autonomy rbac role create

Create a custom RBAC role

Synopsis

Creates a new custom role with the specified permissions.

Predefined roles (operator, analyst, auditor, integrator) cannot be redefined.

CONSTRAINT C-07: The role name must not be "admin", "superuser", "root", or
"system". No role may grant mutation authority over edge runtimes.

Known permissions:
  fleet:read            fleet status grid
  activation:read       activation timeline events
  telemetry:read        OTel event stream
  lock:read             BLAKE3 fingerprint chain
  release_channel:read  release channel viewer (read-only)
  wal:read              WAL buffer inspection
  policy_eval:read      policy evaluation results
  audit_history:read    full audit history (auditor only)
  signature:verify      re-run BLAKE3 verify on artifacts
  bundle:build          bundle builder UI (produces download only)
  cert:read             certificate list/check-revocation
  cert:manage           certificate issue/rotate/revoke/sync
  rbac:manage           RBAC role creation and role assignment
  simulation:run        policy simulation sandbox

Usage

autonomy rbac role create [flags]

Options

      --by string            operator identity creating this role (for audit)
      --description string   human-readable description
      --name string          role name (required)
      --permissions string   comma-separated permissions (required; see --help for valid values)
      --rbac-dir string      RBAC store directory (default: AUTONOMY_RBAC_DIR or XDG state path)
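
Example (added here, not part of the autonomy project): a pre-flight check that rejects a role request before it reaches `autonomy rbac role create`, using the reserved names, predefined roles and known permissions listed on this page. The function names and the exact-match, case-sensitive comparison are assumptions; the "mutation authority over edge runtimes" part of C-07 is not checked because the page does not say which permissions it covers.

```shell
#!/usr/bin/env bash
# Added example: validate --name / --permissions values before calling the CLI.
# Lists are copied from this page; exact-match comparison is an assumption.

RESERVED="admin superuser root system"             # CONSTRAINT C-07
PREDEFINED="operator analyst auditor integrator"   # cannot be redefined
KNOWN="fleet:read activation:read telemetry:read lock:read release_channel:read
wal:read policy_eval:read audit_history:read signature:verify bundle:build
cert:read cert:manage rbac:manage simulation:run"

# in_list WORD LIST -> 0 if WORD is one of the whitespace-separated LIST items
in_list() {
  local w
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# check_role_request NAME PERMISSIONS
# Returns 0 if acceptable, 1 for a name problem, 2 for a permission problem.
# The reason is printed on stderr.
check_role_request() {
  local name=$1 perms=$2 rest p
  [ -n "$name" ] || { echo "role name is required" >&2; return 1; }
  in_list "$name" "$RESERVED" && { echo "reserved name (C-07): $name" >&2; return 1; }
  in_list "$name" "$PREDEFINED" && { echo "predefined role: $name" >&2; return 1; }
  [ -n "$perms" ] || { echo "permissions are required" >&2; return 2; }

  # Walk the comma-separated list without word splitting, so empty items
  # ("a,,b") and stray whitespace are reported instead of silently dropped.
  rest="$perms,"
  while [ -n "$rest" ]; do
    p=${rest%%,*}
    rest=${rest#*,}
    in_list "$p" "$KNOWN" || { echo "unknown permission: '$p'" >&2; return 2; }
  done
  return 0
}

# Typical use (not executed here):
#   check_role_request "$NAME" "$PERMS" &&
#     autonomy rbac role create --name "$NAME" --permissions "$PERMS" --by "$USER"
```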

See also