Skip to main content

Overview

Genesis Data Agents provides enterprise-grade security controls through a multi-layered approach to access management. Administrators can control what users can see, which agents they can interact with, and what actions agents can perform on behalf of users.

Users and Roles Management

The Users and Roles Management interface provides a centralized location for managing all security configurations. Access this through the Genesis UI sidebar under Config → Users & Roles.

Key Features

User Management

View and manage user roles and permissions across your organization

Role Definitions

Create and customize roles with granular permission controls

Agent Access

Control which agents users can interact with based on their roles

Tool Access

Manage which tools are available to different roles

Role Configuration

Editing Roles

When editing a role, you’ll have access to four main configuration sections:
Name: The role identifier (e.g., “admin”, “user”, “data_analyst”)Description: A clear explanation of the role’s purpose and intended users
Controls what users with this role can access within the Genesis UI, including:
  • access_config_panel: Access to configuration panel
  • access_pulse_panel: Access to monitoring panel
  • manage_users: Manage users and roles
  • manage_agents: Create/update/delete agents
  • manage_connections: Manage database connections
  • manage_secrets: Manage secrets and credentials
  • view_all_threads: View all chat threads
  • view_all_secrets: View all secrets
Specify which data agent that users with this role can interact with.

You can:
  • Grant access to specific agents by selecting them individually
  • Restrict access by leaving agents unselected
  • Update agent access as your organization’s needs evolve
Control which secrets stored in the Genesis Secret Vault are accessible to this role. This ensures sensitive credentials are only available to authorized users.
Define which tools agents can use when acting on behalf of users with this role.
By default, all tools are allowed for backward compatibility. Administrators should review and restrict tool access based on security requirements.
Configuration Options:
  • Select specific tools to allow
  • Use “Select All” and then remove specific tools to create an allowlist
  • Remove tool access entirely to create the most restrictive permissions

Three-Layer Tool Control System

Genesis implements a sophisticated three-layer approach to tool access control, providing defense-in-depth security:

Layer 1: Tool Configuration (Agent Toolbox)

An agent must have a tool in its toolbox to use it. This is the foundational layer of tool access.
How it works:
  • Each agent has a configured set of tools available in its toolbox
  • By default, agents can add tools to themselves dynamically as needed
  • Administrators can disable the “Allow Agents to Add Tools to Itself” setting to prevent self-service tool addition
Use Case: Limit agent capabilities at the agent definition level, ensuring agents only have tools relevant to their purpose.

Layer 2: RBAC Tool Usage Control (Primary Access Control)

This is the main access control layer. Both the agent AND the user must have roles that allow access to a tool for it to be used.
How it works:
  • Each role has a defined set of tools it’s permitted to use
  • Administrators can include or exclude any tool for any role
  • Dual Authorization: Just because an agent has a tool doesn’t mean it can use it—both the agent’s role and the user’s role must permit access
Example Scenario: 
Agent "DataAnalyst" has the `query_database` tool in its toolbox (Layer 1 ✓)
User "John" has role "Viewer" (Layer 2 check)
Agent "DataAnalyst" has role "Analyst" (Layer 2 check)

If "Viewer" role does NOT allow `query_database`:
→ Tool execution is BLOCKED (even though agent has it)

If both "Viewer" and "Analyst" roles allow `query_database`:
→ Tool execution is ALLOWED
Configuration: Navigate to Users & Roles → Edit Role → Tool Access to configure tool permissions for each role.

Layer 3: High-Risk Tools Toggle (System-Level Override)

This system-wide toggle provides an additional safety layer by blocking high-risk tools regardless of other configurations.
How it works:
  • Independent control that overrides Layer 1 and Layer 2
  • Blocks specific tools identified as high-risk (currently hard-coded, more will be added)
  • When enabled, high-risk tools are completely blocked system-wide
Current High-Risk Tools (more being added):
  • Python code execution tools
  • System command execution tools
  • File system modification tools
  • Database write/delete operations
Override Behavior: Even if:
  • ✓ An agent has the tool configured (Layer 1)
  • ✓ Both agent and user roles allow the tool (Layer 2)
If the High-Risk Tools toggle is enabled, the tool will be blocked. Configuration: Navigate to Users & Roles → Security Settings and toggle “Block High-Risk Tools”.
While Layer 2 (RBAC) can achieve the same blocking effect, Layer 3 provides a convenient single-switch control for quickly disabling dangerous operations across your entire Genesis environment.

Built-in Roles

Genesis provides default roles for common use cases:

Admin

Default Role for Eve AgentFull access to all features, agents, tools, and administrative functions. Use sparingly and only for trusted administrators.

User

Default Role for New AgentsStandard user access with configurable agent and tool permissions. New agents created in the system automatically receive this role.

Current User Information

View your own role assignments and permissions by navigating to Users & Roles → Current User Information. This section shows:
  • Your assigned roles
  • Permissions granted to you
  • Agents you have access to
  • Tools you’re authorized to use

Security Best Practices

1

Apply Least Privilege

Grant users and agents only the minimum permissions required for their functions. Start with restrictive permissions and add access as needed.
2

Review Tool Access Regularly

Periodically audit which tools are enabled for each role. Remove access to tools that are no longer needed.
3

Enable High-Risk Tools Toggle

For production environments, consider enabling the High-Risk Tools toggle to prevent dangerous operations unless explicitly needed.
4

Use Role-Based Agent Assignment

Assign agents to roles based on their intended purpose. Specialized agents should have restricted tool access aligned with their function.
5

Monitor Agent Tool Usage

Regularly review which tools agents are attempting to use. Unusual tool access patterns may indicate misconfigurations or security concerns.
6

Secure Secrets Properly

Leverage the Secret Access configuration to ensure sensitive credentials are only available to roles that absolutely require them.

Creating Custom Roles

To create a new role tailored to your organization’s needs:
  1. Navigate to Users & Roles in the Genesis UI
  2. Click Create New Role
  3. Configure the four main sections:
    • Basic Information: Name and description
    • Permissions: UI and system access
    • Agent Access: Which agents this role can use
    • Tool Access: Which tools are permitted
  4. Click Save to activate the role
Custom roles can then be assigned to users and agents as needed.

Agent Role Assignment

All agents are assigned roles just like users:
  • Eve (the primary Genesis agent) has the admin role by default
  • New agents are automatically assigned the user role
  • Administrators can assign additional roles to agents as needed
  • Agent role permissions are enforced in conjunction with user role permissions (Layer 2)
Remember: An agent having a tool and being allowed to use it are two different things. The agent’s role permissions must align with the user’s role permissions for tool execution to succeed.

FAQ

The agent will immediately lose access to that tool. Any in-progress operations using that tool will fail, and future attempts to use it will be blocked.
Yes! Use the Agent Access section when editing a role to specify exactly which agents users with that role can interact with.
Layer 2 (RBAC) provides granular, role-based control over individual tools. Layer 3 (High-Risk Toggle) is a system-wide emergency switch that blocks specific high-risk tools regardless of role permissions. Layer 3 is simpler but less flexible.
By default, yes—agents can add tools to their toolbox. However, even if they add a tool (Layer 1), they still need role permission to use it (Layer 2). Admins can also disable self-service tool addition entirely.
Navigate to Users & Roles → Security Settings. The interface lists all high-risk tools that will be blocked when the toggle is enabled. This list will expand as more tools are identified as high-risk.