1. Add RBAC Config to the Worker Manager
Add aniii-worker-manager entry with RBAC config to your engine config file. At minimum you need a port and an expose_functions list inside rbac:
iii-config.yaml
api:: on port 49135 with no authentication.
2. Write an Auth Function
For production, authenticate workers by registering a function that validates credentials from the WebSocket upgrade request. The function receives anAuthInput and must return an AuthResult.
- Node / TypeScript
- Python
- Rust
Function Registration Prefix
The auth function can optionally return afunction_registration_prefix string. When present, the engine automatically prefixes every function ID registered by this worker with {prefix}::. Trigger registrations also auto-prefix the function_id they reference. When the engine dispatches a function invocation back to the worker, the prefix is stripped so the worker SDK finds the correct local handler. This provides transparent namespace isolation per session without the worker needing to manage prefixes.
Update your config to reference the auth function:
iii-config.yaml
3. Write a Middleware Function (Optional)
A middleware sits between the worker and the target function. Use it for validation, rate limiting, audit logging, or enriching the payload with auth context. The function receives aMiddlewareFunctionInput.
- Node / TypeScript
- Python
- Rust
middleware_function_id sits at the config level, not inside rbac:
iii-config.yaml
4. Connect a Worker
The RBAC port speaks the standard iii engine protocol. Connect using the SDK:- Node / TypeScript
- Python
- Rust
5. Use Channels Through the RBAC Port
Channels work on the RBAC port exactly as they do on the main engine port. The SDK’screateChannel() works without changes:
/ws/channels/{channel_id} on the same port, so channel data flows through the secure port without exposing the main engine’s channel endpoint.
6. RBAC for Trigger Registration
Workers connecting through the RBAC port can register trigger types and triggers, subject to access control.Auth Result Fields
The auth function controls trigger access via two fields inAuthResult:
allowed_trigger_types— List of trigger type IDs this worker can register triggers for. When omitted, all types are allowed.allow_trigger_type_registration— Whether this worker can register new trigger types.
Registration Hook Functions
For fine-grained control, configure hook functions that are called before each registration:iii-config.yaml
- Node / TypeScript
- Python
- Rust
Expose Functions by Metadata
If your functions register metadata, you can use metadata filters instead of (or in addition to) wildcard patterns:- Node / TypeScript
- Python
- Rust
iii-config.yaml
Types Reference
All three SDKs export the following types for RBAC functions.AuthInput
Input passed to the auth function during the WebSocket upgrade.AuthResult
Return value from the auth function. Controls access and passes context to middleware.MiddlewareFunctionInput
Input passed to the middleware function on every invocation through the RBAC port.OnTriggerTypeRegistrationInput
Input passed to theon_trigger_type_registration_function_id hook. Return an OnTriggerTypeRegistrationResult or throw to deny.
OnTriggerTypeRegistrationResult
Result returned from theon_trigger_type_registration_function_id hook. Omitted fields keep the original value.
OnTriggerRegistrationInput
Input passed to theon_trigger_registration_function_id hook. Return an OnTriggerRegistrationResult or throw to deny.
OnTriggerRegistrationResult
Result returned from theon_trigger_registration_function_id hook. Omitted fields keep the original value.
OnFunctionRegistrationInput
Input passed to theon_function_registration_function_id hook. Return an OnFunctionRegistrationResult or throw to deny.
OnFunctionRegistrationResult
Result returned from theon_function_registration_function_id hook. Omitted fields keep the original value.
Full Example Config
iii-config.yaml
Only expose the RBAC port (49135) to external networks. The main engine port (49134) and stream port (3112) should remain internal. Use firewall rules or network policies to enforce this.