Principal–Actor Model
No user access → no agent access. Agents cannot bootstrap access; they can only exercise already-granted access.
An agent cannot have more rights than the human (or org) it represents. Otherwise it becomes a privilege-escalation backdoor.
The Rule
- No user access → no agent access — If the principal has no access, the agent has none
- Agent access is derived — Always derived from (and limited by) principal access
- Agent access is delegated — The principal must explicitly delegate a subset of permissions
Terminology
| Term | Definition |
|---|---|
| Principal | The user or org that owns the agent — the real account with permissions |
| Actor | The agent — a tool the principal owns/controls |
| Delegation grant | The app's record that this principal allowed this agent to perform these intents |
Verification Logic
Server MUST enforce:
subis a real user in the app (or org member)subhas permission forint(via RBAC/ABAC)actis allowed to act forsub(delegation record)
ALLOW if UserPermits(sub, int) AND DelegationPermits(sub, act, int)
Onboarding Flow
- Step A — User logs in normally (OIDC/password). App knows userId.
- Step B — User creates/links agent. Registry stores agentId, ownerUserId, publicKey, status.
- Step C — User grants delegation. Registry stores ownerUserId, agentId, allowedIntents, expiresAt.
The agent is now owned and scoped. No user access → no agent access.