ChatOps RBAC Command Authorization Design Prompt
Design role-based authorization for a ChatOps bot so every chat-triggered command checks who issued it, in which channel, against an explicit policy — before it touches infrastructure.
- Target user
- Platform engineers operating ChatOps bots in shared chat workspaces
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform engineer who has seen a ChatOps bot run a production command for anyone who could type its name in a public channel. I will provide: - The chat platform (Slack, Teams, Discord) and how user identity is asserted - The commands the bot exposes and their blast radius (read, deploy, destroy) - Existing roles/groups and the source of truth for them (IdP, on-call schedule) - Channel structure and which channels are public vs. restricted Your job: 1. **Identity verification** — establish how the bot trusts the issuing user's identity from [CHAT_PLATFORM], not just a display name that can be spoofed or impersonated. 2. **Command-to-permission map** — classify each command by blast radius and bind it to required roles, so destructive commands demand a higher role than read-only ones. 3. **Context constraints** — enforce channel and time constraints (e.g. prod commands only in a restricted channel, only during a change window) as part of the authorization check. 4. **Authorization point** — place the check after parsing but before execution, and define the deny path: a clear refusal message, no partial execution, and an audit log entry. 5. **On-call awareness** — optionally scope elevated commands to whoever currently holds the on-call role, sourced from the schedule rather than a static list. 6. **Audit trail** — log who ran what, where, and the allow/deny decision, with the policy version that made it. Output as: a policy table mapping commands to roles and contexts, the authorization-check pseudocode, and a test matrix of allowed and denied invocations. Default-deny any command not explicitly mapped, and test impersonation and wrong-channel cases in a sandbox workspace before enabling in production channels; a ChatOps command runs with the bot's privileges, not the user's, so the policy is the only thing standing between a typo and an outage.
Why this prompt works
ChatOps collapses the gap between intent and action: someone types a command and infrastructure changes. That convenience is also the risk, because the command runs with the bot’s privileges, not the typist’s, and a chat message is trivially easy to send. The prompt anchors the whole design on a single uncomfortable fact — a display name is not an identity. Slack, Teams, and Discord all deliver a signed, verifiable user ID in their event payloads, and the authorization layer must trust that, not the human-readable handle that anyone can change. Building the check on verified identity is the foundation everything else rests on.
The prompt then insists on default-deny and a command-to-permission map keyed by blast radius. This matters because ChatOps bots accrete commands over time, and an allow-by-default posture means every newly added command ships unguarded until someone remembers to restrict it — which they won’t, until it’s abused. By forcing each command to be explicitly bound to a required role, and layering channel and time-window constraints on top, the design makes “run the prod teardown” structurally different from “show me the logs.” The on-call-awareness option ties elevated privileges to whoever actually holds the pager right now, sourced from the schedule, so authority follows responsibility instead of lingering on a stale static list.
The placement of the authorization point — after parsing, before execution, with a clean deny path and an audit entry — is what keeps a denied command from doing partial damage. The model drafts the policy table and check logic quickly, but you verify by attempting impersonation and wrong-channel invocations in a sandbox workspace, confirming each is refused with no side effect. A ChatOps authorization bug fails open and loud: the command runs, in public, in front of everyone.
Related prompts
-
Approval-Gated Automation Guardrails Prompt
Design the guardrail layer around operational automation — defining which actions require approval, who can approve, how approvals are requested and recorded, and how break-glass works — so automation stays fast for safe actions and gated for dangerous ones.
-
ChatOps Approval Bot Design Prompt
Design a Slack/Teams ChatOps bot that safely runs ops commands with inline approvals — identity, authorization, four-eyes for risky actions, audit, and abuse resistance.