RBAC listing with Infinity AI (Tech Preview) 
Use natural-language prompts in Infinity AI to query users, user groups, roles, and permissions in AppViewX. Listing is read-only: no RBAC data changes when you run a listing query. To list RBAC entities, type a prompt in Infinity AI. Infinity AI returns a paginated grid. Refine the prompt to narrow the results.
- The AppViewX Infinity AI assistant is disabled by default.
- To grant access, see Assign permissions and certificate groups with Infinity AI. To remove access, see Unassign roles and permissions with Infinity AI.
- Infinity AI RBAC queries are not supported when subdelegation is enabled.
- Infinity AI maintains context within a single chat session. Running a large number of queries in the same session may degrade context accuracy, which can result in incomplete or inaccurate RBAC results. If results appear inconsistent, start a new chat session and rerun the query.
Overview
Infinity AI lets you query the four RBAC entity types in AppViewX by typing a question in plain English. Results are returned as paginated, searchable grids with entity-specific columns.
The columns in each result grid depend on the entity type returned.
| Entity returned | Standard columns |
|---|---|
| Users | User name |
| User groups | User group name, Description |
| Roles | Role name, Description |
| Permissions | Permission name, Description |
Every result grid supports the same controls.
- Pagination: Move forward and backward through the full dataset.
- In-grid search: Search by the primary column of the result entity (for example, user name or role name). Search does not apply to relationship columns.
Key capabilities
- Natural-language querying for RBAC entities.
- Consistent grid responses with pagination and in-grid search.
- Intelligent OR / AND handling within a single entity type.
- Guided permission resolution before any data is fetched.
- Clear separation between supported and unsupported query patterns.
Query Types
Use the following steps to run any listing query.
Run a listing query
- Open the Infinity AI pane.
- Type a question that names the entity you want to see and, optionally, one or more filters.
- If your prompt mentions a permission, confirm the permission name that Infinity AI resolves it to.
- Browse the result grid. Use the pagination controls to move through pages, or type into the search box to narrow results.
- Refine with a follow-up prompt if needed.
Sample use cases
Use these prompts as quick starting points. Each prompt resolves to one entity type and returns a paginated grid.
| Goal | Sample prompt | Returned entity |
|---|---|---|
| See every user | List all users | Users |
| See every user group | Show all user groups | User groups |
| See every role | Get all roles | Roles |
| See every permission | Show all permissions | Permissions |
| Find users in a user group | Show users in the DevOps user group | Users |
| Find roles a user holds | What roles does john.doe have? | Roles |
| Find permissions in a role | List all permissions in the CLM Requester role | Permissions |
| Find user groups with a permission | User groups with renewal access | User groups |
Scenarios
The following sections describe the four query patterns that Infinity AI supports, with example prompts and expected responses.
Scenario 1: List all records of an entity
Use a plain prompt with no filters when you want every record of one entity type. Results are paginated.
Example prompts
- List all users
- Show all user groups
- Get all roles
- Show all permissions
Response
You: List all users
Infinity AI: 500 users found. Showing 1–50 of 500.
Columns: User Name
[grid]
Scenario 2: Filter results by one related entity
Filter any entity by exactly one related entity. The response is a paginated grid with the standard columns for the result entity. No relationship column is added.
| Result entity | Filter by | Example prompt |
|---|---|---|
| Users | User group | Show users in the DevOps user group |
| Users | Role | List users who have the CLM Requester role |
| Users | Permission | Show users with enrollment access |
| User groups | User | Which user groups does john.doe belong to? |
| User groups | Role | Show user groups assigned to the Admin role |
| User groups | Permission | User groups with renewal access |
| Roles | User | What roles does john.doe have? |
| Roles | User group | Show roles assigned to the DevOps user group |
| Roles | Permission | Which roles include revocation access? |
| Permissions | User | What permissions does john.doe have? |
| Permissions | User group | Show permissions available to the QA Team user group |
| Permissions | Role | List all permissions in the CLM Requester role |
Scenario 3: Combine multiple values of the same entity
When your prompt names several values of the same entity type, Infinity AI evaluates them as either a union (OR) or an intersection (AND).
Use OR to see entities that match any value. Returns entities that match at least one of the named values. Infinity AI adds a relationship column so you can see which queried value each row matches. Each result appears once.
Example: users in either of two groups
You: Show users who are in UserGroup1 or UserGroup2
| User name | User groups |
|---|---|
| user1 | UserGroup1, UserGroup2 |
| user2 | UserGroup1 |
| user3 | UserGroup2 |
Example: user groups with either of two permissions
You: Show user groups with renewal access or enrollment access
| User group | Description | Permissions |
|---|---|---|
| DevOps Team | DevOps access group | Enroll Certificate, Renew Certificate |
| QA Team | Quality assurance group | Renew Certificate |
| Ops Team | Operations group | Enroll Certificate |
Use AND to see entities that match every value. Returns only entities that match all named values. The grid shows standard columns only, with no relationship column.
Example: users in both groups
You: Show users who are in both UserGroup1 and UserGroup2
| User name |
|---|
| user1 |
Example: roles that hold both permissions
You: Roles that have both renewal and enrollment access
| Role | Description |
|---|---|
| CLM Requester | Certificate lifecycle role |
| Full Access Role | All certificate permissions |
Scenario 4: Combine filters across different entity types
When your prompt mixes different entity types, Infinity AI always combines them with AND. OR can still apply within the values of a single entity type. No relationship column is returned.
| Prompt | Roles with renewal access that are assigned to DevOps or QA Team |
|---|---|
| Filter 1 (permission) | Renewal |
| Filter 2 (user groups) | DevOps OR QA Team |
| Logic | OR within user groups; AND across entity types |
| Result | Roles that have renewal permission AND are assigned to either DevOps or QA Team. Columns: Role name, Description. |

| Prompt | Show permissions available to users in the DevOps group who also have the Admin role |
|---|---|
| Filter 1 (user group) | DevOps |
| Filter 2 (role) | Admin |
| Logic | AND across entity types |
| Result | Permissions held by users who are in DevOps AND hold the Admin role. Standard permission grid. |
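The combination rules of Scenarios 3 and 4 can be modeled as set logic, which helps when checking what a prompt should return. This is an added example, not AppViewX code: the role-to-group and role-to-permission links, the `Auditor` and `Renewal Operator` roles, and the `View Certificate` permission are constructed.

```python
# Added example: constructed RBAC data, not AppViewX code or an AppViewX API.
# Each role maps to the user groups it is assigned to and the permissions it holds.
ROLE_LINKS = {
    "CLM Requester": {"user_group": {"DevOps"},
                      "permission": {"Renew Certificate", "Enroll Certificate"}},
    "Full Access Role": {"user_group": {"Ops Team"},
                         "permission": {"Renew Certificate", "Enroll Certificate"}},
    "Auditor": {"user_group": {"QA Team"}, "permission": {"View Certificate"}},
    "Renewal Operator": {"user_group": {"DevOps", "QA Team"},
                         "permission": {"Renew Certificate"}},
}


def matches(links, filters):
    """filters maps entity type -> (mode, values); mode is "or" or "and".

    The mode applies within one entity type. Different entity types are
    always combined with AND, as Scenario 4 describes.
    """
    for entity_type, (mode, values) in filters.items():
        wanted = set(values)
        hits = links.get(entity_type, set()) & wanted
        if (mode == "and" and hits != wanted) or (mode == "or" and not hits):
            return False
    return True


def run_query(entities, filters):
    """Rows sorted by name; a relationship column appears only for a
    single-entity-type OR over several values (Scenario 3)."""
    relation = None
    if len(filters) == 1:
        entity_type, (mode, values) = next(iter(filters.items()))
        if mode == "or" and len(values) > 1:
            relation = (entity_type, set(values))
    rows = []
    for name in sorted(entities):
        if not matches(entities[name], filters):
            continue
        if relation:
            rows.append((name, sorted(entities[name][relation[0]] & relation[1])))
        else:
            rows.append((name,))
    return rows


# Scenario 4 prompt: "Roles with renewal access that are assigned to DevOps or QA Team"
SCENARIO_4 = {"permission": ("and", ["Renew Certificate"]),
              "user_group": ("or", ["DevOps", "QA Team"])}
```

Calling `run_query(ROLE_LINKS, SCENARIO_4)` returns only the roles that hold the renewal permission and are assigned to at least one of the two groups, with no relationship column.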
Product behavior
Result grid behavior
- Each result grid contains exactly one entity type.
- Standard columns are determined by the result entity (see Overview).
- Pagination lets you move forward and backward through the full dataset.
- In-grid search matches only the primary column of the result entity. Relationship columns are not searchable.
- OR queries within one entity type add a relationship column; AND queries do not.
Permission resolution
When you filter by a permission, Infinity AI runs a permission resolution step before fetching data.
- You enter a query with a permission-based filter (for example, roles with enrollment access).
- Infinity AI presents the closest matching permissions in a selection view.
- You select or confirm the appropriate permission(s).
- Infinity AI fetches data based on the confirmed selection.
All-or-nothing permission matching
Each high-level permission (for example, Network Discovery Manage) is backed by several internal access rules. An entity (role, user, or user group) qualifies only if it holds every internal rule. Partial matches do not qualify.
Example: Network Discovery Manage requires Server Certificate Submit, Client Certificate Submit, and Code-Signing Certificate Submit. A role must hold all three to qualify.
The Network Discovery Manage use case allows adding, updating, and deleting network discovery configuration details. It is backed by eight internal access rules. An entity qualifies only if it holds all eight rules.
- certificate:certificatediscovery:network:networks:add_modify
- certificate:certificatediscovery:network:networks:delete
- certificate:certificatediscovery:network:excluded_network:add_modify
- certificate:certificatediscovery:network:excluded_network:delete
- certificate:certificatediscovery:network:excluded_ports:add_modify
- certificate:certificatediscovery:network:excluded_ports:delete
- certificate:certificatediscovery:network:settings:add_modify
- certificate:certificatediscovery:network:settings:delete
| Role | Permissions held | Qualifies |
|---|---|---|
| role1 | networks:add_modify only (1 of 8) | No |
| role2 | All 8 Network Discovery Manage permissions | Yes |
| role3 | All 8 Network Discovery Manage permissions + others | Yes |
| role4 | networks:add_modify only (4 of 8) | No |
Result: role1 and role4 are excluded; role2 and role3 are returned.
Example: The Renew Server Certificates use case allows renewing an existing server certificate. It is backed by one core ACF permission and two additional permissions. An entity qualifies only if it holds the core permission. The additional permissions support supplementary actions such as viewing columns and exporting data.
| Type | Permission |
|---|---|
| Server Certificate Actions Renew Core (ACF) | certificate:servercertificateactions:renew |
| Server columns (Additional) | certificate:server:columns |
| Server export (Additional) | certificate:server:export |
Prompt: Show roles with Renew Server Certificates access
| Role | Permissions held | Qualifies |
|---|---|---|
| role1 | No Core permission | No |
| role2 | Core permission with no additional permissions | Yes |
| role3 | Core permission (+ additional permissions) | Yes |
Result: role1 is excluded. role2 and role3 are returned.
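The all-or-nothing rule from both examples above, written as a subset check. This is an added example, not AppViewX code: the rule names come from this page, but the rule sets given to each role are constructed, and role4 is assumed to hold four of the eight rules.

```python
# Added example: constructed role data, not AppViewX code or an AppViewX API.
PREFIX = "certificate:certificatediscovery:network:"

# The eight internal access rules the page lists for Network Discovery Manage.
NETWORK_DISCOVERY_MANAGE = frozenset(
    f"{PREFIX}{area}:{action}"
    for area in ("networks", "excluded_network", "excluded_ports", "settings")
    for action in ("add_modify", "delete")
)

# Renew Server Certificates: only the core rule decides qualification.
RENEW_CORE = frozenset({"certificate:servercertificateactions:renew"})
RENEW_ADDITIONAL = frozenset({"certificate:server:columns",
                              "certificate:server:export"})


def missing_rules(held, required):
    """Required rules the entity lacks, sorted for review."""
    return sorted(set(required) - set(held))


def matching_entities(entities, required):
    """All-or-nothing: names holding every required rule; extras are ignored."""
    return sorted(n for n, held in entities.items()
                  if not missing_rules(held, required))


# Constructed rule sets for the page's role1..role4 rows. role4 is assumed
# to hold four of the eight rules.
DISCOVERY_ROLES = {
    "role1": {PREFIX + "networks:add_modify"},
    "role2": set(NETWORK_DISCOVERY_MANAGE),
    "role3": set(NETWORK_DISCOVERY_MANAGE) | RENEW_ADDITIONAL,
    "role4": {PREFIX + "networks:add_modify", PREFIX + "networks:delete",
              PREFIX + "settings:add_modify", PREFIX + "settings:delete"},
}
RENEW_ROLES = {
    "role1": set(RENEW_ADDITIONAL),           # additional rules only, no core
    "role2": set(RENEW_CORE),                 # core only
    "role3": set(RENEW_CORE | RENEW_ADDITIONAL),
}

if __name__ == "__main__":
    print(matching_entities(DISCOVERY_ROLES, NETWORK_DISCOVERY_MANAGE))
    for role in ("role1", "role4"):  # excluded, yet each still holds some rules
        print(role, "lacks", missing_rules(DISCOVERY_ROLES[role], NETWORK_DISCOVERY_MANAGE))
    print(matching_entities(RENEW_ROLES, RENEW_CORE))
```

A role left out of the result can still hold some of the internal rules, so an access review built on these listings should not read exclusion as "no access"; `missing_rules` shows what an excluded role lacks.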
approvalApplicable is set to true for this use case. Renew requests are routed through the certificate_renew_request approval workflow before the renewal is processed. A role must have the renew permission and be included in the approval workflow to complete the operation.
Product limitations
Unsupported query patterns
- Cross-entity OR: Infinity AI does not support OR (union) logic across different entity types (for example, role OR user group).
- Mixed-entity result grids: A single grid returns only one entity type. Infinity AI cannot mix users and user groups in the same grid.
- Search across relationship columns: In-grid search matches only the primary column of the result entity.
- Partial-permission matches: Entities that hold only some of a permission's internal rules are not returned.
Unsupported example prompts
- Show permissions that the CLM Requester role or the DevOps user group have.
- List roles that user john.doe has or that are in the QA Team user group.
Reason: Each prompt requires merging results across different entity filters with OR, which is not supported.
Recommended workarounds
- Run separate queries for each entity type and review the results side by side.
- Use AND (intersection) instead. For example: Show permissions that the CLM Requester role and the DevOps user group both have.
