Access Control Policy

Status: ACTIVE
Owner: Daan ([email protected])
Effective: 2026-04-20
Last reviewed: 2026-04-20
Next review: 2026-10-20

Purpose

Define how access to rotor.sh systems, data, and administrative functions is granted, maintained, and revoked — covering both internal team access and customer-facing RBAC.

Scope

All Rotor employees, contractors, and enterprise customers using SSO/SAML + RBAC features.

Policy

1. Customer-Facing RBAC (ENT-01)

rotor.sh implements a fixed four-role model:

  • admin: Full workspace control; manages members, API keys, SSO config, billing.
  • developer: Manages queues, jobs, schedules, guardrails, webhooks; cannot manage members.
  • approver: Approves or rejects pending jobs; cannot manage queues or members.
  • viewer: Read-only access to runs, audit events, and metrics.

Role assignments follow least-privilege: new invites default to viewer unless explicitly set by an admin. The approver capability is additive — a developer's team member record may include approver in their capabilities array.

2. API Key Hierarchy

API keys follow a three-tier hierarchy (AUTH-03):

  • Team keys (rtr_t_*): Cross-workspace access; issued only to admins.
  • Workspace keys (rtr_w_*): Single-workspace access; issued by admins/developers.
  • Queue keys (rtr_q_*): Single-queue access; issued by admins/developers.

Keys expire after 90 days unless extended by an admin. Rotated keys (via POST /v1/api-keys/:id/rotate) inherit the parent key's expiry.

3. SSO / SAML (ENT-01)

Enterprise customers may configure SAML 2.0 SSO via Supabase Auth. SAML role assertions (raw_app_meta_data.role) override invite-time roles where the asserted role is a valid four-role value. The Supabase SAML provider toggle must be enabled per-project by the Rotor operator.

4. Internal Team Access

Rotor employees access production infrastructure via:

  • Supabase Dashboard: email + TOTP 2FA required.
  • Railway Dashboard: SSO via GitHub; 2FA required on GitHub.
  • Fly.io Dashboard: email + TOTP 2FA required.
  • AWS Console: IAM roles with MFA enforcement; no root account usage.

New employee access is provisioned on their first day; deprovisioned within 24 hours of offboarding.

5. Secret Rotation

  • Webhook signing secrets: rotated via POST /v1/webhooks/:id/rotate-secret.
  • Callback signing secrets: rotated via PATCH /v1/queues/:id (rotate_callback_secret: true).
  • WEBHOOK_SECRET_ENCRYPTION_KEY: rotated annually and on any credential-exposure incident.
  • All secrets stored in Railway vault; never in .env files committed to version control.

6. Orphan / Legacy Keys

Orphan API key rows (null or broken team_member_id) default to role=viewer (least-privilege). scripts/audit-orphan-api-keys.sh runs as a pre-deploy CI gate before production cutover.
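The rules in sections 1, 2, 3 and 6 above, modelled in Python as an added example (this is not rotor.sh code). The roles, key prefixes, 90-day lifetime, rotation inheriting the parent expiry, the SAML override condition and the orphan-to-viewer fallback come from the policy; the function names, the TeamMember/ApiKey shapes, the members lookup dict and ISO-string dates are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
ROLES = ("admin", "developer", "approver", "viewer")          # fixed four-role model
KEY_TIERS = {"rtr_t_": "team", "rtr_w_": "workspace", "rtr_q_": "queue"}
ISSUERS = {"team": {"admin"}, "workspace": {"admin", "developer"}, "queue": {"admin", "developer"}}
KEY_LIFETIME = timedelta(days=90)

@dataclass
class TeamMember:                              # assumed shape of a team member record
    email: str
    role: str = "viewer"                       # new invites default to viewer
    capabilities: list = field(default_factory=list)

def effective_role(invite_role: str, saml_role: Optional[str]) -> str:
    """SAML assertion (raw_app_meta_data.role) wins only if it is a valid four-role value."""
    return saml_role if saml_role in ROLES else invite_role

def can_approve(m: TeamMember) -> bool:
    # approver is additive: a developer may carry it in the capabilities array
    return m.role == "approver" or "approver" in m.capabilities

def key_tier(key: str) -> str:
    for prefix, tier in KEY_TIERS.items():
        if key.startswith(prefix):
            return tier
    raise ValueError(f"unknown key prefix: {key[:6]}")

def can_issue(issuer_role: str, key: str) -> bool:
    return issuer_role in ISSUERS[key_tier(key)]

@dataclass
class ApiKey:                                  # assumed shape of an api_keys row
    key: str
    team_member_id: Optional[str]              # null or broken -> orphan row
    issued: date
    expires: Optional[date] = None
    def __post_init__(self):
        if self.expires is None:
            self.expires = self.issued + KEY_LIFETIME   # 90 days unless an admin extends
    def rotate(self, new_key: str, today_iso: str) -> "ApiKey":
        # POST /v1/api-keys/:id/rotate: the rotated key inherits the parent's expiry
        return ApiKey(new_key, self.team_member_id, date.fromisoformat(today_iso), self.expires)

def issue_key(key: str, member_id: Optional[str], issued_iso: str) -> ApiKey:
    return ApiKey(key, member_id, date.fromisoformat(issued_iso))

def key_role(k: ApiKey, members: dict) -> str:
    """Resolve a key's role; orphan rows fall back to viewer (least privilege)."""
    m = members.get(k.team_member_id) if k.team_member_id else None
    return m.role if m else "viewer"
```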

Review Cadence

Reviewed annually. Next review: 2026-10-20.