RBAC for AI Control Plane

RBAC — Section 1: Hero

AI Product Management Access Control Identity Management Zero to One Enterprise SaaS Cortx

Role Based Access Control (RBAC) —

Governance that works for people, not just policies

Enterprises were buying Cortx licenses for different roles and users — with no way to enforce who could access what. Every user had the same permissions. Every admin was flying blind. I built Role-Based Access Control from zero — a permission system that made enterprise governance possible without making it painful.

Role

PM Associate · Cortx

Product

Cortx — AI Control Plane for Enterprises

Timeline

Ongoing — still iterating

Tools

FigJam · Figma · Miro · ADO

RBAC — Section 2: Stats

0 → 1

Built entirely from scratch — no prior access control system existed in Cortx

Enterprise-ready

Cortx could now be sold to larger enterprises with stricter governance requirements

RBAC — Section 3: The Problem

The problem

Everyone had access to everything. Nobody could control anything.

When an enterprise buys software, they're not buying access for everyone equally. They're buying specific capabilities for specific people in specific roles. An operations lead shouldn't be able to reconfigure AI agents. A viewer shouldn't be able to delete a workflow someone spent a week building.

Cortx had none of this. Every user who was onboarded got the same permissions — full access to every module, every configuration, every piece of enterprise data. There was no concept of a role. No concept of a permission. No concept of an admin.

License enforcement was impossible

Enterprises bought tiered licenses — some with premium capabilities, some with standard access. There was no way to enforce any of this. Every tier distinction in the commercial model was invisible in the product.

Governance policies couldn't be applied

Enterprise IT and security teams have strict requirements about who can access what — especially for AI systems handling sensitive business data. Cortx had no mechanism to enforce any of those policies.

Admins had no visibility

There was no admin dashboard. No way to see who was in the system, what they had access to, or what they had done. If something went wrong, there was no audit trail and no way to trace it.

No connection to enterprise identity systems

Every enterprise already has an identity infrastructure — Active Directory, LDAP, CyberArk. Cortx had no way to connect to any of them. Every user had to be manually created and managed inside Cortx, separately from the rest of the enterprise's IT ecosystem.

The platform couldn't scale upmarket

Larger enterprises — the ones with the highest contract values — wouldn't onboard without access control and identity integration. RBAC was the gate between Cortx's current customer profile and the enterprise segment it needed to reach.

RBAC — Section 4: Two Admins

Two admins, one system

The IT administrator and the workspace owner

RBAC in enterprise software is almost always designed for one person: the IT administrator. The result is a system that works for that person and nobody else. Cortx's admin users were more varied than that — and I designed for both.

The IT administrator

Security teams · IT governance · Compliance

Security-first mindset. Comfortable with complex permission models. Needs granular control, audit trails, and the ability to connect Cortx to the organisation's existing identity infrastructure — CyberArk, LDAP, Azure AD. Will configure the system once and expect it to enforce itself reliably.

Design principle: every permission decision should be auditable. If something goes wrong, the admin should be able to trace exactly what happened, when, and who did it.

The workspace owner

PMs · Team leads · Operations directors

A product manager, team lead, or operations director given admin rights for their team — but with no interest in becoming an IT specialist. They need to onboard their team, assign the right access levels, and get out of the way. They don't want to think about inheritance hierarchies or identity provider configurations.

Design principle: the most common admin task — inviting a user and assigning a role — should take under 60 seconds with zero technical knowledge required.

Both users needed the same underlying system. They needed completely different interfaces to it. I designed one permission model and two entry points — the same approach that worked in Agent Playground, applied to a governance context.

Section 5 — Two Users

Two users, one product

The non-technical builder and the power user

Most enterprise tools are built for one type of user and quietly ignore the other. I defined Agent Playground to serve two distinct users on the same underlying framework — different entry points, not different products.

