This is a submission for the Permit.io Authorization Challenge: AI Access Control

What We Built

🚀 SkyRulers – AI-Powered Drone Parts Ordering with Fine-Grained Access Control

We built an e-commerce web app who's workflows from making an order to receiving confirmation all are controlled by AI! We leveraged React for a beautiful and responsive front end and spring boot for an AI powered back end. However when AI is the back-bone of your back-end there needs to be some safeguards. Keep reading to see how we accomplished this!

🔐 Authorization with Permit.io

SkyRulers integrates Permit.io for robust RBAC (Role-Based Access Control) to securely manage actions performed by human users and AI agents in the ordering workflow.

👤 User Authorization Model

🧑‍💼 Supervisor (Auto-approved for this demo)

Permissions:

• Approve or reject part substitutions.
• View all emails and order history.

Capabilities:

• Manage Orders: Approve or reject orders and substitutions.
• Review Substitutions: Approve or modify suggested part substitutions.
• Monitor Emails: Track all emails related to orders and substitutions.
• Audit Logs: Access logs for full accountability.

🧑 Client (User)

Permissions:

• Approve quotes.
• Place orders.
• Interact with order-related emails.

Restrictions:

• ❌ Cannot modify orders or substitutions directly.

Capabilities:

• Approve Quotes: Accept or reject final quotes sent by the system.
• Track Orders: View status and history of past orders.
• Email Interaction: Respond to order and quote emails.

🤖 AI Agent Authorization Model

Each AI agent in the system has a distinct role with tightly scoped permissions.

🧠 PartPickerAI

Parses emails and suggests part substitutions.

Permissions:

• read_emails
• suggest_substitution
• send_emails

🧠 ApprovalAgent

Handles approval workflow initiation and communication.

Permissions:

• read_emails
• suggest_substitution
• initiate_approval_workflow
• send_emails

🤖 BuilderBot

Finalizes orders after necessary approvals.

Permissions:

• read_emails
• send_emails
• create_order
• modify_orders

🧩 AI Capabilities Explained

🔁 Workflow Diagram

📊 View the full workflow diagram →

✅ Example Authorization Workflow

1. Order Request

   • PartPickerAI receives an email → parses it and suggests substitutions.
   • ApprovalAgent reads and sends the substitution to the Supervisor.

2. Supervisor Approval (Auto-approved in this build)

   • Approves or rejects substitutions.
   • Approved orders move forward.

3. Client Approval

   • BuilderBot generates a quote and sends it via email.
   • Client must approve it.

4. Finalize Order

   • Once approved, BuilderBot finalizes the order and sends confirmation.

⚙️ Permit.io Implementation Summary

Note: Due to time constraints and limited Java SDK documentation, some features are pending full integration.

✅ What’s Implemented:

• Basic Permit.io integration in AI agent services.
• Authorization checks for inventory access.

🔧 Planned Features:

• Full enforcement of role-based permissions.
• Real-time permission updates from Permit.io dashboard.
• Dynamic AI access control.
• Detailed audit logging for AI and human actions.

📌 Permit.io Setup Steps (Summary)

1. Create Roles in Permit.io Dashboard:

   • supervisor, client, PartPickerAI, ApprovalAgent, BuilderBot

2. Define Permissions:

   • Use Permit.io’s policy builder to assign granular capabilities.

3. Enforce Permissions in Code:

   • Using Permit SDK’s .check() method to gate critical actions.

4. Enable Audit Logs:

   • Activate logging for transparency and traceability.

📬 Feedback & Contributions

Pull requests welcome! If you have suggestions or improvements for integrating advanced AI authorization in Java using Permit.io, feel free to contribute.

🔗 Related Resources

• Permit.io Java SDK Docs
• Spring Boot Starter Guide
• Gemini AI for Java

Demo

Project Repo

TEAM MEMBERS: @albajarazeth,@mariano_gongora_ee3aff3bd