Enterprise
Role-based access control across workspaces and projects
Least privilege for a platform where a prompt can change production — workspace roles, project scoping, and Guardrails policies that route risky changes to the right reviewers.
Ciao's role-based access control layers workspace roles, project-level permissions and Guardrails governance. Unlike tools where access is all-or-nothing, RBAC scopes what each person can administer, build and approve — and Guardrails plain-English policies can route risky changes to designated senior reviewers, recording the human review behind every merge in an append-only audit trail.
Published 2026-07-03 · Last updated 2026-07-03
Least privilege when a prompt can change production
Access control on a development platform has always mattered; AI raises the stakes because the distance from intention to production change is shorter. A person with broad access is no longer just a person who can read too much — they are a person whose plain-language request can become running code. Least privilege stops being a compliance nicety and becomes the primary control on what the platform will do on whose behalf.
Ciao's model answers three separate questions with three separate layers: who may administer the workspace, who may work in which projects, and who may approve which changes. Reviewers should evaluate each layer on its own, because collapsing them into a single 'admin vs user' toggle is exactly the design weakness this category tends toward.
The payoff for getting the layers right is speed as well as safety. When routine changes flow under light review and only protected areas demand senior eyes, governance stops being the bottleneck teams route around — and controls that people do not route around are the only controls that hold.
What Ciao provides
Five mechanisms, each independently verifiable during evaluation:
- Workspace roles — Administrative capability — identity configuration, membership, workspace settings — is a role assigned deliberately, not a default.
- Project-level permissions — Access is scoped to the projects a person actually works on, so a contractor on one build does not inherit visibility into the rest of the portfolio.
- Guardrails policies with seniority — Guardrails applies plain-English policies to risky changes and records human review — and policies can name who is senior enough to review changes in protected business areas.
- Identity integration — SSO via SAML and OIDC with optional MFA authenticates people; SCIM group-to-role mapping keeps roles aligned with your directory.
- Recorded administration — Role grants and permission changes are admin actions in the append-only audit trail, so access reviews cite records, not memory.
Seniority tiers in Guardrails
Not every change deserves the same reviewer. A copy tweak on a marketing page and a modification to payment logic are different events, and a governance model that treats them identically will either slow everything down or review nothing properly. Guardrails maps code into business areas and detects risky changes, which lets policy distinguish the two — in plain English, readable by the compliance team that has to approve the policy itself. That mapping is what makes seniority meaningful: the platform knows which business area a change touches, so the policy can say who is qualified to judge it.
Seniority enters as policy: changes touching protected areas can be routed to designated senior reviewers, while routine changes flow with lighter review. The review that happens is recorded, so the audit trail shows not just that a change was approved but that it was approved by someone the policy deemed qualified. And because the policies are plain English, the people accountable for the control — compliance, risk, engineering leadership — can read and challenge them directly, with no translation layer between the policy that was approved and the rule that runs.
Rolling out RBAC
1. Map roles to reality
List who administers, who builds, who reviews and who only observes — from your org chart, not from the tool's defaults.
2. Connect identity
Put authentication behind SSO, and map IdP groups to roles via SCIM so the directory drives access.
3. Scope projects
Assign project-level permissions so each person's reach matches their work, with contractors and vendors scoped tightest.
4. Write Guardrails policies
Define, in plain English, which business areas are protected and which reviewers are senior enough to approve changes there.
5. Review with evidence
Run your first access review from the audit trail — role grants, permission changes and recorded merges give the review its evidence base.
Three layers, three questions
Each layer answers a different reviewer question — score them separately:
| Access layer | Question it answers | Mechanism |
|---|---|---|
| Workspace roles | Who may administer the workspace? | Deliberately assigned admin capability |
| Project permissions | Who may work where? | Per-project scoping of access |
| Guardrails policies | Who may approve which changes? | Plain-English policies with recorded human review |
| Identity | Who is this person at all? | SSO via SAML and OIDC, optional MFA, SCIM mapping |
| Evidence | What actually happened? | Append-only audit trail of admin actions and merges |
Verification notes
RBAC claims are best verified by attempting things. During evaluation, have a scoped user try to reach a project outside their assignment, and have a non-senior reviewer attempt to approve a change in a protected area — then read both events in the audit trail. The security pack, available on request via the contact page, documents the access model in writing, and SOC 2 Type II reports under NDA cover the audited access-management controls.
Bring your own org chart to the evaluation: name a real contractor, a real junior engineer and a real protected system, and configure the trial to match. Abstract RBAC demos all look fine; your structure is the test that matters.
Frequently asked questions
Can a junior developer merge changes into a protected business area?
Guardrails detects risky changes and applies the plain-English policies your workspace defines — including routing changes in protected areas to designated senior reviewers, with the human review recorded. Verify the behavior against your own policy during evaluation rather than taking a yes/no from a webpage.
Can we scope contractors to a single project?
Project-level permissions exist for exactly this: a contractor's access is scoped to the projects they work on. Pair it with SCIM so the engagement ending in your directory also ends the access.
How are changes to roles and permissions themselves audited?
Role grants and permission changes are admin actions, recorded in the append-only audit trail alongside prompts, merges and deploys. Access reviews can therefore trace who changed whose access, and when.
Does access control apply to what the AI does, or only to humans?
AI-generated changes go through the same governed path as human ones: Guardrails maps them to business areas, detects risk, applies policy and records human review behind every merge. The controls your review evaluates for people are the controls governing the platform's own output.
Can roles be driven by our IdP groups?
Yes — SCIM provisioning maps IdP groups to Ciao roles, so role assignment follows the directory your team already governs. The mapping is agreed during onboarding and its changes are recorded as admin actions.