The non-technical builder

Ops leads · Business analysts · PMs

They know what they want the agent to do but have never thought about models, tools, or knowledge sources as separate configurable layers. They needed progressive disclosure — the most important controls first, advanced configuration available but not imposed.

Design principle: every setting should explain itself — plain language, not technical jargon buried in a tooltip.

The power user

Developers · Solution architects · Technical PMs

They know what they're doing. They don't need guidance through every layer — they want direct access to configuration, fast. An advanced mode that bypasses the guided flow and lets them work directly on the assembly environment.

Design principle: same product, different front door. No feature gates — just two entry points into the same builder.

The two-mode decision wasn't just a UX call. Enterprise tools that only serve power users leave most of the organisation behind. Tools that only serve non-technical users frustrate the people who need depth. Both groups existed at every enterprise client — the right answer was both.

RBAC — Section 5: Permission Architecture

The architecture

One model, two role types, module-level control

Before any design or engineering work started, I defined the complete permission architecture — what could be controlled, at what level of granularity, and how roles mapped to access. Click each role below to explore what it can do.

Owner

One per workspace · Full control

Full access to all modules, all settings, and all users. Can change billing, transfer ownership, and configure identity providers. The single highest-trust role in the system — one per workspace.

Agent Playground

Full

Workflow Builder

Full

Collab Flow

Full

Model Playground

Full

Platform Settings

Full

🎛️

Custom roles

For enterprises with specific governance requirements — clone any predefined role as a starting point, then adjust module-level permissions. Custom roles are named, saved, and reusable across the organisation.

📋

Role templates

Common custom role patterns available as pre-built templates — a "Developer" role, a "Business Analyst" role, and others. Click, customise, deploy. Most enterprises never need to build from scratch.

RBAC — Section 6: License Model

The license model

Permissions follow the license — automatically

Certain features within each module are premium — available only to enterprises on higher license tiers. Before RBAC, these features were visible to every user regardless of their license. I defined the license-permission bridge that connected what was commercially agreed to what was actually accessible in the product.

Feature

Agent Playground

Workflow Builder

Collab Flow

Basic chat interface

Standard

✓

Custom knowledge sources

Standard

✓

Advanced model selection

Premium

🔒

—

Version history & rollback

Premium

🔒

Audit logs

Enterprise

🔒

Identity provider integration

Enterprise

🔒

Advanced model selection — Premium feature

Switch between AI models to optimise for response quality, speed, or cost. Available on Professional and Enterprise tiers.

Upgrade to unlock →

📈

Visible but locked — not hidden

Every user sees premium features regardless of their tier — with a lock icon and upgrade prompt. This creates organic upgrade intent. Every locked touchpoint is a commercial conversation.

✅

Automatic enforcement

License changes propagate immediately — no cache delays, no manual refresh. When a tier upgrades, features unlock in real time. When it downgrades, they lock. No manual intervention required.

RBAC — Section 7: Identity Providers

Identity providers

Connecting Cortx to enterprise identity infrastructure

Every enterprise already has an identity system. Before RBAC, Cortx existed completely outside of it — a separate island of users and credentials with no relationship to the organisation's existing IT infrastructure. I defined and shipped integration with three of the most common enterprise identity platforms.

🔐

CyberArk

Used by: Financial services · Healthcare · Government

CyberArk is the privileged access management platform used by enterprises with the strictest security requirements. Integration with CyberArk meant that Cortx could participate in the enterprise's broader privileged access workflows — session recording, credential vaulting, and just-in-time access provisioning. For security-heavy industries, CyberArk integration was a procurement requirement, not a nice-to-have.

Privileged access Session recording Credential vaulting JIT provisioning

Product decisions I made for this integration

Role mapping logic

Defined how CyberArk privilege groups map to Cortx predefined and custom roles — including fallback behaviour when no clean mapping exists.

Sync behaviour

Users removed from CyberArk lose Cortx access in real time — not at the next sync cycle. Immediate deprovisioning was non-negotiable for security-heavy clients.

