RBAC & Permissions

    Effective March 1, 2026

    DecisionLedger enforces role-based access control (RBAC) across the entire platform. Every API request and UI action is checked against the authenticated user's assigned permissions before execution. This document describes the permission model, default roles, and customization options available to tenant administrators.

    1. Permission Model

    Permissions follow a category:action format (e.g., scenarios:view, decisions:approve). Each permission grants access to a specific operation within a resource category. Permissions are additive — a user can perform an action only if at least one of their assigned roles includes the required permission.

    Enforcement occurs at two layers:

    • API middleware: Every request is validated against the caller's permission set before reaching business logic
    • Row-Level Security (RLS): Database queries are scoped to the user's tenant and, where applicable, ownership or approval status

    2. Permission Categories

    The platform defines 58 permissions across 11 categories:

    Scenarios (8 permissions)

    • scenarios:view — View all scenarios in the tenant
    • scenarios:view_own — View only scenarios you created
    • scenarios:view_approved — View only approved scenarios
    • scenarios:create — Create new scenarios
    • scenarios:edit — Edit existing scenarios
    • scenarios:delete — Delete scenarios
    • scenarios:share — Share scenarios with other users or externally
    • scenarios:run — Execute scenario model runs

    Templates (4 permissions)

    • templates:view — View available templates
    • templates:create — Create new templates
    • templates:edit — Edit existing templates
    • templates:delete — Delete templates

    KPIs (7 permissions)

    • kpis:view — View KPI definitions and values
    • kpis:create — Create new KPIs
    • kpis:edit — Edit KPI definitions
    • kpis:delete — Delete KPIs
    • kpis:manage_alerts — Configure KPI alert thresholds and notifications
    • kpis:manage_dashboards — Manage KPI dashboard layouts
    • kpis:export — Export KPI data

    Decisions (14 permissions)

    • decisions:view — View all decisions in the tenant
    • decisions:view_own — View only decisions you created
    • decisions:view_approved — View only approved decisions
    • decisions:create — Create new decision records
    • decisions:edit — Edit decision details
    • decisions:delete — Delete decisions
    • decisions:submit — Submit decisions for approval
    • decisions:approve — Approve decisions at standard level
    • decisions:approve_final — Grant final approval on decisions
    • decisions:override — Override approval workflows
    • decisions:escalate — Escalate decisions to higher authority
    • decisions:manage_workflows — Configure approval workflows
    • decisions:export — Export decision data
    • decisions:record_outcomes — Record real-world outcomes against decisions

    Teams (4 permissions)

    • teams:view — View team membership and structure
    • teams:create — Create new teams
    • teams:edit — Edit team membership and settings
    • teams:delete — Delete teams

    Plugins (3 permissions)

    • plugins:view — View available decision model plugins
    • plugins:execute — Execute plugin model runs
    • plugins:manage — Install, update, and remove plugins

    Administration (5 permissions)

    • admin:users — Manage user accounts (invite, deactivate, assign roles)
    • admin:roles — Create and manage custom roles
    • admin:settings — Manage tenant-level settings
    • admin:billing — View and manage billing and subscriptions
    • admin:audit — Access administrative audit functions

    Audit (2 permissions)

    • audit:view — View audit logs and compliance records
    • audit:export — Export audit log data

    Dashboards (2 permissions)

    • dashboards:view — View standard dashboards and reports
    • dashboards:view_executive — View executive-level dashboards

    Board Portal (1 permission)

    • board_portal:access — Access the board of directors portal and governance tools

    AI Governance (8 permissions)

    • ai_governance:view — View AI governance dashboards, agent registry, and evaluator results
    • ai_governance:manage_agents — Register, edit, and deactivate AI agents in the registry
    • ai_governance:manage_kill_switch — Toggle execution kill switch and manage granular rules
    • ai_governance:manage_shadow_mode — Create and manage champion/challenger shadow configs
    • ai_governance:manage_evaluator — Toggle AI evaluator, re-evaluate runs, and track recommendations
    • ai_governance:manage_policies — Create, edit, and delete governance gate policies
    • ai_governance:resolve_gates — Manually resolve pending governance gate entries
    • ai_governance:compliance — Run LL144 bias audits, model validation, and compliance checks

    3. Default Roles

    Every tenant starts with nine built-in roles. These roles cannot be deleted, but their permissions can be viewed for reference when creating custom roles.

    Administrator

    Full system access. Manages users, roles, settings, billing, and all platform features including all AI governance controls. Holds all 58 permissions.

    Executive

    Strategic decision authority. Has full scenario, template, KPI, and decision access including final approval and override capabilities. Can manage teams, view audit logs, view AI governance dashboards, and manage the kill switch. Does not have user management or billing permissions.

    Decision Approver

    Tactical approval authority. Can view scenarios, approve standard decisions, escalate to executives, export data, view AI governance dashboards, and resolve pending governance gates. Cannot create or edit templates, delete resources, or grant final approvals.

    Decision Analyst

    Creates and prepares decision scenarios. Has full edit access to scenarios and templates, can create KPIs and manage alerts, and submits decisions for approval. Cannot approve or override decisions.

    Auditor

    Compliance and audit access. Read-only access to all scenarios, decisions, KPIs, and full audit log access with export. Can view AI governance dashboards and run compliance checks (LL144, model validation). Cannot create, edit, or delete any resources.

    Board of Directors

    Board governance access. Can view decisions, dashboards, AI governance dashboards, and audit logs, approve and grant final approval on strategic decisions, escalate concerns, record outcomes, and access the board portal. Cannot create, edit, or delete operational resources.

    AI Governance Officer

    AI governance authority. Full access to all AI governance controls: agent registry, kill switch, shadow mode, AI evaluator, governance policies, gate resolution, and compliance checks. Can view scenarios, decisions, KPIs, dashboards (including executive), and audit logs. Can manage plugins for governance context.

    Viewer

    Stakeholder access. Can view only approved scenarios and decisions, browse templates, view KPIs, and access standard dashboards. The most restricted default role.

    4. Custom Roles

    Tenant administrators with the admin:roles permission can create custom roles with any subset of the 58 available permissions. Custom roles are useful for:

    • Department-specific access (e.g., HR analysts who can only view HR-related models)
    • Contractor or external consultant access with limited scope
    • Separation of duties required by compliance frameworks (SOX, SOC 2, etc.)
    • Temporary elevated access for specific projects

    5. Role Assignment

    Users can be assigned one or more roles. When a user holds multiple roles, their effective permission set is the union of all permissions from all assigned roles. Role assignments are tracked in the audit log for compliance purposes.
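
    An added example (not DecisionLedger code) of the additive check from section 1 and the role union described above, extended to a separation-of-duties check of the kind section 4 mentions. The role names, their permission sets, and the conflict pairs are constructed assumptions; only the permission strings come from this page.

```python
import re

# Permission strings follow the page's category:action format.
PERMISSION_RE = re.compile(r"[a-z_]+:[a-z_]+")

# Constructed custom roles (assumption: not DecisionLedger's built-in role definitions).
ROLES = {
    "hr_analyst": {"scenarios:view_own", "scenarios:create",
                   "decisions:create", "decisions:submit"},
    "project_approver": {"decisions:view", "decisions:approve"},
    "contractor": {"scenarios:view_approved", "templates:view"},
}

# Assumed separation-of-duties policy: pairs one user should not hold together.
SOD_CONFLICTS = [
    ("decisions:submit", "decisions:approve"),
    ("decisions:submit", "decisions:approve_final"),
]


def effective_permissions(role_names, roles=ROLES):
    """Union of the permissions of all assigned roles; unknown roles are an error."""
    perms = set()
    for name in role_names:
        if name not in roles:
            raise ValueError(f"unknown role: {name!r}")
        perms |= roles[name]
    return perms


def is_allowed(role_names, required, roles=ROLES):
    """Additive check: allow only if some assigned role holds the exact permission."""
    if not PERMISSION_RE.fullmatch(required):
        return False  # malformed or wildcard strings are denied, never expanded
    return required in effective_permissions(role_names, roles)


def sod_violations(role_names, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Conflict pairs that the combined role assignment would grant to one user."""
    perms = effective_permissions(role_names, roles)
    return [(a, b) for a, b in conflicts if a in perms and b in perms]


if __name__ == "__main__":
    # Each role passes alone; the union of both is what breaks separation of duties.
    for assignment in (["hr_analyst"], ["project_approver"],
                       ["hr_analyst", "project_approver"]):
        print(assignment, sod_violations(assignment))
```

    Running a check like this when a role is assigned, before the change is written, catches combinations that a review of each role on its own would not flag.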

    6. Audit and Compliance

    All permission checks, role changes, and access control events are recorded in immutable audit logs (protected by S3 Object Lock). Audit log retention varies by plan tier: 30 days for Starter, 180 days for Professional, and custom retention for Enterprise customers.

    7. Contact

    For questions about access control or to request Enterprise RBAC features, contact us at security@decisionledgerai.com.