
SSO & RBAC

Connect your identity provider (IdP) and enforce role-based access control across projects. Implement secure, scalable access management that integrates with your existing identity infrastructure.

Single Sign-On (SSO) and Role-Based Access Control (RBAC) provide the foundation for enterprise security. By integrating with your identity provider, you can leverage existing user management processes while maintaining granular control over Evaligo access.

Assign roles such as admin, editor, and viewer with least-privilege defaults and project scoping. This approach minimizes security risks while ensuring users have the access they need to be productive.

[Screenshot: SSO configuration interface showing identity provider setup and role mapping options]

Identity Provider Setup

Configure integration with your organization's identity provider. Evaligo supports major SSO providers including Okta, Azure AD, Google Workspace, and any SAML 2.0 or OIDC-compliant system.

  1. Choose provider type: select your identity provider and authentication protocol (SAML 2.0 or OIDC).

  2. Configure endpoints: set up SSO URLs, certificates, and claim mappings between systems.

  3. Test authentication: verify that the user login flow and attribute mapping work correctly.

  4. Enable enforcement: require SSO for all users and disable password-based authentication.

SAML attribute statement example
<!-- Attributes the IdP sends to Evaligo inside the SAML assertion -->
<saml:AttributeStatement>
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@company.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>ai-team</saml:AttributeValue>
    <saml:AttributeValue>data-scientists</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="department">
    <saml:AttributeValue>engineering</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
Info

Attribute Mapping: Ensure your IdP sends required attributes (email, groups, department) in SAML assertions or OIDC claims. These attributes drive automatic role assignment and project access.

Role-Based Access Control

Define roles that align with your organization's structure and security requirements. Each role provides specific permissions across different Evaligo resources and operations.

[Screenshot: Role management interface showing permission matrices and project-level access controls]

Use groups and SCIM for automated provisioning where available. This enables dynamic user provisioning based on organizational changes and reduces manual administration overhead.

Role configuration via API
from evaligo import Client

admin_client = Client()

# Define custom roles
roles = admin_client.rbac.create_roles([
    {
        "name": "Data Scientist",
        "permissions": [
            "experiments.read",
            "experiments.write",
            "datasets.read",
            "datasets.write",
            "playground.write"
        ],
        "project_scope": "assigned"  # Only projects they're assigned to
    },
    {
        "name": "ML Engineer", 
        "permissions": [
            "experiments.read", 
            "experiments.write",
            "traces.read",
            "traces.write",
            "integrations.read"
        ],
        "project_scope": "assigned"
    },
    {
        "name": "AI Team Lead",
        "permissions": [
            "experiments.*",
            "datasets.*", 
            "projects.read",
            "projects.write",
            "users.read"
        ],
        "project_scope": "all"
    }
])

# Map IdP groups to roles
group_mappings = admin_client.rbac.create_group_mappings([
    {"idp_group": "data-scientists", "role": "Data Scientist"},
    {"idp_group": "ml-engineers", "role": "ML Engineer"},
    {"idp_group": "ai-leads", "role": "AI Team Lead"}
])

Project-Level Permissions

Implement project scoping to limit access to relevant resources. Users can be granted different permission levels across different projects, enabling flexible collaboration while maintaining security boundaries.

Tip

Least Privilege: Start with minimal permissions and grant additional access as needed. Regular access reviews help identify and remove unnecessary permissions over time.

Project access management
# Assign users to projects with specific roles
project_assignments = admin_client.rbac.assign_project_access([
    {
        "user_email": "alice@company.com",
        "project_id": "chatbot-prod",
        "role": "Data Scientist",
        "permissions": ["experiments.read", "experiments.write"]
    },
    {
        "user_email": "bob@company.com", 
        "project_id": "recommendation-engine",
        "role": "ML Engineer",
        "permissions": ["experiments.*", "traces.*"]
    }
])

# Bulk assignment based on department
admin_client.rbac.bulk_assign_by_attribute(
    attribute="department",
    value="ai-research",
    project_id="research-projects", 
    role="Data Scientist"
)

Dynamic Access Control

Configure rules that automatically grant or revoke access based on organizational changes. This reduces administrative overhead and ensures access permissions stay current with organizational structure.

Video: SSO & RBAC Setup Walkthrough (6m 20s). Step-by-step guide to configuring enterprise authentication.

Compliance and Auditing

Audit permission changes via the audit log to maintain compliance and traceability. All access control modifications are automatically logged with full context for regulatory and security review.

[Screenshot: Audit dashboard showing access control changes, login events, and permission modifications]

Regular access reviews ensure permissions remain appropriate as roles and responsibilities evolve. Automated reporting can identify unused permissions, over-privileged accounts, and compliance violations.

Warning

Regular Reviews: Conduct quarterly access reviews to identify and remove unnecessary permissions. Document review findings for compliance and audit purposes.

Access review automation
# Generate access review report
review_report = admin_client.rbac.generate_access_review(
    time_period="last_quarter",
    include_sections=[
        "user_permissions",
        "inactive_users", 
        "over_privileged_accounts",
        "role_usage_statistics"
    ]
)

# Schedule regular reviews
admin_client.rbac.schedule_access_review(
    frequency="quarterly",
    reviewers=["security@company.com", "ai-team-lead@company.com"],
    auto_remediation={
        "remove_inactive_users_days": 90,
        "downgrade_unused_permissions": True
    }
)

# Export for compliance
compliance_export = admin_client.rbac.export_access_data(
    format="csv",
    include_historical=True,
    retention_period="7_years"
)
