iblai-rbac

Use when building, auditing, or extending ibl.ai role-based access control — default roles seeded by the platform, the action-definitions endpoint, and the SDK components (Admin, RolesTab, PoliciesTab) that render the Roles + Policies management UI. For agent-scoped sharing (editor / chat roles on a single mentor) see /iblai-agent-access; for mounting the host Account modal see /iblai-account.

12 stars

Best use case

iblai-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when building, auditing, or extending ibl.ai role-based access control — default roles seeded by the platform, the action-definitions endpoint, and the SDK components (Admin, RolesTab, PoliciesTab) that render the Roles + Policies management UI. For agent-scoped sharing (editor / chat roles on a single mentor) see /iblai-agent-access; for mounting the host Account modal see /iblai-account.

Teams using iblai-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/iblai-rbac/SKILL.md --create-dirs "https://raw.githubusercontent.com/iblai/vibe/main/skills/iblai-rbac/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/iblai-rbac/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How iblai-rbac Compares

Feature / Agentiblai-rbacStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when building, auditing, or extending ibl.ai role-based access control — default roles seeded by the platform, the action-definitions endpoint, and the SDK components (Admin, RolesTab, PoliciesTab) that render the Roles + Policies management UI. For agent-scoped sharing (editor / chat roles on a single mentor) see /iblai-agent-access; for mounting the host Account modal see /iblai-account.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# /iblai-rbac

Reference skill for the ibl.ai role-based access control system. Lists
the default RBAC roles the platform seeds (Tenant Admin, Students,
Mentor Editor / Viewer, Analytics Viewer, Notification Manager,
Enrollment Manager, CRM roles, etc.) and points to the live endpoint
that returns every action definition. Use this when you need to
build, audit, or extend RBAC behavior — most apps only need the SDK's
drop-in management UI (`<Admin>` → Roles + Policies tabs) plus
per-resource gating via `checkRbacPermission`. Mention or open this
skill before writing custom RBAC UI from scratch.

![Account Management — Policies](https://raw.githubusercontent.com/iblai/vibe/refs/heads/main/skills/iblai-rbac/account-management-policies.png)

Do NOT add custom styles, colors, or CSS overrides to ibl.ai SDK components.
They ship with their own styling. Keep the components as-is.
Do NOT implement dark mode unless the user explicitly asks for it.

When building custom UI around SDK components, use the ibl.ai brand:
- **Primary**: `#0058cc`, **Gradient**: `linear-gradient(135deg, #00b0ef, #0058cc)`
- **Button**: `bg-gradient-to-r from-[#2563EB] to-[#93C5FD] text-white`
- **Font**: System sans-serif stack, **Style**: shadcn/ui new-york variant
- Follow the component hierarchy: use ibl.ai SDK components
  (`@iblai/iblai-js`) first, then shadcn/ui for everything else
  (`npx shadcn@latest add <component>`). Do NOT write custom components
  when an ibl.ai or shadcn equivalent exists. Both share the same
  Tailwind theme and render in ibl.ai brand colors automatically.
- Follow [BRAND.md](https://raw.githubusercontent.com/iblai/vibe/refs/heads/main/BRAND.md) for
  colors, typography, spacing, and component styles.

> **Common setup (brand, conventions, env files, verification):** see [docs/skill-setup.md](https://raw.githubusercontent.com/iblai/vibe/refs/heads/main/docs/skill-setup.md).

## SDK components — drop-in Roles + Policies UI

For 99% of apps the management UI doesn't need to be hand-rolled. The
SDK ships the components that the Account dialog uses (the screenshot
above is the Policies tab inside `<Admin>`):

| Component | Description |
|-----------|-------------|
| `<Admin>` | Full management surface — Users, Groups, **Roles**, **Policies**, Teams, Alerts. Tabs are permission-gated via the `has*TabPermission` props (e.g. `hasRolesTabPermission`, `hasPoliciesTabPermission`). Pass `enableRbac` + `rbacPermissions` to drive those flags from `checkRbacPermission` results. Already mounted inside the SDK `<Account>` modal — most apps reach it via `/iblai-account`. |
| `<RolesTab tenant={key} />` | Standalone Roles tab — table of roles for the tenant + create/edit/delete dialogs. The "actions" / "data_actions" pickers list every action definition from the endpoint below. |
| `<PoliciesTab tenant={key} />` | Standalone Policies tab — bind a role to a set of resources for users/groups. Resources are hierarchical (`/platforms/<pk>/mentors/<pk>/`) and the picker handles that. |