Admin handoff

Integration setup is a distinct, one-time configuration flow — separate from day-to-day admin. IT configures once, workspace owner takes over without needing to understand the integration.

The boundary I defined: the identity provider authenticates the user — verifying who they are. Cortx assigns the role — determining what they can do. Two systems, each owning what they're actually good at.

RBAC — Section 8: Central Design Challenge

The central design challenge

Making a complex permission system feel simple to configure

RBAC has real depth — multiple role types, module-level granularity, custom role creation, audit logging, license-tier integration, and identity provider connectivity. The challenge wasn't building the depth. It was making that depth invisible to the people who didn't need it.

The failure mode I was designing against: enterprise IT tools that put the full complexity of their permission model in front of every admin, regardless of technical level. The result is a system that intimidates non-technical admins, creates configuration errors, and generates support tickets.

The three decisions that solved it

Progressive disclosure over full exposure

Show the simple path first. Let complexity be discovered.

The default admin view shows the four predefined roles and a simple user list. Custom role creation, identity provider configuration, and license-tier management are available but require deliberate navigation — they're not on the critical path.

Without this

Non-technical workspace owners see the full permission matrix on first login. Confusion. Configuration errors. Support tickets.

With this

Workspace owners see four roles and a user list. They onboard their team in minutes. IT admins find the advanced controls when they need them.

Predefined roles as the primary path

Make the defaults genuinely good — not placeholders.

I made the predefined roles genuinely good — four roles that cover 90% of enterprise use cases. Most admins never touched the custom role builder. The complexity existed for the 10% who needed it, not as the first thing everyone encountered.

Without this

Every enterprise immediately customises away from bad defaults. The custom role builder becomes the primary path. Complexity is unavoidable.

With this

90% of enterprises deploy with predefined roles only. The custom builder is there for the 10% who genuinely need it — not everyone who had to use it.

Plain language everywhere

Write for the workspace owner, not the IT administrator.

Permission descriptions in plain language, not technical jargon. Every role has a one-line description of who it's for and what they can do. A workspace owner reading the role list for the first time should understand it without hovering over a tooltip.

Without this

"WRITE:workflow_builder" · "READ:agent_playground" · "ADMIN:platform_settings" — requires a technical background to interpret.

With this

"Can create and edit workflows" · "Can use but not configure agents" · "Full access to platform settings" — anyone can read and understand.

RBAC — Section 9: Key Decisions

Key decisions

The calls that shaped the product

Click each decision to reveal the reasoning behind it.

01 — Permission layers

Module-level role permissions and license-level feature permissions — two separate layers

↓

I chose to handle role-based access at the module level and license-based access at the feature level — as two distinct, complementary layers rather than one unified permission system. The alternative was a single system controlling everything at the feature level — maximum flexibility, maximum complexity.

Why: Two clean layers beat one complex unified system. Role-based access answers "who can use which parts of the platform." License-based access answers "which capabilities within those parts are unlocked." Conflating them would have produced a permission model too complex to configure and too hard to explain.

02 — Premium features

Visible but locked for premium features — not hidden

↓

When a user doesn't have access to a premium feature, they see it — with a lock icon and an upgrade prompt — rather than not seeing it at all. The alternative was hiding premium features entirely from users on lower tiers.

Why: Hiding features makes the product feel smaller than it is. Showing locked features creates organic upgrade intent and is more honest. Every locked premium touchpoint is a commercial signal and a product education moment.

03 — Identity boundary

Identity provider as authentication source of truth, Cortx as role source of truth

↓

When defining how external identity providers interact with Cortx's internal role system, I had to decide which system wins when there's a conflict. The options were: identity provider controls everything, Cortx controls everything, or a clean split between the two.

Why: The identity provider authenticates the user — verifying who they are. Cortx assigns the role — determining what they can do. Letting the IdP control roles would have meant IT teams managing Cortx-specific config in a system not built for it. The clean boundary made integration robust and gave each system ownership of what it was actually good at.

