Enterprise RBAC and SSO — Commercial Phase C1 Plan

Status: Deferred from v0.1. Planned for commercial phase C1. Scope owner: Platform + Identity. Source of truth: PRD §commercialization — Enterprise features, scope-90-day.md:37.

C1 ships the enterprise distribution: SSO/SCIM, advanced RBAC, signed administrative actions, and central signed policy distribution. The OSS core in v0.1 stays single-tenant and CLI-driven; this plan captures what v0.1 must avoid foreclosing so enterprise identity can be added cleanly at C1.

Why it is deferred

Identity is a procurement requirement, not an activation requirement. Provider design partners install via Docker Compose with local keys and CLI; they do not need OIDC on day one. Building enterprise identity before the wedge is proven would burn engineering on a feature that closes deals only after the OSS product earns the meeting.

Architectural preconditions v0.1 must preserve

| Precondition | Owner phase | Why it matters |
|---|---|---|
| Every privileged action in the OSS core has a stable actor_id field that is not hard-coded to a local OS user | Phase 8, Phase 11 | At C1, actor_id is populated from an SSO subject claim; the ledger schema must already carry it |
| HITL signature verification is decoupled from key source (local file today, KMS/HSM tomorrow) | Phase 8, Phase 11 | C1 enterprise uses customer-managed HSM/KMS; the signing interface must accept a pluggable signer |
| Authorization decisions are emitted as events (override_authorized, release_resume_authorized) with a scope field | Phase 11 | RBAC at C1 reads/writes these events; no retrofit of an audit trail |
| The API skeleton in v0.1 reserves a place for an auth middleware (even if it is a no-op locally) | Phase 9 | Adding OIDC/SAML at C1 is a middleware swap, not a route rewrite |
| Policy bundle loading already supports a bundle_signer identity and signature verification | Phase 10 | Central signed policy distribution is a signer-trust extension, not a new mechanism |
| Admin actions are recorded with prev_hash chaining like any other ledger event | Phase 7–8 | Signed administrative actions for regulated change control are "just" events |

If a v0.1 change would force a retrofit of one of these, it is a scope change — file a change-request.
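
A sketch of how the actor_id, pluggable-signer, and prev_hash preconditions fit together, added here as an illustration and not taken from the project's code. The names HmacSigner, append_event, verify_ledger and GENESIS are hypothetical, the event layout is assumed, and HMAC-SHA256 stands in for whatever signature scheme a local key file or KMS/HSM would provide.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first event


class HmacSigner:
    """Hypothetical pluggable signer; HMAC-SHA256 stands in for a real KMS/HSM signature."""

    def __init__(self, kind: str, key: bytes):
        self.kind, self._key = kind, key  # kind is recorded as signer_kind

    def sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def verify(self, payload: bytes, signature: str) -> bool:
        return hmac.compare_digest(self.sign(payload), signature)


def _canonical(body: dict) -> bytes:
    # Stable serialization so hash and signature are reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(ledger: list, signer, event_type: str, actor_id: str, scope: str) -> dict:
    """Append a signed event; actor_id is an opaque string (local user now, SSO subject later)."""
    body = {"type": event_type, "actor_id": actor_id, "scope": scope,
            "signer_kind": signer.kind,
            "prev_hash": ledger[-1]["hash"] if ledger else GENESIS}
    payload = _canonical(body)
    event = dict(body, signature=signer.sign(payload),
                 hash=hashlib.sha256(payload).hexdigest())
    ledger.append(event)
    return event


def verify_ledger(ledger: list, signers: dict) -> int:
    """Return the index of the first invalid event, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, event in enumerate(ledger):
        body = {k: v for k, v in event.items() if k not in ("signature", "hash")}
        payload = _canonical(body)
        signer = signers.get(event.get("signer_kind"))
        if (event.get("prev_hash") != prev_hash
                or hashlib.sha256(payload).hexdigest() != event.get("hash")
                or signer is None
                or not signer.verify(payload, str(event.get("signature", "")))):
            return i
        prev_hash = event["hash"]
    return -1
```

Because the verifier looks the signer up by signer_kind, swapping a local key for a KMS-backed one changes only that field on the event, and a verifier that does not trust a given signer kind rejects the event instead of skipping the check.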

Scope at C1

In scope:

  • OIDC and SAML SSO; minimum providers at GA: Okta, Azure AD, Google Workspace.
  • SCIM 2.0 user/group provisioning and deprovisioning.
  • Fine-grained RBAC: roles admin, policy_manager, release_approver, reviewer, viewer. Scope axes: org, project, system.
  • Break-glass workflow: time-boxed elevated access with a mandatory signed rationale and an automatic audit alert.
  • Signed administrative actions: every policy change, role grant, and break-glass activation is signed by the actor and appended to the ledger.
  • Central signed policy distribution: enterprise customers pull versioned policy bundles from a customer-controlled distribution endpoint, with signature verification and drift detection against pinned versions.
  • HSM/KMS integration for signing keys (AWS KMS, GCP KMS, on-prem PKCS#11). FIPS-validated crypto build available on request.

Out of scope (intentional):

  • Hosted identity. The product integrates with the customer's IdP; it does not become one.
  • Per-user pricing at the OSS layer. OSS stays free and local-first; identity features are an enterprise-only surface.
  • "Compliance officer" UI for non-engineering users. C1 is API + CLI; richer UI tracks against the SaaS premium dashboard.

Milestones

C0 prep (during seed → C0)

  • Confirm actor_id and scope are present on every privileged event emitted by v0.1.
  • Stub the auth middleware in the gateway-api with a documented contract: header in, principal + scope claims out.

C1 — Enterprise distribution v1

Exit criteria:

  • OIDC + SAML supported end to end with one reference IdP each.
  • SCIM provisioning round-trips for users and groups; deprovisioning revokes roles within 60 seconds.
  • RBAC enforced on the full API surface; deny-by-default; explicit allow-list of public endpoints (health, version).
  • Break-glass workflow has been exercised in a partner environment.
  • HSM/KMS-backed signing produces ledger events indistinguishable in audit from local-file signing except for the signer_kind field.
  • Central policy distribution running for at least one enterprise tenant with version pinning and drift alerts.
  • Acceptance: first annual enterprise subscription signed with defined scope.

Open questions

  • Whether SCIM is mandatory at GA or fast-follow (depends on first-deal IdP).
  • How to expose RBAC configuration: declarative file in the repo (GitOps-friendly) vs. API-driven (UI-friendly). Likely both, with the file as the source of truth.
  • Whether the central policy distribution endpoint is a hosted SaaS surface or shipped as a customer-run service. Likely shipped — keeps it on-prem-friendly.