All three live in `@iblai/iblai-js/web-containers`. For agent-scoped
sharing (editor / chat roles on a single mentor) use `<AgentAccessTab>`
from `/iblai-agent-access` instead — it wraps the underlying
`Ibl.Mentor/ShareMentor/...` API. For per-action permission gating in
your own UI use `checkRbacPermission(rbacPermissions, path, enableRbac)`
from `@iblai/iblai-js/web-utils`.

## Action definitions endpoint

The full list of every action the platform recognizes:

```
GET https://base.manager.iblai.app/api/core/rbac/actions/definitions/
Authorization: Token <dm-token>
```

Use this when authoring a custom role's `actions` / `data_actions`
array or when validating that an action string is real before you ship
it in a policy migration. `<RolesTab>` calls this endpoint internally
to populate its action picker.

## Default roles

The seed bundles the platform ships with. Use them as starting points
when authoring new roles via `<RolesTab>` or `POST rbac/roles/` (see
`/iblai-agent-access` → "Roles CRUD" for the REST contract).

Full Python definitions of every default role (with their `actions` and
`data_actions` arrays) live in
[`references/default-roles.py`](https://raw.githubusercontent.com/iblai/vibe/refs/heads/main/skills/iblai-rbac/references/default-roles.py).
Open or copy that file when you need the exact action strings.

| Role | Summary |
|------|---------|
| `TENANT_ADMIN` | `Ibl.*` everywhere — full tenant control. |
| `STUDENT` | Chat + read settings/prompts/tools/disclaimers/MCP for mentors granted to them; reads field-level mentor + settings data. |
| `STUDENT_MENTOR_VIEWERS` | List mentors (filtered to what they have access to). |
| `MENTOR_VIEWER` | Read-only mentor + settings + prompts + documents + reports + chat. Apply to `/platforms/{pk}/mentors/{pk}/`. |
| `MENTOR_EDITOR` | Mentor read + write across settings, prompts, documents, artifacts, disclaimers, grader. Apply to `/platforms/{pk}/mentors/{pk}/`. |
| `MENTOR_CREATORS` | Create new mentors (`Ibl.Mentor/Mentors/action`). |
| `MENTOR_ANALYTICS_VIEWER` | View per-mentor analytics; subsumes `STUDENT`. |
| `ANALYTICS_VIEWER` | View the analytics dashboard. Pair with `Ibl.Analytics/Core/read` or `Ibl.Analytics/Reports/read` on a user/team scope. |
| `READ_ANALYTICS` | Per-target analytics + report reads. Apply to `/platforms/{pk}/users/{pk}/` or `/platforms/{pk}/usergroups/{pk}/`. |
| `NOTIFICATION_MANAGER` | Send notifications + manage templates (scope-gated). |
| `SEND_NOTIFICATIONS` | Send notifications to a specific user / team. Apply to `/platforms/{pk}/users/{pk}/` or `/platforms/{pk}/usergroups/{pk}/`. |
| `ENROLLMENT_MANAGER` | Manage course / pathway / program enrollments and invitations. |
| `LIST_USERS` / `LIST_TEAMS` | List users / teams for pickers. |
| `CREATE_TEAMS` | Create a UserGroup (team). |
| `READ_TEAM` / `EDIT_TEAM` | Per-team read / write. Apply to `/platforms/{pk}/usergroups/{pk}/`. |
| `GROUP_MENTOR_MANAGER` | List + read RBAC groups. |
| `LLM_USERS` / `LLM_MODEL_ACCESS` | List or read individual LLM providers / models the user is allowed to use. |
| `SELL_ITEMS` | Gate that allows selling items on the platform. |
| `BILLING_MANAGER` | Read + write platform credit settings. |
| `CRM_VIEWER` / `CRM_USER` / `CRM_MANAGER` / `CRM_INVITER` | Tiered CRM access — read / use / administer / invite leads. |
| `WATCHED_GROUP_LIST` / `WATCHED_GROUP_READ` | List / read watched groups for alerts. |
| `WATCHED_GROUP_WATCHER_GRANTS` | Extra analytics grants given to watchers on a WatchedGroup. |

