Security & Permissions

Multi-Layer Security for AI Agents

SyncNow AI Features use a sophisticated multi-layer permission model to ensure AI agents respect both SyncNow access controls and your work system security policies. Every query is validated at multiple levels before returning data.


Overview

AI agent security operates on two independent layers:

  1. Layer 1: SyncNow AIAgentPermission - Controls what AI features users can access
  2. Layer 2: Work System Permissions - Validates actual permissions in Jira, Azure DevOps, ServiceNow, etc.

Both layers must approve before data is returned. This "secure by default" approach ensures:

  • ✅ Users only see data they're authorized to access
  • ✅ AI agents cannot bypass existing security policies
  • ✅ Full audit trail of all AI agent actions
  • ✅ Granular control over AI capabilities

Permission Layers Explained

Layer 1: SyncNow AIAgentPermission

What it controls: Which AI features a user or group can use within SyncNow.

Permissions:

Permission | Description | Default
AI Query | Ask questions to AI agents | ❌ Disabled

Example:

User Sarah has: AI Query ✓
→ Sarah can query work items across connected work systems

Layer 2: Work System Permissions

What it controls: Which data from work systems (Jira, Azure DevOps, etc.) the user can see.

How it works:

  1. User asks AI agent a question
  2. AI agent queries the work system API using the user's credentials
  3. Work system applies its native permission model
  4. Only authorized data is returned

Example:

User John asks: "Show me all issues in project SECURE-PROJ"

Work System Check (Jira):
- John's Jira account → Not a member of SECURE-PROJ
- Jira returns: Permission Denied

AI Response:
"You don't have access to project SECURE-PROJ. Please contact your Jira administrator."

How Permissions Are Checked

Query Flow

┌─────────────────────────────┐
│ User Query                  │
│ "Show me..."                │
└─────────────┬───────────────┘
              │
              ▼
┌─────────────────────────────┐
│ Layer 1: AIAgentPermission  │
│ Does user have AI Query?    │
└─────────────┬───────────────┘
              │ ✓ Yes
              ▼
┌─────────────────────────────┐
│ Layer 2: Work System Check  │
│ Query Jira using user's     │
│ credentials and permissions │
└─────────────┬───────────────┘
              │
              ├─ ✓ Has access → Return data
              │
              └─ ✗ No access → "Permission Denied"

Permission Scenarios

Scenario 1: Full Access

User: Alice
AIAgentPermission: AI Query ✓
Jira Permission: Admin of all projects
Azure DevOps Permission: Project Collection Administrator

Query:

Show me all critical bugs from Jira and Azure DevOps

Result:

✓ Layer 1: Alice has AI Query permission
✓ Layer 2 (Jira): Alice has access to all projects
✓ Layer 2 (Azure DevOps): Alice has access to all projects

Response: 45 critical bugs
- Jira: 28 bugs
- Azure DevOps: 17 bugs

Scenario 2: Partial Access

User: Bob
AIAgentPermission: AI Query ✓
Jira Permission: Member of DEV project only
Azure DevOps Permission: No access to Security area

Query:

Show me all confidential issues from Jira and Azure DevOps

Result:

✓ Layer 1: Bob has AI Query permission
✓ Layer 2 (Jira): Bob has access to DEV project (12 items)
✗ Layer 2 (Azure DevOps): Bob lacks access to Security area (0 items)

Response: 12 confidential issues from Jira DEV project
⚠ Note: Some Azure DevOps results hidden due to permissions

Scenario 3: No AI Permission

User: Carol
AIAgentPermission: AI Query ✗ (not granted)
Jira Permission: Admin (doesn't matter)
Azure DevOps Permission: Admin (doesn't matter)

Query:

Show me all my assigned work items

Result:

✗ Layer 1: Carol does not have AI Query permission

Response: "You don't have permission to use AI Query features.
Contact your SyncNow administrator to request access."

(Layer 2 is never checked because Layer 1 failed)

Scenario 4: No Work System Access

User: Dave
AIAgentPermission: AI Query ✓
Jira Permission: None (not a Jira user)
Azure DevOps Permission: Basic access (public repos only)

Query:

Show me issues from the PRIVATE-PROJ project

Result:

✓ Layer 1: Dave has AI Query permission
✗ Layer 2 (Jira): Dave has no Jira account
✗ Layer 2 (Azure DevOps): PRIVATE-PROJ is not accessible

Response: "No results found. You may not have access to the requested projects.
- Jira: No account configured
- Azure DevOps: Access denied to PRIVATE-PROJ"
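
The query flow and scenarios above, modelled as an added example (not SyncNow's code): the in-memory permission tables and the names `fetch_as_user` and `ai_query` are hypothetical. It shows Layer 1 short-circuiting before any work-system call, and Layer 2 failing closed per work system so that partial access returns only the permitted items.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for each work system's native permission model:
# container (project/area) -> users that system itself would allow.
WORK_SYSTEMS = {
    "Jira": {"DEV": {"alice", "bob"}, "SECURE-PROJ": {"alice"}},
    "Azure DevOps": {"Security": {"alice"}},
}
AI_QUERY_GRANTED = {"alice", "bob", "dave"}  # Layer 1; absent means disabled
layer2_calls = []  # every work-system call, to show that Layer 1 short-circuits

@dataclass
class Decision:
    layer1: bool
    layer2: dict = field(default_factory=dict)  # "system/container" -> approved?
    items: list = field(default_factory=list)
    note: str = ""

def fetch_as_user(system, user, container):
    """Hypothetical per-user API call; the work system decides, not the agent."""
    layer2_calls.append((system, user, container))
    if user not in WORK_SYSTEMS[system].get(container, set()):
        raise PermissionError(f"{system}: access denied to {container}")
    return [f"{system}/{container}/item-1"]

def ai_query(user, targets):
    """Run both layers for targets = [(system, container), ...], failing closed."""
    if user not in AI_QUERY_GRANTED:
        return Decision(False, note="No AI Query permission; Layer 2 not checked")
    decision = Decision(True)
    for system, container in targets:
        key = f"{system}/{container}"
        try:
            decision.items += fetch_as_user(system, user, container)
            decision.layer2[key] = True
        except Exception:  # denial, error, unknown system: all count as "no"
            decision.layer2[key] = False
    hidden = [k for k, ok in decision.layer2.items() if not ok]
    if hidden:
        decision.note = "Some results hidden due to permissions: " + ", ".join(hidden)
    return decision
```
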

Configuring AIAgentPermission

For Individual Users

  1. Navigate to User Management
    • Go to Settings → Users & Permissions
  2. Select User
    • Click on the user you want to configure
  3. Assign AI Permissions
    • Under AI Permissions section:
      • AI Query - Enable AI querying
  4. Save Changes
    • Click Save
    • User can immediately start using granted permissions

For Groups

  1. Navigate to Group Management
    • Go to Settings → Groups
  2. Select or Create Group
    • e.g., "Development Team", "Project Managers"
  3. Assign AI Permissions to Group
    • Set permissions for the entire group
    • All group members inherit these permissions
  4. Add Users to Group
    • Users automatically receive group AI permissions

Example Groups:

Group | AI Query
Developers
Project Managers
Read-Only Users

Work System Permission Integration

How SyncNow Validates Work System Permissions

AI agents use the same credentials and API access that your connectors use. This means:

  • ✅ Respects all native work system security rules
  • ✅ No separate permission model to maintain
  • ✅ Changes in work system permissions are immediately reflected
  • ✅ Supports all work system permission types (projects, areas, sprints, etc.)

Supported Work Systems

Work System | Permission Model | Supported
Jira | Project roles, issue security | ✓ Full
Azure DevOps | Area paths, iteration paths, security namespaces | ✓ Full
ServiceNow | ACLs, data policies | ✓ Full
GitHub | Repository access, team membership | ✓ Full
GitLab | Project members, groups | ✓ Full

Audit Trail

All AI agent actions are logged for security and compliance.

What Is Logged

  • User identity - Who made the query
  • Timestamp - When the query was made
  • Query text - What was asked
  • Permission checks - Results of both layers
  • Data accessed - Which work systems and projects
  • Response summary - Number of items returned

Viewing Audit Logs

  1. Navigate to Audit Logs
    • Go to Settings → Audit Logs
  2. Filter by AI Agent Activity
    • Select Activity Type → "AI Agent Query"
  3. View Details
    • Click any log entry to see full details

Example Audit Entry:

Timestamp: 2026-02-18 14:32:15 UTC
User: alice@company.com
Permission: AI Query
Query: "Show me all critical bugs from Jira"
Layer 1: APPROVED (AI Query permission)
Layer 2: APPROVED (Jira projects: DEV, QA, PROD)
Results: 45 items returned
Work Systems: Jira (45)
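
One way to review exported entries of this shape, as an added example that is not part of SyncNow: the blank-line-separated text export, the `DENIED` status word and all function names are assumptions. It flags entries where data was returned although Layer 1 did not approve, and users with repeated Layer 2 denials.

```python
import re
from collections import Counter

# Constructed entries in the "Key: value" layout of the audit entry above.
OK = """Timestamp: 2026-02-18 14:32:15 UTC
User: alice@company.com
Layer 1: APPROVED (AI Query permission)
Layer 2: APPROVED (Jira projects: DEV, QA, PROD)
Results: 45 items returned"""
DENIED_L2 = """User: dave@company.com
Layer 1: APPROVED (AI Query permission)
Layer 2: DENIED (Jira project: PRIVATE-PROJ)
Results: 0 items returned"""
BROKEN = """User: carol@company.com
Layer 1: DENIED (no AI Query permission)
Results: 5 items returned"""
SAMPLE = "\n\n".join([OK, DENIED_L2, DENIED_L2, DENIED_L2, BROKEN])

def parse_entries(text):
    """Split on blank lines, then on the first ':' of each line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip(): v.strip() for k, sep, v in fields if sep})
    return entries

def status(entry, layer):
    """First word of the layer field; a missing field is never 'APPROVED'."""
    return entry.get(layer, "").split(" ", 1)[0]

def result_count(entry):
    match = re.match(r"\d+", entry.get("Results", ""))
    return int(match.group()) if match else 0

def review(entries, denial_threshold=3):
    """Return (entries breaking the two-layer rule, users with repeated Layer 2 denials)."""
    violations, denials = [], Counter()
    for e in entries:
        l1, l2 = status(e, "Layer 1"), status(e, "Layer 2")
        if l1 != "APPROVED" and (result_count(e) > 0 or l2 == "APPROVED"):
            violations.append(e)  # data or a Layer 2 pass without Layer 1
        elif l1 == "APPROVED" and l2 == "DENIED":
            denials[e.get("User", "unknown")] += 1
    repeated = sorted(u for u, n in denials.items() if n >= denial_threshold)
    return violations, repeated
```
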

Best Practices

1. Principle of Least Privilege

Only grant AI Query permission to users who need it.

2. Use Groups for Easier Management

Create permission groups instead of configuring users individually.

Example:

Group: "Engineering" → AI Query: ✓
Group: "Read-Only" → AI Query: ✗

3. Review Permissions Regularly

Audit AI permissions quarterly or when roles change.

4. Leverage Work System Security

Don't duplicate permission rules—let work systems enforce their own security.

5. Enable Audit Logging

Always keep audit logs enabled for compliance and troubleshooting.

6. Test Permissions

Have users test their AI access after configuration changes.


Troubleshooting

"Permission denied" errors

Check Layer 1:

  1. Go to Settings → Users & Permissions
  2. Verify user has AI Query permission
  3. Check group memberships

Check Layer 2:

  1. Verify user can access the data in the work system directly (Jira, Azure DevOps, etc.)
  2. Test work system permissions outside of AI features
  3. Ensure connector credentials are current

Some results are missing

Possible causes:

  • User has partial access (some projects but not all)
  • Work system permissions changed recently
  • Data exists in projects/areas user cannot access

Solution:

  • Review work system permissions
  • Use more specific queries targeting accessible projects

"No results found" but data should exist

Verify:

  1. User has AIAgentPermission (Layer 1)
  2. User has work system access (Layer 2)
  3. Connector is active and syncing
  4. Query syntax is correct

Security FAQs

Can AI agents access more data than users?

No. AI agents always query using the user's credentials and can only access data the user has permission to see.

What happens if work system permissions change?

Immediate effect. AI agents check permissions in real-time, so changes in Jira, Azure DevOps, etc. are reflected instantly.

Can admins see other users' queries?

Yes, via audit logs. SyncNow administrators can view all AI agent activity in the audit log for security and compliance.

Are API tokens secure?

Yes. Connector credentials are encrypted at rest and in transit. AI agents use the same secure credential storage as normal sync operations.

Can I restrict AI agents to specific projects?

Yes, at the work system level. Configure the connector credentials with limited project access, and AI agents will inherit those restrictions.

Do AI permissions affect normal SyncNow sync?

No. AIAgentPermission only controls AI features. Regular sync processes and UI access are unchanged.



What's Next?


Multi-layer security ensures AI agents are both powerful and safe. For enterprise security requirements, contact your SyncNow representative.