Overview
AI Security Gateway uses a role-based access control model organized around organizations. Every user belongs to exactly one organization, and their role determines what they can see and do across all projects within that organization.
The RBAC model is designed for enterprise teams where different people have different responsibilities: security admins configure DLP policies and SSO, finance teams manage billing, developers create projects and API keys, and auditors review logs and violation reports.
Role Hierarchy
Roles form a strict hierarchy. Higher roles inherit all permissions from lower roles. A user can only manage roles below their own level.
Owner
Full control including organization deletion and ownership transfer
- Everything an Admin can do
- Delete the organization
- Transfer ownership to another member
Admin
Manage billing, SSO, SIEM, and team members
- Configure billing and subscription
- Manage SSO and SIEM settings
- Invite, remove, and change roles of members (below admin)
- Create and delete projects
- Manage DLP policies and API keys
- View dashboards, audit logs, and violations
- Export audit reports
Member
Create projects, manage policies and API keys
- Create and delete projects
- Manage DLP policies, API keys, and webhooks
- Manage hybrid VPC deployments
- View dashboards and audit logs
- Export audit reports
- View and generate violation reports
Viewer
Read-only access to dashboards and audit logs
- View project dashboards
- View audit logs (read-only)
- View violation reports (read-only)
Permissions Matrix
Complete mapping of permissions to roles. Higher roles inherit all permissions from lower roles.
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Delete organization | ✓ | — | — | — |
| Transfer ownership | ✓ | — | — | — |
| Manage billing | ✓ | ✓ | — | — |
| Configure SSO | ✓ | ✓ | — | — |
| Configure SIEM | ✓ | ✓ | — | — |
| Manage members & roles | ✓ | ✓ | — | — |
| Create / delete projects | ✓ | ✓ | ✓ | — |
| Manage DLP policies | ✓ | ✓ | ✓ | — |
| Manage API keys | ✓ | ✓ | ✓ | — |
| Manage webhooks | ✓ | ✓ | ✓ | — |
| Manage deployments | ✓ | ✓ | ✓ | — |
| View dashboards | ✓ | ✓ | ✓ | ✓ |
| View audit logs | ✓ | ✓ | ✓ | ✓ |
| Export audit reports | ✓ | ✓ | ✓ | — |
| View violations | ✓ | ✓ | ✓ | ✓ |
| Generate violation reports | ✓ | ✓ | ✓ | — |
Organization Model
Organizations are the top-level container for all resources in AI Security Gateway. Every project, API key, DLP policy, and audit log belongs to an organization.
One Org Per Account
Each user belongs to exactly one organization. The first user to sign up becomes the org owner. Additional users join via invitation or SSO auto-provisioning.
Org-Level Settings
SSO configuration, SIEM connectors, and billing are all org-level settings managed by owners and admins. Projects and their DLP policies are managed by owners, admins, and members.
Invitations
Owners and admins can invite users by email. Each invitation specifies a role for the new user.
1. The admin sends an invite with a selected role (admin, member, or viewer).
2. An email is delivered containing a unique invitation link with a secure token.
3. The user clicks the link and creates an account (or logs into their existing account).
4. The user joins the org with the role specified in the invitation.
Role assignment rules: Admins can invite users up to (but not including) their own role level. Only owners can invite new admins. Owners cannot be invited — ownership is transferred, not assigned.
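The hierarchy, the permissions matrix, and the invitation rule above all reduce to one ordering over roles. The following is an added illustration, not the product's own code: each permission is stored with the lowest role that holds it, so inheritance is a single comparison, and the "manage roles below your own" rule reuses the same ordering. Permission names are assumed identifiers.

```python
from enum import IntEnum


class Role(IntEnum):
    """Roles form a strict hierarchy; the numeric order encodes it, so a higher
    value inherits everything a lower value can do."""
    VIEWER = 1
    MEMBER = 2
    ADMIN = 3
    OWNER = 4


# Lowest role that holds each permission, transcribed from the Permissions Matrix.
# Inheritance falls out of the >= comparison in has_permission(), so no per-role
# permission lists are needed and nothing can drift out of sync with the hierarchy.
MIN_ROLE = {
    "delete_organization": Role.OWNER,
    "transfer_ownership": Role.OWNER,
    "manage_billing": Role.ADMIN,
    "configure_sso": Role.ADMIN,
    "configure_siem": Role.ADMIN,
    "manage_members": Role.ADMIN,
    "create_delete_projects": Role.MEMBER,
    "manage_dlp_policies": Role.MEMBER,
    "manage_api_keys": Role.MEMBER,
    "manage_webhooks": Role.MEMBER,
    "manage_deployments": Role.MEMBER,
    "export_audit_reports": Role.MEMBER,
    "generate_violation_reports": Role.MEMBER,
    "view_dashboards": Role.VIEWER,
    "view_audit_logs": Role.VIEWER,
    "view_violations": Role.VIEWER,
}


def has_permission(role: Role, permission: str) -> bool:
    """Deny by default: a permission the matrix does not list is never granted."""
    required = MIN_ROLE.get(permission)
    return required is not None and role >= required


def can_assign_role(actor: Role, target: Role) -> bool:
    """Invitation and role-change rule from the page: the actor needs
    'Manage members & roles' and the target role must be strictly below the
    actor's own. Because nothing sits above Owner, Owner can never be assigned
    this way; ownership is transferred, not granted."""
    return has_permission(actor, "manage_members") and target < actor
```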
SSO & Auto-Provisioning
When SAML SSO is configured, RBAC integrates with identity provider authentication:
- Auto-provisioning — new SSO users are created with the org's configured default role (recommended: Member)
- Existing users — keep their current role on re-login via SSO
- Enforce SSO — when enabled, password login is blocked for users with matching email domains
Security warning: If auto-provisioning is enabled with defaultRole set to Admin, anyone with a matching email domain who logs in via SSO automatically receives admin rights. Use Member as the default role and promote users individually.
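An added illustration (not the product's own code) of how the three SSO behaviours and the warning above compose: first-time SSO users receive the default role, returning users keep theirs, Enforce SSO refuses password login for managed domains, and a configuration lint flags a default role above Member. The field names and the domain list are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ROLE_RANK = {"viewer": 1, "member": 2, "admin": 3, "owner": 4}


@dataclass
class SsoConfig:
    domains: Set[str]      # email domains the IdP is authoritative for (assumed field)
    auto_provision: bool   # the page's auto-provisioning switch
    default_role: str      # the page's defaultRole setting
    enforce_sso: bool      # the page's Enforce SSO switch


@dataclass
class Org:
    sso: SsoConfig
    users: Dict[str, str] = field(default_factory=dict)  # email -> current role


def config_warnings(cfg: SsoConfig) -> List[str]:
    """Flag the misconfiguration from the security warning: with auto-provisioning
    on, any default role above Member hands elevated rights to every SSO login."""
    warnings = []
    if cfg.auto_provision and ROLE_RANK.get(cfg.default_role, 0) > ROLE_RANK["member"]:
        warnings.append(f"defaultRole={cfg.default_role} with auto-provisioning enabled")
    return warnings


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def sso_login(org: Org, email: str) -> Optional[str]:
    """Role the user holds after an IdP-asserted login, or None if refused."""
    if email_domain(email) not in org.sso.domains:
        return None                              # assertion for a domain we do not manage
    if email in org.users:
        return org.users[email]                  # existing users keep their current role
    if not org.sso.auto_provision:
        return None                              # unknown user, no provisioning: refuse
    org.users[email] = org.sso.default_role      # first login: org default role
    return org.users[email]


def password_login_allowed(org: Org, email: str) -> bool:
    """Enforce SSO: password login is blocked when the email domain is SSO-managed."""
    if org.sso.enforce_sso and email_domain(email) in org.sso.domains:
        return False
    return email in org.users
```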
How RBAC Relates to API Keys
RBAC controls who can manage projects, policies, and keys via the dashboard. API keys authenticate proxy requests at runtime and are scoped to individual projects.
Dashboard Access (RBAC)
Determines who can create projects, edit DLP policies, generate API keys, configure SSO/SIEM, and view audit logs. Enforced by the web application.
Proxy Access (API Keys)
API keys authenticate requests to the proxy and determine which project's DLP policy, budget, and provider keys apply. API keys don't carry user identity or roles.
FAQ
Can I have multiple owners?
No. Each organization has exactly one owner. Ownership can be transferred to another admin via the settings page.
Can a member see other members' projects?
Yes. All projects within an organization are visible to all members. RBAC controls who can modify settings, not who can see projects.
What happens when I remove a user?
They lose access immediately. Their past actions remain in the audit log. API keys they created continue to work (keys are scoped to projects, not users).
Can I restrict a user to specific projects?
Not currently. RBAC is org-level — all roles apply across all projects in the organization. Per-project role assignments are on the roadmap.
Does RBAC work with Hybrid VPC?
Yes. RBAC controls dashboard access. Hybrid VPC proxy requests authenticate via API keys, which are independent of user roles.
Ready to manage your AI governance team?
RBAC is available on all plans. Invite team members and assign roles from the Settings page.