Assign permissions and roles with Infinity AI
Use natural-language prompts in Infinity AI to grant permissions to users, user groups, and roles in AppViewX. Infinity AI always routes the grant through the correct path, a role attached to a user group, even when you phrase the request in terms of a user.
To assign permissions and roles, type a prompt in Infinity AI. Infinity AI confirms the request, asks for any missing details, displays a summary, and applies the change after you confirm.
Overview
In AppViewX, permissions flow through roles, and roles attach to user groups. Infinity AI manages this routing internally. Request the access you need, and Infinity AI builds the required role-and-user-group path.
Infinity AI supports four assignment operations.
| Operation | What it does |
|---|---|
| Add permission to a user | Grants a permission to a specific user through their user group. |
| Add permission to a user group | Grants a permission directly to one or more user groups. |
| Add permissions to an existing role | Expands the access scope of an existing custom role. |
| Assign a role to user groups | Maps an existing role directly to one or more user groups. |
Background processing
- Workflows. For workflow-backed permissions (Enroll, Renew, Revoke, and so on), Infinity AI creates the resource AVX_INFINITY_RESOURCE_<UserGroupName> if it does not exist, attaches the required workflows, and grants form access inside those workflows.
- Dependent permissions. When you add a permission through a role, Infinity AI also includes any permissions that the selected one depends on, so the role is fully functional.
- Approval access. For supported permissions, Infinity AI asks at the end whether to grant approval access (approve and implement) for the user group.
Query types
Each assignment operation follows the same flow: state the access you need, let Infinity AI resolve the details, and confirm the summary before the change is applied.
Run an assignment
- Open the Infinity AI pane from the platform header.
- Type a prompt that names the access you want and the target (user, user group, or role).
- Confirm the permission(s) that Infinity AI resolves from your prompt.
- Provide any missing context when asked, for example the user group(s) to route through, or whether to use an existing role or create a new one.
- Review the summary and confirm.
- If Infinity AI prompts for approval access on applicable permissions, choose whether to grant it.
Sample use cases
Use these prompts as quick starting points. Each prompt maps to one of the four assignment operations.
| Sample prompt | Operation |
|---|---|
| Give john.doe enrollment access | Add permission to a user |
| Grant renewal access to the DevOps user group | Add permission to a user group |
| Add revocation access to the QA Team and Ops Team user groups | Add permission to a user group |
| Add enrollment access to the Cert Ops role | Add permissions to an existing role |
| Assign the CLM Requester role to the DevOps and QA Team user groups | Assign a role to user groups |
Scenarios
The following sections describe each assignment operation in detail, with a sample prompt and the expected conversation.
Scenario 1: Add a permission to a user
Use this when you want to grant one or more permissions to a specific user. Permissions cannot attach to users directly, so Infinity AI looks up the user's user groups and routes the grant through one of them.
Steps
- Type a prompt that names the user and the access you want, for example: Give john.doe enrollment access.
- Confirm the permission(s) that Infinity AI proposes.
- Select up to five user groups (from the user's memberships) through which the permission should be granted.
- Choose to use an existing role or create a new one.
- Review the summary and confirm.
- Decide whether to grant approval access for any newly added permissions.
Example
You: Give john.doe enrollment access
Infinity AI: Step 1 - Found permission: Enroll Certificate. Confirm?
You: Yes
Infinity AI: Step 2 - Validation passed.
Infinity AI: Step 3 - john.doe belongs to: QA Team, DevOps Team. Select user group(s).
You: QA Team
Infinity AI: Step 4 - Use an existing role or create a new one?
You: Existing role
Infinity AI: Roles with Enroll Certificate: CLM Requester, Cert Enrollers.
You: CLM Requester
Infinity AI: Assigning CLM Requester also grants its other permissions to QA Team.
Review them first?
You: No, proceed.
Infinity AI: Summary
• Permission: Enroll Certificate
• Role: CLM Requester
• Target user group: QA Team
Confirm?
You: Yes
Infinity AI: Step 5 - CLM Requester assigned to QA Team.
Infinity AI: Step 6 - Workflow setup done internally.
Infinity AI: Step 7 - Enroll Certificate supports approval access.
Grant approval access to QA Team?
You: Yes
Infinity AI: Approval access granted.
Scenario 2: Add a permission to a user group
Use this when you want to grant permissions directly to one or more user groups, without a user as the entry point. The flow matches the user flow from the role-selection step onwards.
Steps
- Type a prompt, for example: Grant renewal access to the DevOps user group.
- Confirm the permission(s) that Infinity AI proposes.
- Choose to use an existing role or create a new role. If you create a new role, accept or modify the suggested name and description.
- Review the summary and confirm.
- Decide whether to grant approval access for any newly added permissions.
Example
You: Grant renewal access to the DevOps user group
Infinity AI: Step 1 - Found permission: Renew Certificate. Confirm?
You: Yes
Infinity AI: Step 2 - Validation passed. DevOps exists. No duplicate permissions.
Infinity AI: Step 3 - Use an existing role or create a new one?
You: Create a new role
Infinity AI: Suggested: DevOps Renewer - Grants renewal access to certificates.
Accept or modify?
You: Accept
Infinity AI: Summary
• Permission: Renew Certificate
• New role: DevOps Renewer
• Target user group: DevOps
Confirm?
You: Yes
Infinity AI: Step 4 - Role created and assigned.
You: No
Infinity AI: Done.
Scenario 3: Add permissions to an existing role
Use this when you want to expand a custom role you have already built. The change applies to every user group the role is mapped to.
Steps
- Type a prompt, for example: Add enrollment access to the Cert Ops role.
- Confirm the permission(s) that Infinity AI proposes.
- Optionally review the user groups currently mapped to the role.
- Review the summary and confirm.
Example
You: Add enrollment access to the Cert Ops role
Infinity AI: Step 1 - Found permission: Enroll Certificate. Confirm?
You: Yes
Infinity AI: Step 2 - Role: Cert Ops. Identified from query.
Infinity AI: Step 3 - Adding Enroll Certificate to Cert Ops affects every user group
currently mapped to it. Review them?
You: Yes
Infinity AI: User groups: QA Team, Ops Team
You: Proceed
Infinity AI: Step 4 - Summary
• Permission to add: Enroll Certificate
• Role: Cert Ops
• Affected user groups: QA Team, Ops Team
Confirm?
You: Yes
Infinity AI: Step 5 - Permissions added. Workflow setup done internally for
QA Team and Ops Team.
Scenario 4: Assign a role directly to user groups
Use this when you want to map an existing role to one or more user groups in a single step. This is the fastest way to give a team a known bundle of access.
Steps
- Type a prompt, for example: Assign the CLM Requester role to the DevOps and QA Team user groups.
- Optionally review the role's full permission list.
- Review the summary and confirm.
Example
You: Assign the CLM Requester role to the DevOps and QA Team user groups
Infinity AI: Step 1 - Role: CLM Requester. User groups: DevOps, QA Team.
Infinity AI: Step 2 - Assigning CLM Requester grants all its permissions to both groups.
Review the permissions?
You: No, proceed
Infinity AI: Step 3 - Summary
• Role: CLM Requester
• Target user groups: DevOps, QA Team
• Effect: All permissions in CLM Requester will be granted to both groups
Confirm?
You: Yes
Infinity AI: Step 4 - Role assigned. Workflow setup done internally for DevOps and QA Team.
Product behavior
Permission routing
Permissions in AppViewX flow only through roles, and roles attach only to user groups. Whatever you ask for, Infinity AI routes the grant through this path: permission → role → user group.
- If you name a user, Infinity AI looks up the user's user groups and routes through the user group(s) you select.
- If you name a user group, Infinity AI assigns a role to that user group.
- If you name a role, Infinity AI either expands the role or maps it to user groups.
Dependent permissions
When you add a permission through a role (existing or new), Infinity AI silently includes any permissions that the selected one depends on. The confirmation summary shows only the permissions you selected.
Workflow setup
For permissions linked to workflows, Infinity AI automatically performs these actions after you confirm:
- When creating a new role: retrieves the workflows associated with the newly added permissions.
- When adding permissions to an existing role: retrieves the workflows associated with all permissions assigned to the role.
- Creates the user-group resource AVX_INFINITY_RESOURCE_<UserGroupName> if it does not already exist.
- Adds the required workflows to the resource.
- Grants form access within those workflows.
All of this runs automatically in the background and does not require any action from you.
Approval access
Approval access is evaluated only after a successful permission grant, and only for the permissions you selected in the current operation, not for other permissions the role may already contain.
| Flow | Approval access prompted? |
|---|---|
| Add permission to a user | Yes, for newly selected permissions |
| Add permission to a user group | Yes, for newly selected permissions |
| Add permissions to an existing role | No |
| Assign a role to user groups | No |
Duplicate-permission checks
- User flow. If the user already has all selected permissions, the operation stops. If only some are present, Infinity AI asks whether to continue with the remaining ones.
- Single user group. Same behavior as the user flow.
- Multiple user groups. The duplicate check is skipped, because one group may already have a permission that another does not.
Existing role versus new role
When you grant permissions to a user or user group, Infinity AI asks whether to use an existing role or create a new one.
- Existing role. Infinity AI lists roles that already contain the selected permission(s). After you choose, Infinity AI warns that the role's other permissions will also be granted to the target user group(s) and offers to show them.
- New role. Infinity AI suggests a name and description based on the selected permissions. You can accept or modify them. The new role is created with only the selected permissions (plus their dependencies).
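A pre-confirmation review of the behaviours described under "Dependent permissions" and "Existing role versus new role", as an added example (not AppViewX code and not an AppViewX API): it computes what a user group actually gains once a reused role's other permissions and the silently included dependencies are counted, and which groups an edit to a shared role reaches. Role contents, group memberships and dependency edges are constructed sample data, and the function names are hypothetical.

```python
# Added example: a local model of permission -> role -> user group.
# Every role, membership and dependency edge below is constructed sample data.
ROLE_PERMS = {
    "CLM Requester": {"Enroll Certificate", "Renew Certificate", "Revoke Certificate"},
    "Cert Viewers": {"View Certificate"},
}
GROUP_ROLES = {"QA Team": {"Cert Viewers"}, "Ops Team": {"Cert Viewers"}, "DevOps": set()}
GROUP_USERS = {"QA Team": {"john.doe", "a.kim"}, "Ops Team": {"r.lee"}, "DevOps": {"john.doe"}}
# Hypothetical dependency edges: permission -> permissions it needs.
DEPENDS_ON = {"Enroll Certificate": {"View Certificate", "Submit Request"}}


def with_dependencies(perms):
    """Selected permissions plus everything they transitively depend on."""
    seen, stack = set(perms), list(perms)
    while stack:
        for dep in DEPENDS_ON.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def effective(group):
    """Permissions a user group holds today through its mapped roles."""
    return set().union(*(ROLE_PERMS[r] for r in GROUP_ROLES.get(group, ())))


def grant_delta(group, requested, existing_role=None):
    """What the group gains, split into what was asked for and what rides along."""
    requested = set(requested)
    bundle = with_dependencies(requested)        # new role: selection + dependencies
    if existing_role is not None:
        bundle |= ROLE_PERMS[existing_role]      # reused role: its whole bundle comes too
    gained = bundle - effective(group)
    return {"requested": sorted(gained & requested),
            "unrequested": sorted(gained - requested),
            "users_affected": sorted(GROUP_USERS.get(group, ()))}


def role_change_impact(role, added):
    """Adding permissions to a role changes every user group mapped to it."""
    bundle = with_dependencies(added)
    return {g: sorted(bundle - effective(g))
            for g, roles in sorted(GROUP_ROLES.items()) if role in roles}
```

The `unrequested` list is the part the confirmation summary does not show, so it is the part to review before confirming.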
Product limitations
Per-operation limits
| Operation | Maximum per request |
|---|---|
| Add permission to a user | 1 user, 5 permissions, 5 user groups |
| Add permission to a user group | 5 user groups, 5 permissions |
| Add permissions to an existing role | 1 role, 5 permissions; role must be mapped to 5 or fewer user groups |
| Assign a role to user groups | 5 roles, 5 user groups |
Unsupported actions
| Action | Note |
|---|---|
| Creating users | Use the AppViewX UI. |
| Creating user groups | Use the AppViewX UI. |
| Mapping a user to a user group | Use the AppViewX UI. |
| Creating or mapping resources explicitly | Resources are managed internally only. |
| Assigning a permission directly to a user or user group (without a role) | All permissions must flow through roles. |
| Assigning a role directly to a user | Roles attach only to user groups. |
| Adding permissions to pre-shipped (OOB) roles | Only custom roles support permission addition. |
| Bulk operations across many entities | Run separate operations. |
Blocking conditions
- If the user (or single user group) already has all the selected permissions, the operation is blocked. The workflow configuration cannot be resumed separately from the permission check.
- If the target custom role is mapped to more than five user groups, adding permissions to it is blocked.
- Validation failures (missing entities, exceeded limits, OOB role) stop the operation with a clear explanation.
