Enterprise

Role-based access control across workspaces and projects

Least privilege for a platform where a prompt can change production — workspace roles, project scoping, and Guardrails policies that route risky changes to the right reviewers.

Ciao's role-based access control layers workspace roles, project-level permissions and Guardrails governance. Unlike tools where access is all-or-nothing, RBAC scopes what each person can administer, build and approve — and Guardrails plain-English policies can route risky changes to designated senior reviewers, recording the human review behind every merge in an append-only audit trail.

Best forAccess-control designLeast-privilege reviewsContractor and vendor scoping

Published 2026-07-03 · Last updated 2026-07-03

Least privilege when a prompt can change production

Access control on a development platform has always mattered; AI raises the stakes because the distance from intention to production change is shorter. A person with broad access is no longer just a person who can read too much — they are a person whose plain-language request can become running code. Least privilege stops being a compliance nicety and becomes the primary control on what the platform will do on whose behalf.

Ciao's model answers three separate questions with three separate layers: who may administer the workspace, who may work in which projects, and who may approve which changes. Reviewers should evaluate each layer on its own, because collapsing them into a single 'admin vs user' toggle is exactly the design weakness this category tends toward.

The payoff for getting the layers right is speed as well as safety. When routine changes flow under light review and only protected areas demand senior eyes, governance stops being the bottleneck teams route around — and controls that people do not route around are the only controls that hold.

What Ciao provides

Five mechanisms, each independently verifiable during evaluation:

  • Workspace roles — Administrative capability — identity configuration, membership, workspace settings — is a role assigned deliberately, not a default.
  • Project-level permissions — Access is scoped to the projects a person actually works on, so a contractor on one build does not inherit visibility into the rest of the portfolio.
  • Guardrails policies with seniority — Guardrails applies plain-English policies to risky changes and records human review — and policies can name who is senior enough to review changes in protected business areas.
  • Identity integration — SSO via SAML and OIDC with optional MFA authenticates people; SCIM group-to-role mapping keeps roles aligned with your directory.
  • Recorded administration — Role grants and permission changes are admin actions in the append-only audit trail, so access reviews cite records, not memory.

Seniority tiers in Guardrails

Not every change deserves the same reviewer. A copy tweak on a marketing page and a modification to payment logic are different events, and a governance model that treats them identically will either slow everything down or review nothing properly. Guardrails maps code into business areas and detects risky changes, which lets policy distinguish the two — in plain English, readable by the compliance team that has to approve the policy itself. That mapping is what makes seniority meaningful: the platform knows which business area a change touches, so the policy can say who is qualified to judge it.

Seniority enters as policy: changes touching protected areas can be routed to designated senior reviewers, while routine changes flow with lighter review. The review that happens is recorded, so the audit trail shows not just that a change was approved but that it was approved by someone the policy deemed qualified. And because the policies are plain English, the people accountable for the control — compliance, risk, engineering leadership — can read and challenge them directly, with no translation layer between the policy that was approved and the rule that runs.

Rolling out RBAC

  1. 1. Map roles to reality

    List who administers, who builds, who reviews and who only observes — from your org chart, not from the tool's defaults.

  2. 2. Connect identity

    Put authentication behind SSO, and map IdP groups to roles via SCIM so the directory drives access.

  3. 3. Scope projects

    Assign project-level permissions so each person's reach matches their work, with contractors and vendors scoped tightest.

  4. 4. Write Guardrails policies

    Define, in plain English, which business areas are protected and which reviewers are senior enough to approve changes there.

  5. 5. Review with evidence

    Run your first access review from the audit trail — role grants, permission changes and recorded merges give the review its evidence base.

Three layers, three questions

Each layer answers a different reviewer question — score them separately:

Access layerQuestion it answersMechanism
Workspace rolesWho may administer the workspace?Deliberately assigned admin capability
Project permissionsWho may work where?Per-project scoping of access
Guardrails policiesWho may approve which changes?Plain-English policies with recorded human review
IdentityWho is this person at all?SSO via SAML and OIDC, optional MFA, SCIM mapping
EvidenceWhat actually happened?Append-only audit trail of admin actions and merges

Verification notes

RBAC claims are best verified by attempting things. During evaluation, have a scoped user try to reach a project outside their assignment, and have a non-senior reviewer attempt to approve a change in a protected area — then read both events in the audit trail. The security pack, available on request via the contact page, documents the access model in writing, and SOC 2 Type II reports under NDA cover the audited access-management controls.

Bring your own org chart to the evaluation: name a real contractor, a real junior engineer and a real protected system, and configure the trial to match. Abstract RBAC demos all look fine; your structure is the test that matters.

Frequently asked questions

Can a junior developer merge changes into a protected business area?

Guardrails detects risky changes and applies the plain-English policies your workspace defines — including routing changes in protected areas to designated senior reviewers, with the human review recorded. Verify the behavior against your own policy during evaluation rather than taking a yes/no from a webpage.

Can we scope contractors to a single project?

Project-level permissions exist for exactly this: a contractor's access is scoped to the projects they work on. Pair it with SCIM so the engagement ending in your directory also ends the access.

How are changes to roles and permissions themselves audited?

Role grants and permission changes are admin actions, recorded in the append-only audit trail alongside prompts, merges and deploys. Access reviews can therefore trace who changed whose access, and when.

Does access control apply to what the AI does, or only to humans?

AI-generated changes go through the same governed path as human ones: Guardrails maps them to business areas, detects risk, applies policy and records human review behind every merge. The controls your review evaluates for people are the controls governing the platform's own output.

Can roles be driven by our IdP groups?

Yes — SCIM provisioning maps IdP groups to Ciao roles, so role assignment follows the directory your team already governs. The mapping is agreed during onboarding and its changes are recorded as admin actions.

Related pages

Get the security pack.

Role-Based Access Control | Ciao