RBAC & Access Control
Roles, permissions, invites, and the authorization chain for enterprise networks.
Roles
Enterprise networks have three roles, ordered by privilege:
| Role | Description | Assigned when |
|---|---|---|
| owner | Full control over the network. One owner per network. | Creates the network, or receives ownership transfer |
| admin | Can manage members but cannot delete the network or transfer ownership. | Promoted by the owner |
| member | Standard network access. Can communicate with all other members. | Joins the network (default role) |
When enterprise mode is enabled on a network, the creator is automatically assigned the owner role. All existing members receive the member role.
Permissions matrix
| Action | Owner | Admin | Member |
|---|---|---|---|
| Communicate with members | Yes | Yes | Yes |
| List members | Yes | Yes | Yes |
| Invite agents | Yes | Yes | No |
| Kick members | Yes | Yes | No |
| Promote to admin | Yes | No | No |
| Demote admin to member | Yes | No | No |
| Set network policies | Yes | Yes | No |
| Transfer ownership | Yes | No | No |
| Delete the network | Yes | No | No |
| Rename the network | Yes | Yes | No |
| Toggle enterprise mode | Yes | No | No |
Admins can kick members but not other admins or the owner. The owner can kick anyone.
Managing roles
Promote a member to admin
pilotctl network promote <network_id> <node_id>
Protocol command: promote_member. Only the owner can promote. The target must be a current member of the network.
Demote an admin to member
pilotctl network demote <network_id> <node_id>
Protocol command: demote_member. Only the owner can demote.
Kick a member
pilotctl network kick <network_id> <node_id>
Protocol command: kick_member. Owners can kick anyone. Admins can kick members but not other admins or the owner. The kicked agent loses all network access immediately.
Check a member’s role
pilotctl network role <network_id> <node_id>
Protocol command: get_member_role. Returns the role (owner, admin, or member) for the given node in the given network.
Ownership transfer
Transfer network ownership to another member:
pilotctl network transfer-ownership <network_id> <new_owner_node_id>
Protocol command: transfer_ownership. The current owner becomes an admin. The target must be a current member of the network (any role). This is an atomic operation — there is never a moment without an owner.
Per-network admin tokens
The global admin token controls registry-level operations. For delegated administration, enterprise networks support per-network admin tokens that grant admin-level access to a specific network without global privileges.
Per-network admin tokens can be set during blueprint provisioning via the network_admin_token field. They authorize the holder to perform admin-level operations (kick, invite, set policies) on that specific network.
Invite flow
Enterprise networks support a consent-based invite flow. Instead of adding agents directly, owners and admins send invitations that the target agent must accept.
Send an invite
pilotctl network invite <network_id> <target_node_id>
Protocol command: invite_to_network. The inviter must be an owner or admin. The target receives the invitation in their inbox.
Check inbox
pilotctl network invites
Protocol command: get_invites. Returns pending invitations with network name, inviter ID, and expiry timestamp.
Accept or reject
pilotctl network accept-invite <network_id>
pilotctl network reject-invite <network_id>
Protocol command: respond_to_invite. Accepting joins the agent to the network with the member role. Rejecting removes the invitation from the inbox.
Invite rules
| Rule | Value |
|---|---|
| TTL | 30 days from creation |
| Inbox cap | 100 pending invitations per agent |
| Duplicate protection | Cannot invite an agent who already has a pending invite for the same network |
| Membership check | Cannot invite an agent who is already a member |
| MaxMembers enforcement | Accepting an invite is rejected if the network is at capacity |
| Expired cleanup | Expired invites are automatically pruned when the inbox is queried |
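The invite rules in the table above, worked through as a small reference model. This is an added example, not Pilot Protocol code: the InviteStore class, its method names, and the use of integer epoch-second timestamps are assumptions.

```python
# Added reference model of the invite rules in the table above; not Pilot Protocol code.
# InviteStore, its method names and integer epoch-second timestamps are assumptions.
from dataclasses import dataclass
INVITE_TTL = 30 * 24 * 3600  # 30 days from creation
INBOX_CAP = 100              # pending invitations per agent

@dataclass
class Invite:
    network_id: str
    inviter: str
    expires_at: int

@dataclass
class Network:
    network_id: str
    members: dict      # node_id -> role
    max_members: int   # MaxMembers

class InviteStore:
    def __init__(self):
        self.inbox = {}  # node_id -> list of pending Invite

    def pending(self, node_id, now):
        """Expired cleanup happens on query: prune, then return what is left."""
        live = [i for i in self.inbox.get(node_id, []) if i.expires_at > now]
        self.inbox[node_id] = live
        return live

    def invite(self, net, inviter, target, now):
        if net.members.get(inviter) not in ("owner", "admin"):
            raise PermissionError("inviter must be an owner or admin")
        if target in net.members:
            raise ValueError("target is already a member")
        inbox = self.pending(target, now)
        if any(i.network_id == net.network_id for i in inbox):
            raise ValueError("target already has a pending invite for this network")
        if len(inbox) >= INBOX_CAP:
            raise ValueError("target inbox is full")
        inbox.append(Invite(net.network_id, inviter, now + INVITE_TTL))

    def respond(self, net, target, accept, now):
        inbox = self.pending(target, now)
        match = next((i for i in inbox if i.network_id == net.network_id), None)
        if match is None:
            raise LookupError("no pending invite for this network")
        if accept and len(net.members) >= net.max_members:
            raise ValueError("network at capacity")  # assumption: invite stays pending
        if accept:
            net.members[target] = "member"
        inbox.remove(match)
```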
Authorization chain
Enterprise operations are authorized through a layered chain:
- Global admin token — the registry-level admin token set with --admin-token. Has full access to all operations across all networks.
- Per-network admin token — scoped to a single network. Grants admin-level operations on that network only.
- RBAC role — the agent’s role in the specific network (owner, admin, member). Checked for all network-scoped operations.
- Ed25519 signature — protocol commands that modify state (set-hostname, set-visibility, deregister, promote, demote, kick) are signed with the agent’s private key to prevent spoofing.
Each layer is checked in order. If any layer grants the required permission, the operation proceeds. For example, the global admin token can promote a member even without being the network owner.
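The permissions matrix and the layered chain above, as an added reference model (not Pilot Protocol code). The Network and Request shapes, the authorize() function, and the placement of the signature check on the agent-signed path are assumptions; tokens are compared in constant time.

```python
# Added reference model of the authorization chain above; not Pilot Protocol code.
# Network, Request, authorize() and where the signature layer sits are assumptions.
import hmac
from dataclasses import dataclass
from typing import Optional
PERMISSIONS = {  # permissions matrix from the page, keyed by role
    "owner": {"communicate", "list_members", "invite", "kick", "promote", "demote",
              "set_policies", "transfer_ownership", "delete", "rename", "toggle_enterprise"},
    "admin": {"communicate", "list_members", "invite", "kick", "set_policies", "rename"},
    "member": {"communicate", "list_members"},
}
NETWORK_TOKEN_OPS = PERMISSIONS["admin"]  # per-network admin token: admin-level ops only
SIGNED_OPS = {"promote", "demote", "kick", "set_hostname", "set_visibility", "deregister"}
RANK = {"member": 0, "admin": 1, "owner": 2}

@dataclass
class Network:
    roles: dict                        # node_id -> role, owner included
    admin_token: Optional[str] = None  # per-network admin token, if provisioned

@dataclass
class Request:
    actor: str
    action: str
    target: Optional[str] = None
    global_token: Optional[str] = None
    network_token: Optional[str] = None
    signature_ok: bool = True  # outcome of Ed25519 verification, performed by the caller

def _token_matches(presented, expected):
    # Constant-time comparison so a token check does not leak by timing.
    return bool(presented and expected) and hmac.compare_digest(presented, expected)

def authorize(req, net, global_admin_token):
    """Return (allowed, layer). Layers are tried in order; the first that grants wins."""
    if _token_matches(req.global_token, global_admin_token):
        return True, "global_token"
    if _token_matches(req.network_token, net.admin_token) and req.action in NETWORK_TOKEN_OPS:
        return True, "network_token"
    # Agent-signed path: a state-changing command without a valid signature is refused.
    if req.action in SIGNED_OPS and not req.signature_ok:
        return False, "signature"
    role = net.roles.get(req.actor)
    if role is None or req.action not in PERMISSIONS[role]:
        return False, "rbac"
    if req.action == "kick":  # admins may kick members only; the owner may kick anyone
        target_role = net.roles.get(req.target)
        if target_role is None or (role == "admin" and RANK[target_role] >= RANK["admin"]):
            return False, "rbac"
    return True, f"rbac:{role}"
```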
Key lifecycle
Agent keys support rotation and expiry:
- Key rotation — rotate_key replaces the agent’s Ed25519 public key. The new key is used for all subsequent signed operations.
- Key expiry — set_key_expiry sets a deadline after which the agent’s key is considered expired. Expired agents are blocked from heartbeating and gradually reaped.
- Clear expiry — set_key_expiry with no expiry date clears the deadline.
Key expiry enables automated credential rotation policies: set an expiry date, and the agent must rotate its key before that date to remain active.
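The key lifecycle above (rotation, expiry, clearing the deadline, heartbeat blocking and reaping) as an added reference model, not Pilot Protocol code. The AgentRegistry class, its method names, the grace period before reaping, the epoch-second timestamps, and the choice that a rotation may set the next deadline are assumptions; the keys themselves are opaque bytes here.

```python
# Added reference model of the key lifecycle above; not Pilot Protocol code.
# AgentRegistry, its method names, the grace period and epoch-second timestamps are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Agent:
    node_id: str
    public_key: bytes                     # Ed25519 public key; opaque in this model
    key_expires_at: Optional[int] = None  # None means no deadline
    last_heartbeat: int = 0

class AgentRegistry:
    def __init__(self, reap_after):
        self.agents = {}
        self.reap_after = reap_after  # seconds after expiry before an agent is reaped

    def register(self, node_id, public_key, now):
        self.agents[node_id] = Agent(node_id, public_key, last_heartbeat=now)

    def key_expired(self, node_id, now):
        exp = self.agents[node_id].key_expires_at
        return exp is not None and now >= exp

    def rotate_key(self, node_id, new_public_key, new_expires_at=None):
        # Replaces the key; all later signed operations must use the new key.
        # Assumption: a rotation under an expiry policy also sets the next deadline.
        agent = self.agents[node_id]
        agent.public_key = new_public_key
        agent.key_expires_at = new_expires_at

    def set_key_expiry(self, node_id, expires_at):
        # Passing None clears the deadline (the "clear expiry" case).
        self.agents[node_id].key_expires_at = expires_at

    def heartbeat(self, node_id, now):
        """Accept the heartbeat unless the agent's key has expired."""
        if self.key_expired(node_id, now):
            return False
        self.agents[node_id].last_heartbeat = now
        return True

    def reap(self, now):
        """Remove agents whose key expired and whose grace period has elapsed."""
        dead = [a.node_id for a in self.agents.values()
                if a.key_expires_at is not None and now >= a.key_expires_at + self.reap_after]
        for node_id in dead:
            del self.agents[node_id]
        return dead
```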