## Step-by-step: define a custom role

1. **Pick the action strings.** Fetch the live action definitions
   endpoint above (or open `references/default-roles.py` for known-good
   examples). Use `Ibl.*` wildcards sparingly — they bypass field-level
   reads.
2. **Pick the resources the role applies to.** Resources are
   hierarchical and rooted at `/platforms/{pk}/...`. Granting on
   `/platforms/{pk}/mentors/` covers every mentor; granting on
   `/platforms/{pk}/mentors/{pk}/` scopes to one.
3. **Create the role via `<RolesTab>` (UI) or `POST rbac/roles/` (API).**
   Body: `{ name, platform_key, actions[], data_actions[] }`. See
   `/iblai-agent-access` → "Roles CRUD" for the full REST contract.
4. **Bind the role to users / groups via `<PoliciesTab>` (UI) or
   `POST rbac/policies/`.** Body: `{ platform_key, name, role_id,
   resources[], user_ids[], group_ids[] }`. Resources must start with
   `/platforms/` and end with `/`.
5. **Gate UI in your app** with `checkRbacPermission(rbacPermissions,
   path, enableRbac)` after calling `POST rbac/permissions/check/` to
   hydrate `rbacPermissions`. The `permissions` object on each resource
   response also exposes per-field / per-object flags you can use
   directly.

## Related skills

- `/iblai-agent-access` -- agent-scoped sharing (editor / chat roles on
  a single mentor) via `<AgentAccessTab>`. Documents the underlying
  REST contract (`rbac/roles/`, `rbac/policies/`, `rbac/groups/`,
  `rbac/mentor-access/`, `rbac/teams/access/`, etc.).
- `/iblai-account` -- mounts the SDK `<Account>` modal that hosts the
  `<Admin>` management UI (Users · Groups · Roles · Policies · Teams ·
  Alerts).
- **Brand guidelines**: [BRAND.md](https://raw.githubusercontent.com/iblai/vibe/refs/heads/main/BRAND.md)

Related Skills

iblai-workflow

12
from iblai/vibe

Add workflow builder components to your Next.js app

iblai-security-recon

12
from iblai/vibe

Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.

iblai-security-prompt-injection

12
from iblai/vibe

Audit applications for AI prompt injection, agent security, and LLM permission boundary vulnerabilities. Use when the user mentions 'prompt injection,' 'LLM security,' 'AI security,' 'jailbreak,' 'indirect prompt injection,' 'prompt leaking,' 'AI red team,' 'LLM vulnerabilities,' 'AI input validation,' 'system prompt extraction,' 'agent security,' 'MCP security,' 'AI permissions,' 'AI privilege escalation,' or needs to secure any application with AI features, AI agents, or LLM integrations.

iblai-security-owasp-audit

12
from iblai/vibe

Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.

iblai-security-osint-recon

12
from iblai/vibe

Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.

iblai-security-incident-triage

12
from iblai/vibe

Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.

iblai-security-disk-forensics

12
from iblai/vibe

Analyze disk images and file systems for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' or needs to examine a forensic image.

iblai-security-dependency-audit

12
from iblai/vibe

Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns. Use when the user mentions 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe,' or needs to check whether their stack has known security issues.

iblai-security-cloud-audit

12
from iblai/vibe

Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.

iblai-readme

12
from iblai/vibe

Write or refresh the README.md

iblai-project

12
from iblai/vibe

Add the in-process Projects surface (project landing page — chat input + project files + instructions + assigned agents) to a Next.js app

iblai-profile

12
from iblai/vibe

Add profile dropdown and settings page to your Next.js app