Unassign roles and permissions with Infinity AI

Use natural-language prompts in Infinity AI to remove a role from a user group or to remove permissions from a role. Each operation runs pre-validation, walks you through impact analysis, and applies the change only after you confirm.

To unassign RBAC entities, type a prompt in Infinity AI. Infinity AI validates the request, prompts you to review the impact, displays a summary, and removes access after you confirm.

Note: To query RBAC entities, see RBAC listing with Infinity AI. To grant access, see Assign permissions and roles with Infinity AI.

Overview

Infinity AI supports two unassignment operations, each limited to a single target per request:
  • Unassign Role from User Group: Removes one role from one target user group per request.
  • Unassign Permissions from Role: Removes up to five permissions from one target role per request.
Table 1. Unassignment operations

| Operation | What it does |
|---|---|
| Unassign a role from a user group | Removes one role from one user group, with impact analysis and your confirmation. |
| Remove permissions from a role | Removes up to five permissions from one role, with validation and dependency checking. |

Built-in safeguards

  • Pre-validation. Confirms the entities exist, counts are within limits, the role is actually assigned (or the permissions actually exist in the role), and protected entities are not targeted.
  • Impact analysis. Offers a preview of the changes before any change is made.
    • Unassign Role from User Group: Shows the permissions that will be lost and the users who will be affected.
    • Remove Permissions from Role: Shows the user groups that will be impacted by the permission removal.
  • Dependency checks. When you remove permissions from a role, Infinity AI blocks any selection that would break a permission another permission in the same role depends on.
  • Summary and confirmation. Always shows a clear summary of what will change, and waits for you to confirm before applying it.
Important: Unassignment is destructive. Once you confirm, access is removed for every affected user. Use the impact-analysis prompts to check the blast radius first.

Query Types

Both unassignment operations follow the same flow: state what to remove, let Infinity AI run pre-validation and impact analysis, and confirm the change.

Run an unassignment

  1. Open the Infinity AI pane, then enter a prompt specifying the role and user group (or the role and permissions) you want to unassign.
  2. Wait for Infinity AI to complete pre-validation. If validation fails, adjust your prompt and try again.
  3. When prompted, choose whether to review the impact (permissions that will be removed, affected users, mapped user groups).
  4. Review the summary and confirm to apply the change.
  5. When you confirm the action, Infinity AI displays the impacted user groups.
Tip: Use exact entity names. Infinity AI matches names case-insensitively, but exact names skip disambiguation.

Sample use cases

Use these prompts as quick starting points. Each prompt maps to one of the two unassignment operations.

Table 2. Quick-start prompts

| Sample prompt | Operation | Supported? |
|---|---|---|
| "Unassign Certificate_Viewer role from PKI_Users group" | Unassign a role from a user group | Yes |
| "Remove View Certificate permission from Certificate_Manager" | Remove permissions from a role | Yes (if no dependencies) |
| "Remove View and Enroll from Certificate_Manager" | Remove permissions from a role | Yes (2 permissions) |
| "Unassign Certificate_Viewer and Certificate_Manager from PKI_Users" | Unassign a role from a user group | No (multiple roles) |
| "Unassign Certificate_Viewer from PKI_Users and Cert_Admins" | Unassign a role from a user group | No (multiple user groups) |
| "Unassign role from admin usergroup" | Unassign a role from a user group | No (admin user group is protected) |
| "Remove 6 permissions from Certificate_Manager" | Remove permissions from a role | No (exceeds limit of 5) |
| "Remove View from Certificate_Manager and PKI_Admin" | Remove permissions from a role | No (multiple roles) |

Scenarios

The following sections describe each unassignment operation in detail, with the steps and the expected conversation.

Scenario 1: Unassign a role from a user group

Use this when a user group no longer needs a role, for example, after a project ends or during offboarding cleanup.

Pre-validation

Before proceeding, Infinity AI runs these checks:

  • User group count must be 1.
  • The user group must exist.
  • Role count must be 1.
  • The role must exist.
  • The user group must not be the admin user group.
  • The role must actually be assigned to the user group.

Steps

  1. Type a prompt, for example, "Unassign Certificate_Viewer from PKI_Users".
  2. Wait for Infinity AI to complete pre-validation.
  3. When asked, choose whether to view the permissions that the role will remove.
  4. When asked, choose whether to view the users in the user group who will be affected.
  5. Review the summary and confirm.

Example

You: "Unassign Certificate_Viewer from PKI_Users"
Infinity AI: Step 1: Pre-validation passed.
Infinity AI: Step 2: View the permissions that will be removed with this role?
You: Yes
Infinity AI: [permission list]
Infinity AI: View the users in PKI_Users who will be affected?
You: Yes
Infinity AI: [affected users]
Infinity AI: Step 3: Summary
Role "Certificate_Viewer" will be removed from user group "PKI_Users".
Proceed with unassignment?
You: Yes
Infinity AI: Step 4: Done.
Note: Impact-analysis steps are sequential and user-driven. Infinity AI never shows the impact automatically; each step requires your confirmation.

Scenario 2: Remove permissions from a role

Use this when you want to take permissions off a role, for example, to fix an audit finding or apply least privilege.

Pre-validation

Before proceeding, Infinity AI runs these checks:

  • Permissions count must be 5 or fewer.
  • Role name count must be exactly 1.
  • The role must exist.
  • The selected permissions must currently exist in the role.
  • None of the selected permissions can be a dependency that other permissions in the same role rely on.

Steps

  1. Type a prompt, for example, "Remove some permissions from Certificate_Manager role".
  2. Review the relevant permissions that Infinity AI lists, then select up to five to remove.
  3. Wait for Infinity AI to complete pre-validation and dependency validation. If a dependency blocks the removal, adjust your selection.
  4. Review the summary and confirm.
  5. When you confirm the action, Infinity AI displays the impacted user groups.

Example: successful removal

You: "Remove some permissions from Certificate_Manager role"
Infinity AI: Step 1: Relevant permissions in Certificate_Manager:
1. Certificate View
2. Renew Server Certificate
3. Enroll Certificate
4. Revoke Certificate
Select up to 5 permissions to remove.
You: Remove 2 and 4
Infinity AI: Step 2–4: Pre-validation and dependency checks passed.
Infinity AI: Step 5: Permissions removed successfully from Certificate_Manager role.

Example: dependency block

Role: Certificate_Manager
Permissions in role:
- Certificate View (other permissions depend on this)
- Renew Server Certificate (depends on Certificate View)
- Enroll Certificate (depends on Certificate View)

You: "Remove Enroll Certificate and Certificate View from Certificate_Manager"
Infinity AI: Validation passed for: Enroll Certificate.
Warning: Certificate View is a dependent permission for other
permissions in this role. It cannot be removed.
Adjust your selection.
Note: Infinity AI does not name the specific permission that depends on the one you tried to remove. Identify it from the role's permission list and decide whether to remove the dependent permission first.

Product behavior

Pre-validation behavior

Pre-validation runs before any change is made. If any check fails, the operation stops with a clear explanation and no data is modified.

Table 3. Pre-validation checks by operation

| Operation | Checks performed |
|---|---|
| Unassign role from user group | One user group; user group exists; one role; role exists; user group is not the admin user group; role is actually assigned to the user group. |
| Remove permissions from role | Five or fewer permissions; exactly one role; role exists; permissions currently exist in the role; no dependent-permission violations. |

Impact analysis behavior

Impact analysis is sequential and user-driven. Infinity AI never shows the impact automatically; each step is a separate prompt that you must answer before the next one appears.

  • For role unassignment, Infinity AI offers the permissions list and the affected users list in that order.
  • For permission removal from a role, Infinity AI lists the relevant permissions assigned to the role for selection. The response also displays the affected user groups before the permissions are removed.
  • You can decline any impact step and go straight to the summary.
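
An independent cross-check of the blast radius before you confirm, as an added example (not Infinity AI's or the product's own code): it computes which permissions each affected user loses net of their other groups and roles. The export format, user names, and function names are hypothetical; the data is constructed.

```python
# Constructed sample export (assumption: group membership, group-to-role and
# role-to-permission mappings can be exported from your RBAC store).
GROUP_MEMBERS = {"PKI_Users": {"alice", "bob"}, "Cert_Admins": {"bob", "carol"}}
GROUP_ROLES = {"PKI_Users": {"Certificate_Viewer"},
               "Cert_Admins": {"Certificate_Manager"}}
ROLE_PERMISSIONS = {
    "Certificate_Viewer": {"Certificate View"},
    "Certificate_Manager": {"Certificate View", "Enroll Certificate"},
}

def effective_permissions(user, group_roles):
    """Union of permissions the user holds through every group and role."""
    perms = set()
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for role in group_roles.get(group, set()):
                perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def role_unassignment_impact(role, group):
    """Per user in `group`: permissions actually lost if `role` is unassigned."""
    if role not in GROUP_ROLES.get(group, set()):
        raise ValueError(f"{role} is not assigned to {group}")
    # Simulate the change on a copy; the live mapping is never modified.
    after = {g: set(roles) for g, roles in GROUP_ROLES.items()}
    after[group].discard(role)
    return {
        user: sorted(effective_permissions(user, GROUP_ROLES)
                     - effective_permissions(user, after))
        for user in sorted(GROUP_MEMBERS[group])
    }

def groups_affected_by_role_change(role):
    """User groups mapped to `role`; all their members are in scope of a change."""
    return sorted(g for g, roles in GROUP_ROLES.items() if role in roles)
```

In the sample data, bob keeps Certificate View through Certificate_Manager in Cert_Admins, so only alice loses access when Certificate_Viewer is unassigned from PKI_Users.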

Dependent-permission validation

Some permissions require other permissions to function. For example, both Renew Server Certificate and Enroll Certificate depend on Certificate View. Infinity AI blocks the removal of any permission that other permissions in the same role depend on.

Reporting limitation. Infinity AI warns when a permission cannot be removed because it is a dependency, but does not name the dependent permission. The warning is generic by design.

Background

  • Some dependent permissions are not separate RBAC definitions.
  • Internal access-control (ACF) rules are not exposed to users.
  • Only use case names are shown to users, not the underlying permission structure.
  • If the depending permission is not a separate RBAC definition, there is no clear way to reference it in the warning.

Admin user group protection

Infinity AI cannot unassign any role from the admin user group. The check runs during pre-validation and rejects the operation immediately, with no impact analysis or summary step.

Summary and confirmation

Both operations end with a summary that names the role, the user group (or affected permissions), and the change that will be applied. No data is modified until you confirm.

Product limitations

Per-operation limits

Table 4. Unassignment limits at a glance

| Operation | Maximum per request | Notes |
|---|---|---|
| Unassign role from user group | 1 role, 1 user group | Admin user group is protected. |
| Remove permissions from role | 5 permissions, 1 role | Dependent-permission validation applies. |

Unsupported operations

  • Unassigning multiple roles in a single request.
  • Unassigning a role from multiple user groups in a single request.
  • Unassigning roles from the admin user group.
  • Removing more than five permissions in a single request.
  • Removing permissions from more than one role in a single request.
  • Removing a permission that other permissions in the same role depend on.
  • Removing certificate-group access from a user or user group through unassignment prompts.

Dependency-reporting limitation

  • Infinity AI warns when a permission cannot be removed because it is a dependency, but it does not name the dependent permission(s).
  • To work around this, open the role's permission list, identify the dependent permission(s) manually, and remove them first.
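
One way to carry out this workaround offline, as an added example (not the product's code): given a role's permission list and a dependency map, it names the permissions that block a removal and orders the removals into requests of at most five. The dependency map is an assumption, since the product does not expose it; you maintain it yourself. Names other than the page's permission names are hypothetical.

```python
from collections import defaultdict

MAX_PER_REQUEST = 5  # documented limit: five permissions per removal request

# Constructed sample data. DEPENDS_ON is an admin-maintained map (assumption).
ROLE_PERMISSIONS = {"Certificate View", "Renew Server Certificate",
                    "Enroll Certificate", "Revoke Certificate"}
DEPENDS_ON = {
    "Renew Server Certificate": {"Certificate View"},
    "Enroll Certificate": {"Certificate View"},
}

def blocking_dependents(permission, role_permissions, depends_on):
    """Permissions in the role that directly or transitively need `permission`."""
    needed_by = defaultdict(set)
    for perm, requirements in depends_on.items():
        if perm in role_permissions:
            for req in requirements:
                needed_by[req].add(perm)
    found, stack = set(), [permission]
    while stack:
        for dep in needed_by[stack.pop()]:
            if dep not in found:
                found.add(dep)
                stack.append(dep)
    return found

def plan_removal(targets, role_permissions, depends_on):
    """Ordered batches (<= 5 each); a dependent is always removed in an
    earlier request than the permission it needs (conservative ordering)."""
    unknown = set(targets) - set(role_permissions)
    if unknown:
        raise ValueError(f"not in role: {sorted(unknown)}")
    remaining = set(targets)
    for target in targets:
        remaining |= blocking_dependents(target, role_permissions, depends_on)
    batches = []
    while remaining:
        # Removable now: nothing still awaiting removal depends on it.
        ready = sorted(p for p in remaining
                       if not blocking_dependents(p, remaining, depends_on))
        if not ready:
            raise ValueError("dependency cycle in DEPENDS_ON")
        batches.append(ready[:MAX_PER_REQUEST])
        remaining -= set(batches[-1])
    return batches
```

Any permission in the plan that you did not ask to remove is a dependent; review it before sending the requests, because removing it widens the change.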