Overview

To control access in your organization, you manage three layers:
  • Authentication, which verifies the identity of a user or service account by using identity providers or API keys.
  • Authorization, which determines what authenticated identities can do by using role-based access control (RBAC).
  • Configuration, which determines what agents can do at runtime based on the intersection of agent configuration and user permissions.

Authentication

Before Poolside grants access, it verifies the identity of the user or service account making the request. You can authenticate users through your identity provider and authenticate service accounts with API keys. Authentication verifies who is making a request, but it does not grant access on its own. The authorization layer handles all access decisions. For more information, see Users, User provisioning, Identity Management API, and API keys.

Authorization

After a user or service account authenticates, authorization determines what it can do in your organization. Poolside uses a role-based access control (RBAC) model with the following components:
  • Users represent individual people or service accounts.
  • Teams group users and act as the primary unit for access assignment.
  • Roles define sets of permissions.
  • Permissions grant specific actions on defined resources, such as agents or repositories.
You do not assign permissions directly to users or service accounts. Instead, you assign roles to teams, and identities inherit permissions through their team memberships. For more information, see Roles, Teams, and Users.

Key characteristics

  • Least privilege: Roles have no permissions by default and grant access only when explicitly configured.
  • Combined access: Users who belong to multiple teams receive the combined permissions of all assigned roles.
  • Resource scope: Permissions can apply to entire resource types or to specific resource instances.

Configuration

Configuration determines what agents can do at runtime. Agent configuration specifies potential capabilities, such as which tools an agent can invoke or which resources it can interact with. User permissions define what the person running the agent can access.
At runtime, Poolside enforces the intersection of agent configuration and user permissions. An agent cannot perform actions outside the user’s authorized scope, even if the agent is configured with broader capabilities. This lets you define powerful agent behaviors while maintaining strict security boundaries.
For more information, see Managed agents.
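
The following added example (not Poolside's code or API) models the rules from the Authorization and Configuration sections: roles start empty, a user's access is the union of the roles on all of their teams, and a runtime action is allowed only if both the agent configuration and the user's permissions cover it. The tuple encoding of a permission, the use of the same encoding for agent configuration, and all names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed encoding: a permission is (action, resource_type, instance);
# instance "*" means the whole resource type, anything else one specific instance.

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)  # least privilege: empty by default

def covers(granted, requested):
    """True if a granted permission covers the requested one (honours resource scope)."""
    g_action, g_type, g_inst = granted
    r_action, r_type, r_inst = requested
    return g_action == r_action and g_type == r_type and g_inst in ("*", r_inst)

def user_permissions(user, team_members, team_roles):
    """Combined access: union over every role on every team the user belongs to."""
    perms = set()
    for team, members in team_members.items():
        if user in members:
            for role in team_roles.get(team, []):
                perms |= role.permissions
    return perms

def runtime_allowed(requested, agent_capabilities, user_perms):
    """Intersection: the agent must be configured for it AND the user must be authorized."""
    in_agent = any(covers(c, requested) for c in agent_capabilities)
    in_user = any(covers(p, requested) for p in user_perms)
    return in_agent and in_user

# Constructed sample data (hypothetical roles, teams, and users).
REPO_READER = Role("repo-reader", {("read", "repository", "*")})
PAYMENTS_WRITER = Role("payments-writer", {("write", "repository", "payments")})
NEW_ROLE = Role("new-role")  # created but not yet configured
TEAM_ROLES = {"platform": [REPO_READER], "payments": [PAYMENTS_WRITER], "interns": [NEW_ROLE]}
TEAM_MEMBERS = {"platform": {"alice", "bob"}, "payments": {"alice"}, "interns": {"carol"}}
BROAD_AGENT = {("read", "repository", "*"), ("write", "repository", "*")}
READ_ONLY_AGENT = {("read", "repository", "*")}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        perms = user_permissions(user, TEAM_MEMBERS, TEAM_ROLES)
        for action, repo in (("read", "billing"), ("write", "payments"), ("write", "billing")):
            ok = runtime_allowed((action, "repository", repo), BROAD_AGENT, perms)
            print(f"{user:6} {action:5} {repo:9} -> {'allow' if ok else 'deny'}")
```

With the broad agent, only alice can write to `payments`, and nobody can write to `billing`, because no role grants it regardless of what the agent is configured to do.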

Set up organization access

Use the following steps to configure access for your organization:
  1. Create roles with the required permissions. See Roles.
  2. Create teams and assign roles to them. See Teams.
  3. Add users to teams, configure automated user provisioning with System for Cross-domain Identity Management (SCIM), or use the Identity Management API to sync team membership from another system. See Users or User provisioning.