No user can execute an action outside the scope of the credentials and permissions that admins and data owners have explicitly granted.
The vast majority of Credal’s action providers are user-scoped. This means that the credentials of the user executing the action are used when accessing the action provider. Thus, in a standard action configuration¹, it’s impossible for the invoking user to perform an operation that they were not already authorized to perform directly in the provider, without Credal.
These action providers, including Salesforce, GitHub, and Notion, are considered low-risk and thus have minimal restrictions.
For action-scoped credential providers, the access pattern centers not around individual users, but around different credentials¹. These credentials are attached directly to actions, allowing anyone with access to an agent with that action to use the associated credentials.
This is an unusual access pattern and is considered to be higher-risk than user-scoped action usage because it enables users to perform actions that they may not have permissions for in the underlying system.
Admin Guidance: Only enable action-scoped credential providers if you are confident they are safe for your organization. Users who can access agents with these actions will be able to execute operations using the shared credentials, regardless of their individual permissions in the underlying system.
Providers in this category include:
¹There are instances where you’d want to have multiple credentials for a provider used in different actions, such as when you need a credential per role in each system.
One special case of an action-scoped credential provider is our OpenAPI action provider, which contains an action (“Webhook”) that can be configured to make an arbitrary API request. Due to the risk posed by arbitrary changes to the specification, only admins can modify and publish these actions.
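To make the difference between the two scopes described above concrete, the sketch below (an added example, not Credal's code or API) models which identity a provider sees under each scope and lists the operations a user can reach through an agent but could not perform directly. The provider name `shared-provider`, the credential `svc-editor`, the users, the agent, and all permission strings are constructed for illustration.

```python
# Added illustration; not Credal's API. All names and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    name: str
    provider: str
    required: str         # permission the operation needs in the provider
    scope: str            # "user" or "action"
    credential: str = ""  # shared credential name when scope == "action"

# What each user may do directly in each provider (constructed sample data).
USER_PERMS = {
    ("alice", "notion"): {"page:read", "page:write"},
    ("bob", "notion"): {"page:read"},
    ("alice", "shared-provider"): {"record:read"},  # bob has no account there
}
# What each shared, action-scoped credential may do (constructed sample data).
CREDENTIAL_PERMS = {"svc-editor": {"record:read", "record:write"}}

def effective_perms(action, user):
    """Permissions of the identity the provider actually sees for this call."""
    if action.scope == "user":
        return USER_PERMS.get((user, action.provider), set())
    return CREDENTIAL_PERMS.get(action.credential, set())

def can_execute(action, user):
    return action.required in effective_perms(action, user)

def find_escalations(agents):
    """(agent, user, action) triples the user could not perform directly."""
    findings = []
    for agent, (users, actions) in agents.items():
        for user in users:
            for action in actions:
                direct = USER_PERMS.get((user, action.provider), set())
                if can_execute(action, user) and action.required not in direct:
                    findings.append((agent, user, action.name))
    return findings

EDIT_PAGE = Action("edit_page", "notion", "page:write", "user")
UPDATE_RECORD = Action("update_record", "shared-provider", "record:write",
                       "action", "svc-editor")
AGENTS = {"ops-agent": (["alice", "bob"], [EDIT_PAGE, UPDATE_RECORD])}

if __name__ == "__main__":
    for finding in find_escalations(AGENTS):
        print("exceeds direct permissions:", finding)
```

In this model, findings can only come from action-scoped actions, which is why access to agents carrying them deserves the same review as access to the shared credential itself.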
Human Approval is a layer on top of Credal’s action security model that enables additional action governance and unlocks more complex action use cases. You can also control what information the AI sees and fills in using Action Parameters — including locking fields to fixed values or injecting user identity automatically.
Separately from respecting the permissions of a user in an action provider’s underlying system, it’s often important to be able to double-check an agent’s work before performing an operation in that system. For instance, a user may want to validate the phrasing used when invoking an action to modify a Notion document on company expense policies.
In other cases, it may be desirable for users to kick off an action invocation despite not having the permissions in the underlying system to execute that action. Using the human approval flow, it’s possible to request that someone with those permissions approve the action and execute it on the original user’s behalf.
Learn more about this flow: Human Approval Options
We’re actively developing additional security and governance capabilities. If you’d like early access to any of these features, please contact us at support@credal.ai: