Abstract

Flat role-based access control — admin / user / viewer — does not scale to a platform hosting many independently-developed domains (CRM, communications, finance, documents, AI personas) that appear and disappear at runtime and share resources across domain boundaries. Hardcoding a capability map forces a code deploy for every new permission; scattering per-domain access-control lists duplicates safety-critical logic and drifts. This publication describes a resource-provider RBAC model for AI-agent platforms in which each domain module registers its own resource catalogue at boot — resource types, each with a set of actions and a schema — into a central registry. Every permission is a tuple domain:resourceType:action. Roles are sets of permission patterns with * wildcards (crm:*:*, *:*:read). Role assignments bind a principal — user, group, API token, or AI persona — to a role at a scope path in a resource hierarchy. Authorization is resolved by walking the scope path from the queried node toward the root, unioning the permission patterns of all assignments encountered, expanding role-template {scope} placeholders against the assignment scope, and testing the requested tuple against the union with three-axis wildcard matching. The defining property is the resolver-invariant registration contract: adding a domain, a resource type, or an action requires no change to the resolver, the schema, the roles, or any deploy. We present architecture, a state-machine and data-flow view, a full relational data model, a worked cross-domain sharing example with a sequence diagram, a STRIDE-style threat model, semantic alignment to NIST RBAC, XACML, Google Zanzibar and Azure Resource Manager, an evaluation methodology, a clean-room Node.js reference implementation that reduces the method to practice, and one independent plus sixteen dependent claims. The publication is intentionally public to bar later patenting by others.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Download

Share

COinS