Corral
Learn > Documentation

Stay updated

Back to site

Permissions & Access Control

Corral uses a hierarchical permission model that controls who can access, configure, and publish AI agents.

Global Roles

Two global roles control access at the instance level, assigned as Entra ID app role assignments:

RoleWhat It Grants
ManagementAccess to the admin console and management APIs
Workspace.CreatorAbility to create new workspaces

Global roles are assigned in your Entra ID admin portal on the Corral app registration.

Node-Level Permissions

Within a workspace, permissions are scoped to nodes — projects and apps in the workspace hierarchy. Each node can have its own permission assignments.

PermissionWhat It Allows
ReadView the app/project and its configuration
ReadAndWriteRead + modify configuration (intelligence, connections, channels)
ReadAndPublishReadAndWrite + publish versions to production
ReadAndAssignPermissionsRead + manage who has access to this node
AllFull control

Permission Subjects

Permissions can be assigned to three subject types:

  • Users — individual Entra ID users
  • OpenID Applications — service principals for programmatic access (client credentials)
  • Invitations — pending access for users not yet in the system

Scope

Permissions are assigned per-node. They are not inherited from parent projects. If a user has ReadAndWrite on a project, that doesn’t automatically grant ReadAndWrite on apps within it.

This section is a work in progress.

Domain Enforcement

Workspaces can be associated with verified email domains via WorkspaceDomain. When domain enforcement is enabled:

  • Users from the verified domain are routed to the correct workspace on login
  • Domain users must have the Management role to access administrative functions

This ensures that organizational boundaries are respected — users from your domain land in your workspace, not someone else’s.

First User Setup

When Corral is deployed:

  1. The deploying user completes admin consent for the Entra ID app registration
  2. On first login, they create a workspace and are granted full permissions
  3. They assign Management role to other admins via Entra ID
  4. Admins assign per-app permissions to team members

Client Credentials

For programmatic access, Corral provides a full OAuth 2.0 client credentials API:

  • Create and manage client credentials at the project or app level
  • Two scopes: Management (admin APIs) and Consumer (end-user interaction)
  • Secret rotation via POST /{'{'}clientId{'}'}/regenerate-secret

Client credentials are permission subjects — they receive the same per-node permissions as users.

See Client Credentials & OAuth →.