Get an agent's access control list | Kibana API documentation

Get an agent's access control list Added in 9.5.0

GET /api/agent_builder/agents/{id}/acl

Spaces method and path for this operation:

get /s/{space_id}/api/agent_builder/agents/{id}/acl

Refer to Spaces for more information.

Get the access control list (ACL) for a specific agent. Callers without permission to manage the ACL receive can_manage: false and an empty entries list — the principal list itself is sensitive. To learn more about agents, refer to the agents documentation.

[Required authorization] Route required privileges: agentBuilder:read.

Path parameters

id string Required

The unique identifier of the agent whose ACL to retrieve.

Responses

200 application/json

Indicates a successful response
404 application/json

Not Found — no agent with this ID is visible to the caller. Matches the existing agentNotFound shape, so unprivileged callers cannot probe for hidden agents.

GET /api/agent_builder/agents/{id}/acl

curl \
  -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}/acl" \
  -H "Authorization: ApiKey ${API_KEY}"

GET kbn://api/agent_builder/agents/{id}/acl

Response examples (200)

Example response for a caller without manage permission — the principal list is hidden and `entries` is always empty.

{
  "acl": {
    "entries": []
  },
  "can_manage": false
}

Example response for a caller who can manage the ACL — the agent has two grantees.

{
  "acl": {
    "entries": [
      {
        "name": "alice",
        "role": "editor",
        "type": "user"
      },
      {
        "name": "bob",
        "role": "user",
        "type": "user"
      }
    ]
  },
  "can_manage": true
}

Response examples (404)

{
  "attributes": {
    "trace_id": "8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e"
  },
  "error": "Not Found",
  "message": "Agent custom-agent-id not found",
  "statusCode": 404
}