ContextQMD
Back to Crewai

Set up the Rules

docs/en/enterprise/features/agent-control-plane/rules.mdx

1.14.6a25.6 KB
Original Source

Overview

Rules let you apply policies — today: PII Redaction — across many automations at once, instead of configuring each deployment individually. Open the Rules tab in the Agent Control Plane to manage them.

<Frame> ![Rules list](/images/enterprise/acp-rules-list.png) </Frame>

Each rule card shows the name, description, the scope the rule applies to (selected tools and tags), and a count of engaged automations — deployments that currently match the scope. The toggle on the right enables or disables the rule without deleting it.

Requirements

<Warning> **Enterprise Plan or Ultra Plan** is required to create or edit PII Redaction rules. Lower-tier organizations can still open the Rules tab and view existing rules, but the editor renders read-only with an "Enterprise" lock pill and the alert *"PII Redaction rules require an Enterprise plan."* — contact your account owner or sales to upgrade. </Warning>
  • The Agent Control Plane feature must be enabled for your organization. See Overview — Requirements.
  • The manage RBAC permission on Agent Control Plane is required to create, edit, toggle, or delete rules. The read permission is enough to view them.
  • All rule changes are versioned for auditing.

Available rule types

TypeWhat it does
PII RedactionApplies PII redaction to executions of every matching automation, using the same entity catalog and custom recognizers documented in PII Redaction for Traces.

More rule types will be added over time.

Creating a rule

<Frame> </Frame> <Steps> <Step title="Open the editor"> Click **+ Create new** at the top-right of the Rules tab, or **View Details** on an existing rule card. </Step> <Step title="Name and describe the rule"> Give the rule a clear name (e.g. *Mask PII (CC)*) and a description explaining when it applies. Both show up on the rule card and in the Engaged Automations modal. </Step> <Step title="Pick the type"> Today only **PII Redaction** is available. </Step> <Step title="Set the conditions"> Conditions decide which automations the rule engages with. Both are optional and use **set-equality** semantics: 
- **Tools** — only automations whose tool set **exactly matches** the selected tools will engage. Picks from Studio apps, MCPs, OSS tools, and Tool Repository registry tools.
- **Automations** — only automations whose tag set **exactly matches** the selected tags will engage.

Leaving a picker empty means "no filter on this dimension". Leaving both empty means the rule applies to **every** automation in the organization.
</Step> <Step title="Configure the PII Mask Type table"> Check each entity type you want covered and choose **Mask** (replaces with the entity label, e.g. `<CREDIT_CARD>`) or **Redact** (removes the matched text entirely). See [PII Redaction for Traces](/en/enterprise/features/pii-trace-redactions) for the full entity catalog and how to add organization-level custom recognizers. </Step> <Step title="Save"> The rule applies to **future** executions of every engaged automation as soon as you save. No re-deploy is needed. </Step> </Steps>

Engaged automations

Click Engaged N automations on any rule card to see exactly which deployments the rule is currently matching, along with each one's last execution.

<Frame> ![Engaged automations modal](/images/enterprise/acp-rules-engaged-modal.png) </Frame>

This is the fastest way to sanity-check a rule's scope before enabling it — for example, to confirm that a rule scoped to the production tag isn't accidentally matching a staging deployment.

Org-wide rules vs per-deployment settings

PII Redaction can be configured in two places:

  • Per-deployment — under Settings → PII Protection on each individual deployment (guide)
  • Org-wide — as a Rule on this page

When an enabled org-wide rule's scope matches a deployment, the rule's entity configuration overrides the deployment-owned PII settings for that deployment's executions — the rule becomes the single source of truth while it's attached. Disable or detach the rule (or change its scope so it no longer matches) and the deployment falls back to its own PII Protection settings.

Prefer org-wide rules when you want to enforce a consistent policy across many deployments; reserve per-deployment configuration for one-off exceptions.

<CardGroup cols={2}> <Card title="Agent Control Plane — Overview" icon="book-open" href="/en/enterprise/features/agent-control-plane/overview"> What ACP is, requirements, plan tiers, and RBAC. </Card> <Card title="Agent Control Plane — Monitoring" icon="gauge" href="/en/enterprise/features/agent-control-plane/monitoring"> Monitor automations and LLM consumption across your fleet. </Card> <Card title="PII Redaction for Traces" icon="lock" href="/en/enterprise/features/pii-trace-redactions"> Entity catalog, custom recognizers, and per-deployment configuration. </Card> <Card title="RBAC" icon="users" href="/en/enterprise/features/rbac"> Manage who can create or edit rules. </Card> </CardGroup> <Card title="Need Help?" icon="headset" href="mailto:[email protected]"> Contact our support team for help designing rules for your organization. </Card>