04 — Audit logs

Audit logs in v1 — not deferred to v2

↓

There was pressure to defer audit logs — ship the core role and permission system first, add logging in a follow-up sprint. The argument was reasonable: logging is complex to implement and the core RBAC value doesn't depend on it.

Why: For enterprise IT and security teams, an access control system without audit logs isn't an access control system. The ability to say "this person had access" is worthless if you can't say "this person did this thing at this time." Audit logs were the feature that made the rest of the system trustworthy. Deferring them would have deferred enterprise credibility.

RBAC — Section 10: What I Didn't Build

What I didn't build

The deliberate cuts

Good product decisions aren't just about what you ship. They're about what you choose not to — and being clear-eyed about why.

Feature-level role permissions

Granular role control at the individual feature level within modules was requested. I kept role-based access at the module level — feature-level access is the responsibility of the license model. Two clean layers beat one complex unified system.

Descoped — by design

Nested team hierarchies with permission inheritance

Some enterprises wanted hierarchical team structures where permissions inherited down from parent teams to child teams. I kept the model flat — roles assigned to teams directly, no inheritance. Inheritance adds significant complexity to both the configuration experience and the data model. The flat model covers real use cases without the edge case complexity.

Deferred to v2

SSO beyond CyberArk, LDAP, and Azure AD

Beyond the three integrated providers, there were requests for Okta, PingIdentity, and others. I scoped v1 to the three most common providers across our enterprise client base. The integration architecture is designed to be extensible — adding new providers is a configuration exercise, not a rebuild.

On the roadmap

RBAC — Section 11: Impact

Impact

What became possible

RBAC didn't produce a metric I can point to. What it produced was a category of enterprise deal that wasn't possible before it existed — and a set of capabilities that fundamentally changed what Cortx could promise to enterprise clients.

🔐

License enforcement finally worked

Premium features are now gated by license tier — automatically, reliably, and visibly. The commercial model and the product are finally aligned. Enterprises get exactly what they paid for, and the upgrade path is visible to every user who encounters a locked feature.

👁️

Admins had the visibility they needed

For the first time, enterprise admins could see exactly who was in their Cortx workspace, what they had access to, and what they had done. The audit log transformed RBAC from a configuration tool into a governance tool.

🔗

Enterprise identity infrastructure — connected

Cortx stopped being a separate identity island. Enterprises using CyberArk, LDAP, or Azure AD could connect their existing identity infrastructure — centralising user management, enabling real-time deprovisioning, and satisfying enterprise security requirements.

📈

Cortx could sell to larger enterprises

Enterprise procurement teams at larger organisations — the ones with security reviews, compliance requirements, and identity governance policies — could now evaluate Cortx seriously. RBAC, the license model, and identity provider integration together made Cortx enterprise-credible.

The most significant outcome wasn't a feature — it was a market. RBAC unlocked an entire segment of enterprise deals that couldn't happen before it existed. Not just a capable AI platform — a governable one.

RBAC — Section 12: Learnings

Learnings

The product that unlocks market access isn't always the most visible one. RBAC doesn't show up in demo videos. But without it, Cortx couldn't be sold to the enterprises that matter most. Infrastructure products deserve the same PM rigour as headline features.

Two complementary layers beat one complex unified system. Role-based access and license-based access as separate layers made both simpler to build, configure, and explain. Clean separation of concerns is a product design principle, not just an engineering one.

Predefined defaults are a product decision, not a shortcut. The four predefined roles are the result of mapping every enterprise use case I encountered. Bad defaults generate support tickets. Good defaults mean most users never need to go deeper.

Identity integration is a product problem before it's an engineering problem. Connecting Cortx to CyberArk, LDAP, and Azure AD required product decisions at every level. The engineering complexity was real, but the product decisions came first — you can't build a good integration without knowing what it's supposed to do and for whom.

Let's Connect!

Building and scaling products—from 0 to 1, and from 1 to 10. Let’s create what’s next.