autonomy rbac role create

Create a custom RBAC role

Synopsis

Creates a new custom role with the specified permissions.

Predefined roles (operator, analyst, auditor, integrator) cannot be redefined.

CONSTRAINT C-07: The role name must not be “admin”, “superuser”, “root”, or “system”. No role may grant mutation authority over edge runtimes.

Known permissions:

      fleet:read             fleet status grid
      activation:read        activation timeline events
      telemetry:read         OTel event stream
      lock:read              BLAKE3 fingerprint chain
      release_channel:read   release channel viewer (read-only)
      wal:read               WAL buffer inspection
      policy_eval:read       policy evaluation results
      audit_history:read     full audit history (auditor only)
      signature:verify       re-run BLAKE3 verify on artifacts
      bundle:build           bundle builder UI (produces download only)
      cert:read              certificate list/check-revocation
      cert:manage            certificate issue/rotate/revoke/sync
      rbac:manage            RBAC role creation and role assignment
      simulation:run         policy simulation sandbox

Usage

autonomy rbac role create [flags]

Options

      --by string            operator identity creating this role (for audit)
      --description string   human-readable description
      --name string          role name (required)
      --permissions string   comma-separated permissions (required; see --help for valid values)
      --rbac-dir string      RBAC store directory (default: AUTONOMY_RBAC_DIR or XDG state path)
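
A pre-flight check for the naming and permission rules above, as an added example that is not part of the autonomy project: it refuses reserved (C-07) and predefined role names and any permission outside the known list before the command is run. The function names, the case-insensitive name comparison, and the sample roles (including the unknown `edge:write`) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for `autonomy rbac role create` arguments.
# The three lists are copied from this page; function names are hypothetical.
RESERVED="admin superuser root system"             # CONSTRAINT C-07
PREDEFINED="operator analyst auditor integrator"   # cannot be redefined
KNOWN="fleet:read activation:read telemetry:read lock:read release_channel:read
wal:read policy_eval:read audit_history:read signature:verify bundle:build
cert:read cert:manage rbac:manage simulation:run"

# in_list WORD LIST: succeeds if WORD is an exact member of LIST.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# check_role_args NAME PERMISSIONS
# Returns 0 = acceptable, 1 = name rejected, 2 = permission list rejected.
check_role_args() {
    # Assumption: compare names case-insensitively, so "Root" is refused too.
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    perms=$2
    [ -n "$name" ] || { echo "--name is required" >&2; return 1; }
    if in_list "$name" "$RESERVED $PREDEFINED"; then
        echo "role name '$1' is reserved or predefined" >&2; return 1
    fi
    # Refuse empty lists, empty elements, and characters no known permission
    # uses (whitespace, glob characters), so the split below is safe.
    case $perms in
        ''|,*|*,|*,,*|*[!a-z_:,]*)
            echo "malformed --permissions value" >&2; return 2 ;;
    esac
    for perm in $(printf '%s' "$perms" | tr ',' ' '); do
        if ! in_list "$perm" "$KNOWN"; then
            echo "unknown permission: $perm" >&2; return 2
        fi
    done
    return 0
}

# Constructed demo input (not from the page): one valid role, two rejected.
for spec in "cert-rotator=cert:read,cert:manage" "root=fleet:read" \
            "viewer=fleet:read,edge:write"; do
    if check_role_args "${spec%%=*}" "${spec#*=}" 2>/dev/null
    then echo "ok:       ${spec%%=*}"
    else echo "rejected: ${spec%%=*}"
    fi
done
```

When the check returns 0, the same values can be passed to `autonomy rbac role create` through `--name` and `--permissions`, with `--by` set so the audit record names the operator.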

See also