Full Platform
Access Control

Role-Based Governance Access

Every user, every role, every permission — enforced at the infrastructure layer. Not in application code. Not in middleware. In the control plane itself.

Architecture

Enforcement, Not Configuration

Access control enforced at the governance layer. Roles determine what the control plane allows — before any action reaches execution.

1. User Request: JWT-authenticated identity with embedded role and tenant claims.
2. RBAC Gate: role resolved, tenant scope enforced, then permissions checked.
3. Governed Action: only permitted operations reach the governance pipeline.
4. Audit Record: every access decision logged with actor, role, action, and timestamp.
Five Roles

Graduated Authority Levels

From read-only observers to platform administrators. Each role adds capabilities — none removes governance.

Tier 1
Viewer
Read-only access to task status, audit logs, and governance decisions. Cannot modify or execute.
  • View tasks & status
  • Read audit trail
  • No execution
Tier 2
Operator
Can cancel, retry, and manage running tasks. All operator actions are logged to the immutable audit trail.
  • Cancel tasks
  • Retry failed tasks
  • Actions audited
Tier 3
Approver
Reviews and approves pending governance decisions. Required for high-risk actions that exceed autonomous thresholds.
  • Approve actions
  • Reject with reason
  • Constraint overrides
Tier 4
Admin
Full tenant management. Can export audit data, configure policies, and manage users within their organization scope.
  • Export audit data
  • Manage users
  • Configure policies
Tier 5
Platform Admin
Cross-tenant platform authority. Toggle Red Team Mode, manage global configuration, and access all tenant scopes.
  • Cross-tenant access
  • Red Team Mode
  • Global config
Permissions

Nine Granular Permissions

Every API endpoint maps to a specific permission. No implicit access. No wildcards. Explicit grants only.

Permission         Viewer   Operator   Approver   Admin   Platform Admin
task.view            ✓         ✓          ✓         ✓          ✓
task.cancel          -         ✓          ✓         ✓          ✓
task.retry           -         ✓          ✓         ✓          ✓
step.approve         -         -          ✓         ✓          ✓
step.reject          -         -          ✓         ✓          ✓
audit.export         -         -          -         ✓          ✓
user.manage          -         -          -         ✓          ✓
policy.configure     -         -          -         ✓          ✓
platform.admin       -         -          -         -          ✓

(Check marks follow the inheritance rule stated under Principles: each tier holds its own grants plus every grant of the tiers below it.)
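The gate described under Architecture and the permission matrix above, as an added worked example (this is illustration code, not the platform's own implementation). It assumes an HS256 JWT carrying `sub`, `role`, `tenant` and `exp` claims, a hypothetical endpoint-to-permission map (the routes are invented; the page names only the permissions), and an in-memory list standing in for the JSONL audit file. Tenant scope is resolved before the permission check, unknown roles and unmapped endpoints are denied, and every decision is recorded.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Tier order doubles as the inheritance chain: a role holds its own grants
# plus everything granted to the tiers below it (roles and grants from the page).
ROLE_TIERS = ["viewer", "operator", "approver", "admin", "platform_admin"]
DIRECT_GRANTS = {
    "viewer": {"task.view"},
    "operator": {"task.cancel", "task.retry"},
    "approver": {"step.approve", "step.reject"},
    "admin": {"audit.export", "user.manage", "policy.configure"},
    "platform_admin": {"platform.admin"},
}
# Endpoint -> required permission. Routes are assumed for illustration; the
# point is that an endpoint absent from this map is denied to everyone.
ENDPOINT_PERMISSION = {
    ("GET", "/tasks"): "task.view",
    ("POST", "/tasks/cancel"): "task.cancel",
    ("POST", "/tasks/retry"): "task.retry",
    ("POST", "/steps/approve"): "step.approve",
    ("POST", "/steps/reject"): "step.reject",
    ("GET", "/audit/export"): "audit.export",
    ("POST", "/users"): "user.manage",
    ("PUT", "/policies"): "policy.configure",
    ("POST", "/platform/red-team-mode"): "platform.admin",
}
AUDIT_LOG = []  # in-memory stand-in for the append-only JSONL file


def effective_permissions(role):
    """Full permission set for a role; an unknown role gets nothing."""
    if role not in ROLE_TIERS:
        return frozenset()
    tiers = ROLE_TIERS[: ROLE_TIERS.index(role) + 1]
    return frozenset().union(*(DIRECT_GRANTS[r] for r in tiers))


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret):
    """Minimal HS256 signer, standing in for a real JWT library."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def verify_jwt(token, secret, now):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None  # pin the algorithm: no "none", no key confusion
        mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    return claims if claims["exp"] > now else None


def authorize(token, secret, method, path, resource_tenant, resource_id, now):
    """RBAC gate: verify identity, resolve tenant scope, then check the permission.
    Every decision, granted or denied, is appended to AUDIT_LOG as one JSON line."""
    claims = verify_jwt(token, secret, now) or {}
    role = claims.get("role")
    perms = effective_permissions(role)
    required = ENDPOINT_PERMISSION.get((method, path))
    if not claims:
        outcome, reason = "DENIED", "invalid_token"
    elif required is None:
        outcome, reason = "DENIED", "unmapped_endpoint"
    elif claims.get("tenant") != resource_tenant and "platform.admin" not in perms:
        # Scope first: an operator holding task.view still cannot read another tenant's task.
        outcome, reason = "DENIED", f"tenant_scope_violation: resource belongs to {resource_tenant}"
    elif required not in perms:
        outcome, reason = "DENIED", f"permission_denied: {role} lacks {required}"
    else:
        outcome, reason = "GRANTED", "ok"
    record = {
        "ts": datetime.fromtimestamp(now, timezone.utc).isoformat().replace("+00:00", "Z"),
        "outcome": outcome, "actor": claims.get("sub"), "role": role,
        "permission": required, "resource": resource_id,
        "tenant": resource_tenant, "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(record, separators=(",", ":")))
    return record
```

Calling `authorize(sign_jwt({"sub": "ops@org-acme.example", "role": "operator", "tenant": "org_acme", "exp": now + 600}, secret), secret, "GET", "/tasks", "org_partner", "tsk_8291", now)` yields a DENIED record whose reason is a tenant scope violation even though the operator holds `task.view`, which is the ordering the Tenant Isolation section asks for. The algorithm pin in `verify_jwt` is the check most often missing in hand-rolled gates: without it a token with `"alg":"none"` and an empty signature would carry whatever role the attacker wrote into it.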
Tenant Isolation

Every Organization Is a Sovereign Scope

Users never see, touch, or influence resources outside their tenant. Isolation is architectural, not filtered.

🛡
Scoped Governance
Each tenant gets isolated Charter, Claims Ledger, Trust Dial, and Action Registry instances. Custom rules can only add restrictions — never weaken immutable principles.
🔑
JWT Tenant Claims
Every request carries an embedded tenant identifier. The control plane resolves scope before any permission check. Cross-tenant access requires Platform Admin elevation.
📑
Isolated Audit Trails
Audit records are tenant-scoped. Each organization's decision history is independently verifiable without exposing any other tenant's data.
⚠️
Blast Radius Containment
A compromised credential can only affect its own tenant scope. No lateral movement between organizations. LRU eviction prevents memory-level data leaks.
Audit Trail

Every Access Decision Is Proven

Immutable JSONL audit log with actor, role, action, resource, timestamp, and outcome for every operation.

2026-04-02T09:15:22.001Z | GRANTED | [email protected] | role=approver | step.approve | task_id=tsk_8291 tenant: org_acme | reason: "Reviewed risk assessment, within envelope"
2026-04-02T09:15:44.332Z | DENIED | [email protected] | role=viewer | task.cancel | task_id=tsk_8291 tenant: org_acme | reason: permission_denied: viewer lacks task.cancel
2026-04-02T09:16:01.109Z | GRANTED | [email protected] | role=operator | task.retry | task_id=tsk_7744 tenant: org_acme | reason: retry_after_timeout
2026-04-02T09:16:18.774Z | DENIED | [email protected] | role=operator | task.view | task_id=tsk_8291 tenant: org_partner | reason: tenant_scope_violation: resource belongs to org_acme
2026-04-02T09:16:33.221Z | ELEVATED | [email protected] | role=platform_admin | red_team_mode.toggle | enabled=true tenant: * (global) | reason: "Pre-release security hardening"
Every record persisted to immutable JSONL. Actor, role, permission, resource, tenant, and outcome — always.
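What a detection engineer would do with the trail above, as an added example (not the platform's own tooling): parse the rendered log format and run three checks over it, flagging cross-tenant probes, global elevations such as toggling Red Team Mode, and actors who collect repeated denials in a short window. The sample lines are constructed in the page's format with made-up actor addresses (the page's are redacted), and the last two lines are added so the repeated-denial rule has something to fire on.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the page's rendered log format. Actor addresses are
# invented; the final two lines are extra denials added for the demo.
SAMPLE_LOG = """\
2026-04-02T09:15:22.001Z | GRANTED | rhea@org-acme.example | role=approver | step.approve | task_id=tsk_8291 tenant: org_acme | reason: "Reviewed risk assessment, within envelope"
2026-04-02T09:15:44.332Z | DENIED | sam@org-acme.example | role=viewer | task.cancel | task_id=tsk_8291 tenant: org_acme | reason: permission_denied: viewer lacks task.cancel
2026-04-02T09:16:01.109Z | GRANTED | ops@org-acme.example | role=operator | task.retry | task_id=tsk_7744 tenant: org_acme | reason: retry_after_timeout
2026-04-02T09:16:18.774Z | DENIED | ops@org-acme.example | role=operator | task.view | task_id=tsk_8291 tenant: org_partner | reason: tenant_scope_violation: resource belongs to org_acme
2026-04-02T09:16:33.221Z | ELEVATED | root@platform.example | role=platform_admin | red_team_mode.toggle | enabled=true tenant: * (global) | reason: "Pre-release security hardening"
2026-04-02T09:17:02.010Z | DENIED | sam@org-acme.example | role=viewer | task.retry | task_id=tsk_8291 tenant: org_acme | reason: permission_denied: viewer lacks task.retry
2026-04-02T09:17:40.500Z | DENIED | sam@org-acme.example | role=viewer | audit.export | export_id=exp_01 tenant: org_acme | reason: permission_denied: viewer lacks audit.export
"""

# One record per line: ts | OUTCOME | actor | role=x | permission | resource tenant: t | reason: ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<outcome>[A-Z]+) \| (?P<actor>\S+) \| role=(?P<role>\S+) \| "
    r"(?P<action>\S+) \| (?P<resource>.*?) tenant: (?P<tenant>\S+)(?: \(global\))? \| reason: (?P<reason>.*)$"
)


def parse_line(line):
    """Parse one rendered audit line; a line that does not fit the format is itself a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    rec["reason"] = rec["reason"].strip('"')
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(records, denial_threshold=3, window_s=300):
    """Return (kind, actor, detail) alerts for the three patterns worth paging on."""
    alerts = []
    denials = defaultdict(list)
    for r in records:
        if r["outcome"] == "DENIED" and r["reason"].startswith("tenant_scope_violation"):
            alerts.append(("cross_tenant_probe", r["actor"], r["ts"]))
        if r["outcome"] == "ELEVATED" and r["tenant"] == "*":
            alerts.append(("global_elevation", r["actor"], r["action"]))
        if r["outcome"] == "DENIED":
            denials[r["actor"]].append(r["ts"])
    # Sliding window: threshold denials by one actor within window_s seconds.
    for actor, stamps in denials.items():
        stamps.sort()
        for i in range(len(stamps) - denial_threshold + 1):
            if (stamps[i + denial_threshold - 1] - stamps[i]).total_seconds() <= window_s:
                alerts.append(("repeated_denials", actor, stamps[i + denial_threshold - 1]))
                break
    return alerts
```

`detect(parse_log(SAMPLE_LOG))` returns one cross-tenant probe (the operator reading `tsk_8291` from `org_partner`), one global elevation (the Red Team Mode toggle) and one repeated-denials alert for the viewer who tried three things outside their tier within two minutes. Because the log is append-only and every denial is recorded, the denied rows are often the more useful signal: a GRANTED line tells you what happened, a run of DENIED lines tells you what someone wanted to happen.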
Principles

Access Control Design Principles

01
Deny by default
No implicit access. Every endpoint requires an explicit permission grant. Missing permission = denied.
02
Governance is not optional
Even Platform Admins pass through the governance pipeline. Higher roles get more permissions, not less enforcement.
03
Audit everything
Every access decision — granted or denied — produces an immutable audit record with full context.
04
Tenant isolation is structural
Not a WHERE clause. Not a filter. Tenant boundaries are enforced at the identity layer before any query executes.
05
Roles compose, never subtract
Higher tiers inherit all lower-tier permissions. Custom roles can only add restrictions. No permission can weaken an immutable governance rule.

Access control should be infrastructure, not application logic.

Five roles. Nine permissions. Tenant isolation. Cryptographic audit trail. Sub-millisecond enforcement.