Platform Documentation
Platform Documentation
Breadcrumbs

AI Assistants

RunWhen AI Assistants provide contextual help to users working inside a workspace. Each assistant can answer questions, recommend next steps, and execute troubleshooting tasks — but always within the strict permissions granted to the user and to the workspace.

AI Assistants are assigned permissions. Instead, they operate entirely under the Role-Based Access Control (RBAC) model of the workspace and the user who is interacting with them.

How RBAC Applies to AI Assistants

AI Assistants inherit and respect existing access boundaries:

  1. Assistants can only access SLXs, workflows, secrets, and data that the requesting user is allowed to access.
    They cannot elevate privileges, view hidden resources, or call automation outside the user’s role.

  2. Actions executed by an assistant run under the user’s identity.
    When an assistant triggers a Runbook, workflow, or investigation step, the platform treats this exactly as if the user executed the action directly.

  3. Assistants cannot view or reference resources in other workspaces.
    Workspace isolation applies fully — assistants remain confined to the user’s current workspace.

  4. Assistants cannot retrieve secrets directly.
    They can use workflows that rely on secret-backed configurations, but only through the same secure execution pipeline the user has access to. Secrets are never exposed in responses.

  5. Auditability is preserved.
    All AI-triggered actions produce the same audit logs, run history, and RBAC checks as manual actions. This ensures traceability and compliance.

What AI Assistants Can Do — Within RBAC

Because they follow RBAC strictly, assistants can:

  • Suggest appropriate SLXs, Runbooks, or workflows based on what the user is allowed to see

  • Execute tasks or checks only if the user’s role permits execution

  • Provide insights from map data, task results, and summaries that the user could view manually

  • Recommend next steps based on the user’s accessible operational context

What AI Assistants Cannot Do

  • Access or summarize SLXs that the user does not have permission to view

  • Run workflows or automation steps that the user cannot execute directly

  • Cross workspace boundaries or merge context from other tenants

  • Reveal secrets or bypass secure configuration handling

Summary

AI Assistants enhance the RunWhen experience by helping users navigate and operate on their environment more effectively. Their design ensures that AI never becomes a new attack surface: all actions, data access, and automation remain fully governed by workspace-scoped RBAC and the permissions of the requesting user.