Enable Role Masking for Agents

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Use a system property to enable the role masking feature.

    Use the identity.agent.role_masking.enabled system property to enable the role masking feature. Role masking limits the roles that an AI agent uses when executing tasks. This configuration helps to prevent unnecessary access to resources not needed within the context of an agent. When this property isn't set to true, agents automatically inherit all roles from the user invoking them, potentially increasing the risk of privilege escalation and accidental data exposure.

    Ensure that the identity.agent.role_masking.enabled system property exists in the System Properties [sys_properties] table and is set to a value of true.

    More information

    Attribute Description
    Configuration name identity.agent.role_masking.enabled
    Configuration type System Properties (/sys_properties_list.do)
    Data type Boolean
    Recommended value true
    Default value true
    Fallback value false
    Category Access control
    Security risk
    • Severity score: 5
    • CVSS score: Medium
    • Security risk details: When this property isn’t set to true, agents automatically inherit all roles from the user invoking them. It may increase the risk of privilege escalation and accidental data exposure.
    Functional Impact If misconfigured, restrictive role masking may block intended access to a resource.
    Dependencies and prerequisites None