Module: role

Role Module

Defines agent capabilities, permission boundaries, and behavioral identities (RBAC).

Status: Frozen

Usage Boundary: This page provides an evaluative summary and a canonical schema excerpt for convenience. The authoritative, versioned specification remains on docs.mplp.io. MPGC does not issue certifications, badges, or endorsements; adoption and conformance are self-assessed by the adopting organization.

Definition

Protocol Role

The normative responsibility of this module.

The Role module defines the identity and capability boundaries for agents and humans in MPLP.

It establishes who can do what — the RBAC (Role-Based Access Control) layer that governs permissions across all protocol operations.

Within the MPLP lifecycle, Role is responsible for:

  • Declaring agent identities with named roles,
  • Specifying capabilities (permissions) in a structured format,
  • Enabling authorization checks before sensitive operations,
  • Providing accountability by linking actions to roles.

Role does not perform actions; it provides the normative identity contract that authorization layers enforce.

Architecture

Interaction Model

Dependencies and event emissions.

The Role module operates as the identity and authorization layer referenced by all execution modules.

Dependents (Modules that reference Role)

  • Plan: Steps MAY specify an agent_role for assignment.
  • Collab: Participants MUST be associated with a Role.
  • Confirm: Approval requests are tied to requested_by_role and decided_by_role.
  • Dialog: Message senders are identified by role.

Emissions & Observability

  • Role assignments and capability changes MUST be traceable.
  • Authorization failures MUST be logged with the attempting role.

Usage in Golden Flows

The Role module enables authorization in:

  • Golden Flow 03 — Multi-Agent Task Coordination
  • Golden Flow 05 — Human-in-the-Loop Collaborative Review
  • Golden Flow 07 — Role-Based Access Control Enforcement

Compliance

Normative Constraints

MUST / SHOULD / MUST NOT requirements.

The following constraints are normative and MUST be enforced by any MPLP-conformant implementation:

  1. A Role MUST have a unique role_id and name.
  2. Capabilities MUST follow the resource.action format.
  3. Authorization checks MUST verify role capabilities before allowing operations.
  4. A deprecated Role MUST NOT be assigned to new participants.
  5. Role assignments MUST be traceable and auditable.
  6. Capability inheritance or delegation MUST be explicitly declared.

Failure to meet these constraints results in a non-conformant execution.

Specification

Canonical Schema

The normative JSON structure for this module.

{
  "required": [
    "meta",
    "role_id",
    "name"
  ],
  "optional": [
    "description",
    "capabilities",
    "created_at",
    "updated_at",
    "trace",
    "events",
    "governance"
  ],
  "capabilityFormat": "resource.action (e.g., plan.create)"
}

Behavior

Lifecycle

Valid states and transitions.

Status Enum

activeinactivedeprecated

Quick Links

View Full Spec← Back to Modules

Evaluation Path

Governance → Compliance → Golden Flows → Adoption Signals

Enterprise Guide Governance Compliance Golden Flows Adoption