Principals & Roles

Every action is performed by an identified principal. Roles provide default permission sets.

Principal Types

PrincipalId	Badge	Use Case
LocalUser(String)	Local	Desktop operator
RemoteUser	Remote	WebSocket client with session
LlmAgent	LLM	Claude-powered AI agent
ControlAgent(String)	Agent	Autonomous control agent (HVAC, Aviation)
SdkClient	SDK	External data source via QUIC
System	System	Internal system operations

Role	Level	Default Permissions
Admin	3	All permissions (42/42)
Operator	2	Full ControlBus, all LLM tools, reports, config load, network
Viewer	1	View-only: state, audit, policies, agents, metrics, reports
LlmAgent	—	Query state, manage panes, fly camera, workspace (no commands)
ControlAgent	—	Issue commands, view state, view agents only
SdkClient	—	IngestConnect only
Custom(String)	—	Empty — all permissions via explicit grant

User overrides > Group overrides > Group role defaults > User role defaults. Higher-hierarchy roles cannot be overridden by group membership.

Reach out for help with integration, deployment, or custom domain codecs.