RBAC & SSO
Enterprise security controls
[!WARNING] Status: Coming soon. SSO and RBAC are part of the enterprise features under development. The design below describes the planned behavior.
Role-Based Access Control (RBAC)
ChooChoo will support fine-grained permissions for The Station. RBAC will determine what each user can see and do within the Governance UI, and integrate with Approval Workflows to control who can approve or reject changes.
| Role | Capabilities |
|---|---|
admin | Full access. Manage users, policies, and configuration. |
approver | Can approve/reject requests via Approval Workflows. View Audit Trail. |
developer | View Lineage Graph and submit requests. Run choochoo governance submit. |
auditor | Read-only access to Audit Trail and Compliance Reports. |
Role Assignment
Roles are assigned in The Station admin panel. When SSO is configured, roles can be automatically mapped from identity provider groups, eliminating manual role management.
RBAC and Agents
AI Agents are subject to a separate boundary system defined in the Agent Registry and enforced by the validation engine. Agent boundaries (read-only, no-pii, requires-approval, etc.) operate independently of RBAC roles. However, the human who registered the agent must have at least developer permissions.
System Cards document each agent's capabilities and compliance alignment, which feeds into risk scoring alongside RBAC considerations.
Single Sign-On (SSO)
Enterprise plans support OIDC and SAML integration with:
- Okta
- Entra ID (Azure AD)
- Google Workspace
SSO integration ensures that all user identities in The Station are centrally managed and that authentication events are recorded in the Audit Trail.
Configuration
SSO is configured in The Station admin settings. Once enabled, all access to the Governance UI requires authentication through your identity provider. The Audit Trail records the SSO identity for every action, providing a clear chain of attribution for Compliance Reporting.
Security Considerations
All SSO tokens are handled according to the Security Considerations specification:
- Tokens are encrypted in transit (required) and at rest (required for
confidentialandrestrictedclassifications) - Session events are logged in the Audit Trail
- Failed authentication attempts are recorded and contribute to security monitoring in The Station
Related
The Station
The enterprise Governance UI where RBAC and SSO are configured and enforced.
Approval Workflows
Policy gates that integrate with RBAC roles to determine who can approve changes.
Audit Trail
All authentication and authorization events are recorded in the immutable log.
Compliance Reporting
Generate reports that include SSO identity attribution for all decisions.
Security Considerations
Encryption, token handling, and access control requirements for the platform.
Agents
How agent boundaries relate to (and differ from) RBAC user permissions.