Team and RBAC

RBAC controls who can mutate policy, billing, and organization state.

Standard roles

  • owner: full workspace control, billing authority, emergency controls
  • admin: policy and team governance
  • security_admin: policy and incident authority
  • member: runtime usage with restricted mutation access

Team model

  • users can belong to multiple groups
  • each session resolves one active workspace context
  • team assignment changes take effect on the next policy fetch cycle

Permission boundaries

Admin-only actions should be server-authorized, not client-trusted:

  • create/edit/delete team policy
  • assign/reassign team membership
  • revoke user/device access
  • toggle emergency override
  • billing seat and plan operations
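An added example (not the project's own code) of what "server-authorized, not client-trusted" means in practice: the acting role is resolved from server-held session and membership records, and a role claim carried in the request body is ignored. The action names, the session and membership structures, and the role-to-permission mapping are assumptions derived from the role descriptions and the admin-only list above.

```python
"""Server-side authorization for admin-only actions (added example, not the
project's own code). The acting role is resolved from server-held session and
membership records; any role claim in the client request is ignored."""
from dataclasses import dataclass

# Admin-only actions from the "Permission boundaries" list (names assumed).
POLICY_WRITE = "policy.write"          # create/edit/delete team policy
TEAM_ASSIGN = "team.assign"            # assign/reassign team membership
ACCESS_REVOKE = "access.revoke"        # revoke user/device access
EMERGENCY_TOGGLE = "emergency.toggle"  # toggle emergency override
BILLING_MANAGE = "billing.manage"      # billing seat and plan operations

# Assumed mapping, derived from the one-line role descriptions above.
ROLE_PERMISSIONS = {
    "owner": {POLICY_WRITE, TEAM_ASSIGN, ACCESS_REVOKE, EMERGENCY_TOGGLE, BILLING_MANAGE},
    "admin": {POLICY_WRITE, TEAM_ASSIGN, ACCESS_REVOKE},
    "security_admin": {POLICY_WRITE, ACCESS_REVOKE, EMERGENCY_TOGGLE},
    "member": set(),  # runtime usage only; no mutation of policy/team/billing state
}


class AuthorizationError(Exception):
    pass


@dataclass
class Session:
    session_id: str
    user_id: str
    workspace_id: str  # each session resolves exactly one active workspace
    revoked: bool = False


class Authorizer:
    def __init__(self):
        self.sessions = {}     # session_id -> Session, populated at login
        self.memberships = {}  # (user_id, workspace_id) -> role

    def authorize(self, session_id: str, action: str, request: dict) -> str:
        """Return the resolved role if `action` is permitted, else raise.

        `request` is the client-supplied body. It is accepted only so the call
        site looks like a real handler; nothing in it influences the decision,
        including a forged {"role": "owner"} claim.
        """
        session = self.sessions.get(session_id)
        if session is None or session.revoked:
            raise AuthorizationError("no valid session")
        role = self.memberships.get((session.user_id, session.workspace_id))
        if role is None:
            raise AuthorizationError("user has no membership in the active workspace")
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise AuthorizationError(f"role {role!r} may not perform {action!r}")
        return role


def is_allowed(auth: Authorizer, session_id: str, action: str, request: dict) -> bool:
    """Boolean wrapper around authorize(), convenient for handlers."""
    try:
        auth.authorize(session_id, action, request)
        return True
    except AuthorizationError:
        return False


def build_demo_authorizer() -> Authorizer:
    """Constructed sample data: one workspace, one user and session per role."""
    auth = Authorizer()
    for role in ROLE_PERMISSIONS:
        auth.sessions[f"sess-{role}"] = Session(f"sess-{role}", f"user-{role}", "ws-1")
        auth.memberships[(f"user-{role}", "ws-1")] = role
    # A session bound to a workspace the user is not a member of (for example
    # after a membership change that has not yet been re-resolved).
    auth.sessions["sess-orphan"] = Session("sess-orphan", "user-member", "ws-2")
    return auth


if __name__ == "__main__":
    auth = build_demo_authorizer()
    forged = {"role": "owner", "policy": {"deny": ["*"]}}
    print("member with forged owner claim ->",
          is_allowed(auth, "sess-member", POLICY_WRITE, forged))            # False
    print("admin billing ->", is_allowed(auth, "sess-admin", BILLING_MANAGE, {}))  # False
    print("owner billing ->", is_allowed(auth, "sess-owner", BILLING_MANAGE, {}))  # True
```

The membership lookup is keyed by the session's own workspace, which is how "each session resolves one active workspace context" shows up in the check: a user who is an admin in one workspace gets no admin rights in a session bound to another.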

Device/session governance

Production behavior should include:

  • an enforced maximum number of active device sessions per user
  • ability to revoke one device or all devices for a user
  • short-lived access tokens + refresh token rotation
  • revocation as a replay defense when refresh token reuse is detected

Offboarding

When user access is removed:

  1. revoke device sessions
  2. remove org/team mappings
  3. block policy fetch to prevent further CLI execution
  4. preserve audit record history
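An added example (not the project's own code) covering both the device/session governance list and the four offboarding steps in one session store: a per-user device cap, revocation of one or all devices, short-lived access tokens with refresh token rotation, revocation of the whole token family when a consumed refresh token is presented again, and an offboarding routine that revokes sessions, removes team mappings, blocks policy fetch and keeps the audit trail. The token lifetime, the device cap, the evict-oldest policy and all data structures are assumptions.

```python
"""Device/session governance and offboarding (added example, not the project's
own code). Tokens are opaque random strings held server-side as SHA-256 digests;
each device login opens one token family, and a replayed refresh token revokes it."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 15 * 60     # assumed: access tokens live 15 minutes
MAX_DEVICE_SESSIONS = 3  # assumed: per-user cap on active device sessions


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class DeviceSession:
    family_id: str
    user_id: str
    device_id: str
    created_at: float
    revoked: bool = False
    current_refresh: str = ""                       # digest of the one valid refresh token
    used_refresh: set = field(default_factory=set)  # digests already rotated away


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so expiry is testable
        self.sessions = {}       # family_id -> DeviceSession
        self.access = {}         # access token digest -> (family_id, expires_at)
        self.team_mappings = {}  # user_id -> set of org/team names
        self.policy_blocked = set()
        self.audit = []          # append-only; offboarding never prunes it

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    def _issue(self, session):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[_digest(access)] = (session.family_id, self.clock() + ACCESS_TTL)
        session.current_refresh = _digest(refresh)
        return access, refresh

    def login(self, user_id, device_id):
        active = sorted((s for s in self.sessions.values() if s.user_id == user_id
                         and not s.revoked), key=lambda s: s.created_at)
        if len(active) >= MAX_DEVICE_SESSIONS:  # assumed policy: evict the oldest device
            self.revoke_device(active[0].family_id, reason="device session cap")
        session = DeviceSession(secrets.token_hex(8), user_id, device_id, self.clock())
        self.sessions[session.family_id] = session
        self._log("login", user=user_id, device=device_id)
        return self._issue(session)

    def refresh(self, refresh_token):
        """Rotate the refresh token; return a new (access, refresh) pair or None."""
        d = _digest(refresh_token)
        session = next((s for s in self.sessions.values()
                        if d == s.current_refresh or d in s.used_refresh), None)
        if session is None or session.revoked:
            return None
        if d in session.used_refresh:  # replay: this token was already rotated away
            self.revoke_device(session.family_id, reason="refresh token reuse")
            return None
        session.used_refresh.add(d)
        return self._issue(session)

    def validate_access(self, access_token):
        entry = self.access.get(_digest(access_token))
        if entry is None:
            return None
        session = self.sessions[entry[0]]
        return None if session.revoked or self.clock() >= entry[1] else session.user_id

    def revoke_device(self, family_id, reason="operator"):
        s = self.sessions[family_id]
        s.revoked = True
        self._log("revoke_device", user=s.user_id, device=s.device_id, reason=reason)

    def revoke_all(self, user_id, reason="operator"):
        for fid in [f for f, s in self.sessions.items() if s.user_id == user_id and not s.revoked]:
            self.revoke_device(fid, reason)

    def active_devices(self, user_id):
        return [s.device_id for s in self.sessions.values() if s.user_id == user_id and not s.revoked]

    def policy_fetch_allowed(self, user_id):
        return user_id not in self.policy_blocked

    def offboard(self, user_id):
        """The four offboarding steps, in the order the page lists them."""
        self.revoke_all(user_id, reason="offboarding")                     # 1 device sessions
        removed = self.team_mappings.pop(user_id, set())                    # 2 org/team mappings
        self.policy_blocked.add(user_id)                                    # 3 block policy fetch
        self._log("offboard", user=user_id, removed_teams=sorted(removed))  # 4 audit preserved
```

Two points worth noticing: a replayed refresh token is not simply rejected but kills the whole family, because at that moment the server cannot tell which of the two holders (the legitimate client or whoever copied the token) is presenting it; and the revocation is written to the audit log with its reason, so reuse events are visible to whoever monitors the store.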