Changelog: Managing Complexity at Scale with Chainloop's Enhanced RBAC

Jose Ignacio Paris

TL;DR

Over the last month, we’ve been focused on making Chainloop’s platform a good fit for enterprises with hundreds of products and many different personas. This work includes a full revamp of our Role-Based Access Control (RBAC) system so that customers can bring their externally managed organization structure into Chainloop.

Project-Scoped RBAC (Role-Based Access Control)

Previously, RBAC was confined to Organization-level memberships. A user held either the Organization Admin or the Organization Viewer role, and either one granted access to every resource in the organization.

This model did not scale for large organizations: there was no way to hide a project from specific users, nor to grant management permissions within a single project.

We are introducing a flexible membership scheme with project-level RBAC (Product-level is coming soon; more on that in upcoming blog posts), aligned with typical Enterprise scenarios and organizational team structures.

RBAC enhancements include:

  • Project-scoped roles for fine-grained permission schemes.
  • User groups for simplified membership management.
  • Dynamic, IdP-managed provisioning of users, groups, and roles through Single Sign-On.

Project-scoped roles

Instead of broad organization-level permissions, you can now define who can manage or view individual projects. This means:

  • Tighter control over sensitive workflows
  • Clear boundaries between teams or departments
  • Less risk of accidental changes or compliance drift

Whether you’re coordinating across dozens — or hundreds — of products, this gives you the confidence and control to scale securely.

Two new roles define project-scoped access control: Project Admins can fully interact with project resources (e.g., create attestations and workflows, and configure compliance frameworks), while Project Viewers have read-only access to those resources.

Projects and teams

Project membership can now be found in the Project menu (only visible to Organization Admins and Project Admins):

[Screenshot: Project menu]

Project-scoped API tokens

Alongside org-level API tokens, project-scoped API tokens can now be created.

These tokens can be used to authenticate the Chainloop CLI and API, perform attestations, or otherwise operate in the context of a single project. Because a project-scoped token cannot act outside the project it was issued for, one team’s token cannot interfere with another team’s project, and it removes the bottleneck of needing an organization administrator to issue every token. They are still credentials: store them in a secrets manager and rotate them like any other token.

Additionally, organization admins retain visibility into the tokens of every project and can manage all of them from a single place.

[Screenshot: API tokens]

Groups

Groups allow you to represent complex external organization structures, from individual teams and departments to whole Business Units.

Once in place, you get:

  • User management at scale: adding individual members to projects doesn’t scale, so by organizing users into groups and attaching the groups to projects, members inherit the project role assigned to their group.
  • Easier integration with an external IdP: groups can be created in Chainloop or imported automatically from an external source of truth (more on that below).

[Screenshot: Groups]

Following a common pattern, group members can be promoted to maintainers, allowing Admins to delegate membership management to them.
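To make the semantics of this release concrete, here is an added example, written for this post rather than taken from Chainloop’s code base, that models the three pieces together: the role hierarchy, project roles inherited through groups, and project-scoped API tokens that are refused outside their own project. The role ordering, the struct layout and the sample users, groups and projects are all assumptions made for illustration.

```go
package main

import "fmt"

// Role ordering: a higher value implies every permission of a lower one.
// This hierarchy is an assumption made for the example, not Chainloop's code.
type Role int

const (
	NoAccess Role = iota
	ProjectViewer
	ProjectAdmin
	OrgAdmin
)

func (r Role) String() string {
	return [...]string{"none", "project-viewer", "project-admin", "org-admin"}[r]
}

type Org struct {
	OrgAdmins map[string]bool
	Groups    map[string]map[string]bool // group name -> its members
	Projects  map[string]*Project
}

// Project: direct user memberships plus attached groups, each carrying one role.
type Project struct {
	UserRoles  map[string]Role // user -> role granted directly
	GroupRoles map[string]Role // group name -> role its members inherit
}

// EffectiveRole resolves a user's role on a project: org admins always win,
// otherwise the strongest of the direct membership and any group-inherited one.
func (o *Org) EffectiveRole(user, project string) Role {
	if o.OrgAdmins[user] {
		return OrgAdmin
	}
	p, ok := o.Projects[project]
	if !ok {
		return NoAccess
	}
	best := p.UserRoles[user] // a missing key yields NoAccess
	for name, role := range p.GroupRoles {
		if o.Groups[name][user] && role > best {
			best = role
		}
	}
	return best
}

// Token: an API token is org-scoped when Project is empty, else bound to one project.
type Token struct {
	ID      string
	Project string
	Role    Role
}

// Authorize checks a token against the role an action needs on a project. A
// project-scoped token is refused on any other project before its role is consulted,
// which is what keeps one team's token from touching another team's project.
func Authorize(t Token, project string, need Role) error {
	if t.Project != "" && t.Project != project {
		return fmt.Errorf("token %s is scoped to project %q, not %q", t.ID, t.Project, project)
	}
	if t.Role < need {
		return fmt.Errorf("token %s has role %s, action needs %s", t.ID, t.Role, need)
	}
	return nil
}

// SampleOrg is constructed data: alice is org admin; the payments-team group (bob, carol)
// is attached to payments-api as Project Admin; dave is a direct Project Viewer there;
// billing has no members at all.
func SampleOrg() *Org {
	return &Org{
		OrgAdmins: map[string]bool{"alice": true},
		Groups:    map[string]map[string]bool{"payments-team": {"bob": true, "carol": true}},
		Projects: map[string]*Project{
			"payments-api": {
				UserRoles:  map[string]Role{"dave": ProjectViewer},
				GroupRoles: map[string]Role{"payments-team": ProjectAdmin},
			},
			"billing": {},
		},
	}
}

func main() {
	o := SampleOrg()
	for _, u := range []string{"alice", "bob", "dave", "erin"} {
		fmt.Printf("%-5s payments-api=%-14v billing=%v\n", u,
			o.EffectiveRole(u, "payments-api"), o.EffectiveRole(u, "billing"))
	}
	tok := Token{ID: "tok-payments", Project: "payments-api", Role: ProjectAdmin}
	fmt.Println("cross-project use:", Authorize(tok, "billing", ProjectViewer))
	fmt.Println("in-scope use:", Authorize(tok, "payments-api", ProjectAdmin))
}
```

Running it shows erin (no memberships) with no access anywhere, bob inheriting Project Admin from his group, and the payments token failing on billing with a scope error before any role comparison happens. The order of checks is the point: deny on scope first, then on role, so a leaked project token can never be turned into access to another project.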

Provisioning users from Enterprise Identity Providers

The Chainloop platform now supports custom OIDC claims, enabling dynamic user provisioning and the assignment of organization-level roles and groups from information supplied by the integrated IdP. Existing group membership in the IdP can therefore drive user management in Chainloop.

Using this feature, Chainloop can mirror organizational directories and support custom signup flows from IdPs such as Microsoft Entra ID (formerly Azure AD), Auth0, and others.

This flexibility is provided through the following features:

  • Managed mode. In this mode the IdP is the source of truth for user, group, and role assignments, and any manual modifications are overwritten.
  • A default role for all logged-in users. In managed mode this default takes precedence over any manual change.
  • Flexible parsing patterns for user group claims, to extract the organization, group, and role from the raw group value.
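As an added example, not Chainloop’s implementation and not its actual pattern syntax, here is a parser that pulls organization, group and role out of raw group claim values with a named-capture regexp, followed by a reconcile step that shows exactly what managed mode changes. The claim layout chainloop:<org>:<group>[:<role>], the pattern, the fallback role and the sample claims are all constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assignment is what one raw group claim value yields after parsing.
type Assignment struct {
	Org, Group, Role string
}

// ClaimParser extracts org, group and (optionally) role from a group claim value using
// a regexp with named captures. The named-capture convention and the claim layout in
// SamplePattern are assumptions for this example, not Chainloop's pattern syntax.
type ClaimParser struct {
	re               *regexp.Regexp
	org, group, role int // submatch indexes; role is -1 when the pattern has no role capture
}

func NewClaimParser(pattern string) (*ClaimParser, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	p := &ClaimParser{re: re, org: re.SubexpIndex("org"), group: re.SubexpIndex("group"), role: re.SubexpIndex("role")}
	if p.org < 0 || p.group < 0 {
		return nil, fmt.Errorf("pattern must define named captures org and group: %s", pattern)
	}
	return p, nil
}

// Parse keeps only claim values that match the pattern (an IdP usually also sends groups
// that have nothing to do with Chainloop) and uses fallbackRole when a value carries none.
func (p *ClaimParser) Parse(groups []string, fallbackRole string) []Assignment {
	var out []Assignment
	for _, g := range groups {
		m := p.re.FindStringSubmatch(g)
		if m == nil {
			continue
		}
		a := Assignment{Org: m[p.org], Group: m[p.group], Role: fallbackRole}
		if p.role >= 0 && m[p.role] != "" {
			a.Role = m[p.role]
		}
		out = append(out, a)
	}
	return out
}

// UserState is what the platform stores for one user in one organization.
type UserState struct {
	OrgRole string            // organization-level role
	Groups  map[string]string // group name -> role the user inherits through it
}

// Reconcile computes the state to persist after provisioning. In managed mode the IdP is
// the source of truth: the configured default org role and the IdP-derived groups replace
// whatever was set by hand. Otherwise manual edits are kept, IdP-derived groups are merged
// on top, and the default org role is used only when no org role was set manually.
func Reconcile(org string, stored UserState, fromIdP []Assignment, defaultOrgRole string, managed bool) UserState {
	next := UserState{OrgRole: defaultOrgRole, Groups: map[string]string{}}
	if !managed {
		if stored.OrgRole != "" {
			next.OrgRole = stored.OrgRole
		}
		for g, r := range stored.Groups {
			next.Groups[g] = r
		}
	}
	for _, a := range fromIdP {
		if a.Org == org {
			next.Groups[a.Group] = a.Role
		}
	}
	return next
}

// Constructed sample: what an IdP might put in a "groups" claim for one user. The last two
// entries are unrelated IdP groups that must be ignored.
var SampleClaims = []string{"chainloop:acme:payments-team:admin", "chainloop:acme:platform",
	"chainloop:other-org:infra:admin", "Everyone", "okta-admins"}

const SamplePattern = `^chainloop:(?P<org>[a-z0-9-]+):(?P<group>[a-z0-9-]+)(?::(?P<role>admin|viewer))?$`

func main() {
	p, err := NewClaimParser(SamplePattern)
	if err != nil {
		panic(err)
	}
	parsed := p.Parse(SampleClaims, "viewer")
	manual := UserState{OrgRole: "admin", Groups: map[string]string{"legacy-team": "admin"}}
	fmt.Printf("parsed:    %+v\nmanaged:   %+v\nunmanaged: %+v\n", parsed,
		Reconcile("acme", manual, parsed, "viewer", true), Reconcile("acme", manual, parsed, "viewer", false))
}
```

The unmanaged run keeps the manually assigned admin org role and the legacy-team group; the managed run replaces both with the default role and the IdP-derived groups. Losing manual edits is the whole point of managed mode, so before enabling it make sure every assignment you rely on is expressible through the IdP’s groups, or it will be silently removed the next time provisioning runs. The pattern is also your filter: anything the IdP sends that does not match is dropped, so keep it anchored (^ and $) to avoid accidental matches on similarly named groups.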

Future improvements of this provisioning engine might include support for SAML and a SCIM provisioning API (System for Cross-domain Identity Management).

Check our documentation for more information about user provisioning.

Signed Manual Evidence and Exceptions

One of Chainloop’s secret super-powers is that its foundation is an evidence store in which all data is signed, contextualized, and attested.

Now all compliance interactions by users, from manual evidence uploads to exceptions, are attested, signed, and stored in that evidence store.

We have also exposed this functionality through our API, so you can sign and store any piece of evidence from your organization.

We’re super excited about these updates to Chainloop! They really boost our platform’s ability to handle those tricky enterprise environments, giving you the control and flexibility you need to scale securely and smoothly.

More Enterprise features are coming in the next few weeks; follow us on LinkedIn or subscribe to our newsletter to get updates straight to your inbox.