Working with Your Ledger Environment: Instances, Cohorts, Roles, and Agents

Now that your CLI is connected and authenticated, this guide walks you through the first operational steps in your Ledger environment: defining roles, creating agents, and understanding how to scope access using instances and cohorts.

What Is an Instance?

An instance is how your CLI connects to your assigned Ledger environment (e.g., your test or production setup). You’ll typically be given the base URL for your Ledger instance during onboarding.

Example:

./luca add-instance gtm-dev https://cac-ledger-svc.gtm-prod.euw1.aws.xyb.io
./luca configure default-instance gtm-dev

What Is a Cohort?

A cohort is a workspace or namespace inside the ledger. Your cohort is assigned during onboarding and defines the scope of your agents, roles, and operations.

Cohort paths follow the format /application/<name>

1. Define a Role

A role defines what an agent is allowed to do. Each role includes:

  • A name (e.g. ADMIN)

  • A set of permissions:

    • read – View data

    • write – Modify data

    • transition – Move items between lifecycle states

    • access – Connect to services

    • impersonate – Allow one agent to act on behalf of another

Create a full-access role:

./luca write-role ADMIN "access+read+write+transition@/*/**"

2. Create an Agent

An agent is an identity that interacts with the ledger via API, CLI, or automation. Agents are created within a cohort.

Set your auth identity (i.e., who the CLI is acting as). This must match a registered agent in your cohort and is used for all requests in your current session.

./luca set-auth application/admin

Then create an agent:

./luca write-agent application/admin --r:ADMIN

💡 Agent Naming Tip: Use application/<name> for your app or employee/<user-id> for individuals. Example: application/finance-app, employee/charlie.wei

3. View and Test Your Setup

List all agents in your cohort:

./luca list-agents

Example output:

application admin ADMIN

This means there’s an agent admin in the application cohort with ADMIN permissions.

4. Common Customizations

Create a limited-access role:

./luca write-role CHART_MANAGER "read+write@/chart/UK/**"

Register an agent with that role:

./luca set-auth application/chart_manager
./luca write-agent application/chart_manager --r:CHART_MANAGER

🛠 Troubleshooting

Problem
Fix

No agents found

Ensure you've set the instance: luca configure default-instance

Invalid cohort

Use /application/<name> instead of /service/

Permission denied

Check your role permissions and assigned roles

Now that you have agents and roles configured, you're ready to:

  • Start sending operations (e.g. charts, transactions)

  • Configure messaging channels (Kafka or HTTP)

  • Interact with the Ledger API using secure tokens

PreviousInstall & Setup the Ledger CLI ToolNextSet Up Messaging Channels for Your Ledger Environment

Last updated