute, create, update, delete
  • Sessions: read, create, update, delete, control
  • API Keys: read, create, update, delete

Docker Sandbox Isolation

Agents run in isolated Docker containers with restricted file system access, resource limits, and optional network isolation. Launched via agent-cli claude --docker.

# Launch agent in sandboxed Docker container
agent-cli claude --docker --agent-session-id task-123
# Specify custom Docker image
agent-cli claude --docker --docker-image custom-agent:latest

Sandbox Features

  • Isolated File System: Working directory mounted at /workspace, host files inaccessible
  • Credential Mounting: SSH keys (read-only), Claude credentials, git config
  • Package Manager Caching: Named volumes for pnpm, npm, node-gyp to improve performance
  • Network Modes: Configurable via VITE_AGENT_CLI_DOCKER_NETWORK
  • Automatic Cleanup: Containers terminated gracefully on exit (SIGTERM → SIGKILL after 3s)

API Key Permission Scoping

API keys can be scoped to specific permission sets for CI/CD, agent execution, or read-only access. Predefined permission groups are available for common use cases.

Permission Groups

Read Only

Read access to all resources (org, projects, agents, sessions)

Agent Execution

Execute agents, manage sessions, read projects. For daemon and automation.

Project Management

Full project access, agent execution, session management

Admin Access

Manage org, members, projects, agents. No billing or organization deletion.
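As an added example (not Agiflow's own code), the following TypeScript models the roles, permission categories and API key permission groups described above as one authorization check. The "category:action" permission string format, the billing actions, and the rule that an API key's group can only narrow its creator's role are assumptions of this example.

```typescript
// Added example, not Agiflow's own code. Permission string format, the billing
// actions, and the "key group intersected with creator's role" rule are assumptions.
const CATEGORIES: Record<string, string[]> = {
  organization: ["read", "update", "delete", "create"],
  members: ["read", "invite", "update", "delete"],
  projects: ["read", "create", "update", "delete", "archive"],
  agents: ["read", "execute", "create", "update", "delete"],
  sessions: ["read", "create", "update", "delete", "control"],
  apikeys: ["read", "create", "update", "delete"],
  billing: ["read", "update"], // assumed: the page names billing but lists no actions
};
// cat("projects") -> all project permissions; cat("projects", "read") -> just that one
const cat = (c: string, ...only: string[]) =>
  CATEGORIES[c].filter(a => only.length === 0 || only.includes(a)).map(a => `${c}:${a}`);
const ALL = Object.keys(CATEGORIES).flatMap(c => cat(c));
export type Role = "Owner" | "Admin" | "Member" | "Agent";
export const ROLE_PERMISSIONS: Record<Role, Set<string>> = {
  Owner: new Set(ALL),
  Admin: new Set([...cat("organization", "read", "update"), ...cat("members"), ...cat("projects"),
    ...cat("agents"), ...cat("sessions"), ...cat("apikeys"), "billing:read"]),
  Member: new Set([...cat("organization", "read"), "billing:read", ...cat("projects", "read", "create", "update"),
    ...cat("agents", "read", "execute"), ...cat("sessions"), ...cat("apikeys")]),
  Agent: new Set([...cat("projects", "read"), "agents:execute", ...cat("sessions")]),
};
// Predefined API key permission groups from the "API Key Permission Scoping" section.
export type KeyGroup = "ReadOnly" | "AgentExecution" | "ProjectManagement" | "AdminAccess";
export const KEY_GROUPS: Record<KeyGroup, Set<string>> = {
  ReadOnly: new Set(ALL.filter(p => p.endsWith(":read"))),
  AgentExecution: new Set(["agents:execute", ...cat("sessions"), "projects:read"]),
  ProjectManagement: new Set([...cat("projects"), "agents:execute", ...cat("sessions")]),
  AdminAccess: new Set([...cat("organization", "read", "update"), ...cat("members"), ...cat("projects"), ...cat("agents")]),
};
export type Principal =
  | { kind: "member"; id: string; role: Role }
  | { kind: "apikey"; ownerId: string; ownerRole: Role; group: KeyGroup };
// Returns true when `principal` may perform `permission` (e.g. "sessions:control").
// Members may only manage their *own* sessions and API keys, so non-read actions in
// those categories additionally require the resource's ownerId to match the actor.
export function authorize(principal: Principal, permission: string, resourceOwnerId?: string): boolean {
  const role = principal.kind === "member" ? principal.role : principal.ownerRole;
  const actorId = principal.kind === "member" ? principal.id : principal.ownerId;
  let allowed = ROLE_PERMISSIONS[role].has(permission);
  if (principal.kind === "apikey") allowed = allowed && KEY_GROUPS[principal.group].has(permission);
  if (!allowed) return false;
  const [category, action] = permission.split(":");
  if (role === "Member" && ["sessions", "apikeys"].includes(category) && action !== "read")
    return resourceOwnerId === actorId;
  return true;
}
```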

Upcoming Features (Future)

Per-Agent MCP Tool Proxying

Configure which MCP tools each agent can access. The backend will proxy tool calls and enforce restrictions. Example: a backend agent gets database tools, while a frontend agent gets only UI component tools.

Resource Quotas for Docker Containers

Configurable CPU and memory limits per agent session. Prevent resource exhaustion and ensure fair resource allocation across multiple agents.

Audit Logging for Agent Actions

Comprehensive audit trail of all agent tool usage, file modifications, and command executions. Queryable via API for compliance and debugging.

Network Isolation Policies

Whitelist/blacklist network access per agent. Restrict agents to internal services only or allow external API calls based on task requirements.
