Agent Governance

How approval flows, collection policies, and role-based access control work when managing infrastructure through the agent

Overview

Every infrastructure change the agent makes goes through the same governance layer as the rest of Bluebricks. This page covers how approval flows, policies, and permissions work in conversation.

The approval flow

When you ask the agent to make a change, the conversation follows a consistent cycle:

You describe the change: "Scale the EKS cluster in staging to 5 nodes"
The agent runs a plan: it generates the proposed changes and shows the plan output inline, including what will be created, updated, or destroyed
You review: read the plan directly in the conversation. For changes that open a pull request, see Reading a Bluebricks PR for how to interpret the output
You approve or reject: tell the agent to proceed or cancel
The agent applies or stops: on approval, the changes are applied. On rejection, nothing happens

The agent never auto-approves. Even when no policies require explicit approval, the agent presents the plan and wait for your confirmation before applying.

How collection policies surface

Collections and blueprints are part of the Bluebricks orchestration layer: collections group cloud providers with governance rules, and blueprints are the deployable units of infrastructure code. Collection owners and administrators can attach policies to collections that control what can be deployed and under what conditions.

When the agent plans a change, these policies are evaluated automatically. If a policy blocks or pauses the run, the agent explains what happened directly in the conversation.

Owner Approval

When a collection requires owner approval, the agent pauses after the plan and tells you that a collection owner must approve before the changes can be applied. If you are an owner, you can approve in the conversation. If not, the agent tells you who can.

Cost Limit

If the projected cost of a change exceeds the collection's cost limit, the agent shows the estimated cost and explain that the limit was exceeded. The change can still proceed with owner approval.

Allowed Blueprints

If you request a deployment using a blueprint or version that is not allowed in the target collection, the agent explains which constraints apply and which blueprints are available.

For full details on configuring collection policies, see Policies.

RBAC in conversation

The agent inherits your permissions. It cannot do anything you could not do yourself through the Bluebricks app or CLI.

If you lack permission to approve a run, the agent tells you and identifies who can approve
If you lack permission to deploy to a collection, the agent explains why the request was blocked
The agent never escalates privileges or bypasses role restrictions

For details on roles and permission configuration, see Roles and Permissions.

Audit trail

Every approval, rejection, and action taken through the agent is recorded. The task history captures the full conversation, including the plan output, your decision, and the result. This complements the run-level audit trail in the orchestration platform, giving you a complete record across both interfaces.

Last updated 29 days ago

Was this helpful?

Good night

hashtagOverview

hashtagThe approval flow

hashtagHow collection policies surface

hashtagOwner Approval

hashtagCost Limit

hashtagAllowed Blueprints

hashtagRBAC in conversation

hashtagAudit trail