// tenant isolation, role permissions, visibility, API scopes, audit evidence

$ enforce --access="fail_closed"

AIducation access control keeps company-specific AI training, readiness evidence, manager reports, credentials, and integrations inside the right tenant. It maps identity, visibility, roles, API scopes, admin gates, and audit proof into one platform model.

Access-control model

  • 6 profiles
  • 6 layers
  • 5 roles
  • 14 API scopes
[!] Access defaults fail closed when identity, tenant, scope, or visibility cannot be proven.

// Enforcement_loop

Enterprise readiness only works when evidence is tied to the right person, tenant, visibility mode, scope, and audit trail.

  • Identify: resolve every learner, manager, admin, and API principal before private reads or writes.
  • Isolate: keep company academies, scenarios, reports, and exports inside the owning tenant.
  • Authorize: apply roles, visibility, API scopes, and admin boundaries before action.
  • Evidence: expose proof metadata for audits and credentials without leaking private scenario contents.

// Access_layers

The access model covers platform identity, tenant isolation, content lifecycle, enterprise API keys, admin permissions, and audit evidence.

[identity] Identity-bound learning evidence

Tie readiness scores, attempts, credentials, manager reports, and exports to authenticated learners and organizations.

Mechanisms: getCurrentUser, getCurrentContentUser, SSO/SCIM provisioning, and enterprise user imports

[fail_closed] If a learner or API principal cannot be resolved, readiness writes and private reads stop.

Roles

  • [+] owner: billing
  • [+] admin: content approval
  • [+] manager: team dashboards
  • [+] instructor: scenario drafts

Scopes and evidence

  • [scope] users:read
  • [scope] users:write
  • [scope] all:read
[tenant] Tenant isolation

Keep company academies, custom scenarios, manager reports, and private evidence inside the owning organization.

Mechanisms: resolveEnterpriseOrgId, assertEnterpriseOrgAccess, orgId-scoped content reads and writes

[fail_closed] Tenant admins cannot request or mutate another org's resources; platform admins need explicit org context.

Roles

  • [+] owner: billing
  • [+] admin: content approval
  • [+] manager: team dashboards
  • [+] instructor: scenario drafts

Scopes and evidence

  • [scope] teams:read
  • [scope] teams:write
  • [scope] reports:read
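The identify, isolate, authorize and evidence steps above, worked through for one tenant-scoped request, as an added example that is not AIducation's own code. The session table, the Principal and AuthzRequest shapes, the action-to-role policy and the audit record fields are assumptions made for this example; the page names the mechanisms (getCurrentUser, assertEnterpriseOrgAccess) but not their signatures, so nothing here is presented as the platform's API.

```typescript
// Added example, not AIducation's code: one fail-closed pass through the
// identify -> isolate -> authorize -> evidence loop for a tenant-scoped request.

type Role = "owner" | "admin" | "manager" | "instructor" | "viewer" | "learner";

interface Principal {
  userId: string;
  orgId: string;          // owning tenant of this principal
  roles: Role[];
  platformAdmin: boolean; // platform admins still need explicit org context (assumed)
}

interface AuthzRequest {
  sessionToken: string;
  targetOrgId: string;    // tenant that owns the requested resource
  action: "read_report" | "write_readiness" | "author_content";
  resourceId: string;
}

// Audit record carries proof metadata only: who, which org, which action, which
// resource id and the verdict. No resource contents are ever copied into it.
interface AuditRecord {
  principal: string | null;
  orgId: string;
  action: string;
  resourceId: string;
  outcome: "allow" | "deny";
  reason: string;
}

// Assumed policy: which roles may perform each action inside their own tenant.
// Content authoring is gated to admin and instructor, as the admin layer states.
const ACTION_ROLES: Record<AuthzRequest["action"], Role[]> = {
  read_report: ["owner", "admin", "manager"],
  write_readiness: ["owner", "admin", "manager", "instructor", "learner"],
  author_content: ["admin", "instructor"],
};

// Constructed session table standing in for getCurrentUser-style resolution.
const SESSIONS: Record<string, Principal> = {
  "sess-learner": { userId: "u-1", orgId: "org-a", roles: ["learner"], platformAdmin: false },
  "sess-manager": { userId: "u-2", orgId: "org-a", roles: ["manager"], platformAdmin: false },
  "sess-platform": { userId: "u-9", orgId: "platform", roles: ["admin"], platformAdmin: true },
};

// Step 1, identify: an unknown token resolves to nothing, never to a guest.
function identify(token: string): Principal | null {
  return SESSIONS[token] ?? null;
}

// orgContext is the explicit org a platform admin has selected; tenant users never need it.
function enforce(req: AuthzRequest, orgContext?: string): AuditRecord {
  const base = { orgId: req.targetOrgId, action: req.action, resourceId: req.resourceId };
  const deny = (reason: string, p: Principal | null): AuditRecord => ({
    principal: p ? p.userId : null, ...base, outcome: "deny", reason,
  });

  // 1. Identify: no principal, no private read or write.
  const p = identify(req.sessionToken);
  if (!p) return deny("unresolved principal", null);

  // 2. Isolate: tenant users stay inside their org; platform admins must name the org.
  if (p.platformAdmin) {
    if (orgContext !== req.targetOrgId) return deny("platform admin without explicit org context", p);
  } else if (p.orgId !== req.targetOrgId) {
    return deny("cross-tenant access", p);
  }

  // 3. Authorize: the action must be listed for at least one of the principal's roles.
  const allowed = ACTION_ROLES[req.action];
  if (!allowed || !p.roles.some((r) => allowed.includes(r))) return deny("role not permitted", p);

  // 4. Evidence: the allow decision is recorded with the same metadata-only shape.
  return { principal: p.userId, ...base, outcome: "allow", reason: "ok" };
}
```

Every early return goes through the same deny helper, so a request that is not positively matched by identity, tenant and role ends as a recorded denial rather than silently falling through.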
[content] Content visibility and lifecycle

Control whether courses, scenarios, skill atoms, scenario seeds, rubric contracts, and tool scripts are public, org-only, private, or draft.

Mechanisms: resolveContentVisibility, resolveRequestedVisibility, lifecycle controls, and admin publishing

[fail_closed] Non-platform admins cannot publish public content; draft content does not become learner-facing evidence.

Roles

  • [+] owner: billing
  • [+] admin: content approval
  • [+] manager: team dashboards
  • [+] instructor: scenario drafts

Scopes and evidence

  • [scope] courses:read
  • [scope] courses:write
  • [scope] all:write
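The two fail-closed rules of the content layer (only platform admins publish public content; drafts are never learner-facing) as an added example, not the platform's resolveContentVisibility or resolveRequestedVisibility code. The actor roles, the ContentItem fields and the rule that instructors may only move their own items between draft and private are assumptions for this example.

```typescript
// Added example, not AIducation's code: resolving content visibility from the
// actor's role, the owning tenant and the requested lifecycle state.

type Visibility = "public" | "org" | "private" | "draft";
type ActorRole = "platform_admin" | "tenant_admin" | "instructor" | "learner";

interface Actor { userId: string; orgId: string; role: ActorRole; }

interface ContentItem {
  id: string;
  ownerOrgId: string;
  authorId: string;
  visibility: Visibility;
}

// Write side: which visibility may this actor set on this item?
// Returns null for anything not explicitly allowed, so unlisted cases fail closed.
function resolveRequestedVisibility(actor: Actor, item: ContentItem, requested: Visibility): Visibility | null {
  if (actor.role === "platform_admin") return requested;   // the only role that may publish public
  if (item.ownerOrgId !== actor.orgId) return null;         // no cross-tenant mutation
  if (requested === "public") return null;                  // non-platform admins cannot publish public content
  if (actor.role === "tenant_admin") return requested;      // org, private or draft inside the own tenant
  if (actor.role === "instructor") {
    // Assumed: instructors keep their own items in draft or private; org-wide release is an admin gate.
    if (requested === "draft" || (requested === "private" && item.authorId === actor.userId)) return requested;
  }
  return null;
}

// Apply a lifecycle change, or return null and leave the item untouched when refused.
function publish(actor: Actor, item: ContentItem, requested: Visibility): ContentItem | null {
  const v = resolveRequestedVisibility(actor, item, requested);
  return v === null ? null : { ...item, visibility: v };
}

// Read side: does this item count as learner-facing for this actor?
function isLearnerFacing(actor: Actor, item: ContentItem): boolean {
  switch (item.visibility) {
    case "public": return true;
    case "org": return item.ownerOrgId === actor.orgId;
    case "private": return item.authorId === actor.userId;
    case "draft": return false;   // drafts never become learner-facing evidence
    default: return false;
  }
}
```

Keeping the write-side decision in one function that returns null by default means a new visibility value or role added later is refused until someone writes the rule for it, which is the fail-closed behaviour the layer describes.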
[api] Enterprise API scopes

Limit training data, users, teams, reports, enrollments, analytics, and webhook access for enterprise integrations.

Mechanisms: Bearer or x-api-key authentication, hashed keys, scopes, expiry, IP/origin allowlists, and rate limits

[fail_closed] Invalid, expired, inactive, out-of-scope, disallowed-origin, or rate-limited API keys are rejected.

Roles

  • [+] owner: billing
  • [+] admin: content approval
  • [+] manager: team dashboards
  • [+] instructor: scenario drafts

Scopes and evidence

  • [scope] users:read
  • [scope] users:write
  • [scope] courses:read
[admin] Role-based admin permissions

Separate owner, admin, manager, instructor, viewer, learner, tenant admin, and platform admin responsibilities.

Mechanisms: Admin layout, content manager checks, company academy roles, and enterprise onboarding

[fail_closed] Users without admin or instructor role cannot access content authoring or enterprise admin surfaces.

Roles

  • [+] owner: billing
  • [+] admin: content approval
  • [+] manager: team dashboards
  • [+] instructor: scenario drafts

Scopes and evidence

  • [scope] users:write
  • [scope] courses:write
  • [scope] teams:write
[audit] Audit-ready access evidence

Prove who accessed, changed, exported, or verified readiness artifacts across the enterprise rollout.

Mechanisms: Enterprise audit logs, evidence export center, credential registry, and report exports

[fail_closed] Exports and credential verification should expose proof metadata, not private learner scenario contents.

Roles

  • [+] owner: billing
  • [+] admin: content approval
  • [+] manager: team dashboards
  • [+] instructor: scenario drafts

Scopes and evidence

  • [scope] reports:read
  • [scope] analytics:read
  • [scope] all:read
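One way to build the "proof metadata, not private scenario contents" export the audit layer calls for, as an added example that is not AIducation's evidence export center or credential registry. The artifact and proof record fields, the digest-over-private-contents design and the export-time field guard are assumptions for this example; the point it demonstrates is that a verifier can confirm an artifact is unchanged without ever receiving the transcript.

```typescript
// Added example, not AIducation's code: deriving an audit/credential proof record
// from a readiness artifact so that private contents stay inside the tenant.
import { createHash } from "crypto";

interface ReadinessArtifact {
  artifactId: string;
  learnerId: string;
  orgId: string;
  scenarioId: string;
  score: number;
  completedAt: string;   // ISO timestamp
  transcript: string;    // private scenario contents: never exported
  rubricNotes: string;   // private grader notes: never exported
}

interface ProofRecord {
  artifactId: string;
  learnerId: string;
  orgId: string;
  scenarioId: string;
  score: number;
  completedAt: string;
  contentDigest: string; // sha256 commitment to the private contents
  exportedBy: string;
  exportedAt: string;
}

// Field names that must never appear in anything that leaves the tenant.
const PRIVATE_FIELDS = ["transcript", "rubricNotes"] as const;

// Digest over the private contents in a fixed order, so equal contents give equal digests.
function contentDigest(a: ReadinessArtifact): string {
  return createHash("sha256")
    .update(`${a.artifactId}\n${a.transcript}\n${a.rubricNotes}`)
    .digest("hex");
}

// Build the export from an explicit allowlist of fields rather than by deleting
// private ones from a copy; a field added to the artifact later is excluded by default.
function toProofRecord(a: ReadinessArtifact, exportedBy: string, exportedAt: string): ProofRecord {
  return {
    artifactId: a.artifactId,
    learnerId: a.learnerId,
    orgId: a.orgId,
    scenarioId: a.scenarioId,
    score: a.score,
    completedAt: a.completedAt,
    contentDigest: contentDigest(a),
    exportedBy,
    exportedAt,
  };
}

// Verifier side, run by whoever holds the artifact: the record is genuine only if the
// metadata matches and the digest recomputed over the current contents is unchanged.
function verifyProof(p: ProofRecord, a: ReadinessArtifact): boolean {
  return p.artifactId === a.artifactId && p.score === a.score && p.contentDigest === contentDigest(a);
}

// Export-time guard: refuse to serialize any object that carries a private field,
// catching a caller that spreads the whole artifact into the export by mistake.
function serializeForExport(record: object): string {
  for (const f of PRIVATE_FIELDS) {
    if (f in record) throw new Error(`private field ${f} must not be exported`);
  }
  return JSON.stringify(record);
}
```

The digest binds the proof to the exact transcript and rubric notes held in the tenant, so a later edit to either invalidates the record, while the exported JSON carries only identifiers, score, timestamps and the digest.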