
Seats Access Controls

Overview

Role-based access control system governing permissions for Organization Members and Customer Kits across workspaces, ensuring secure multi-tenant isolation and granular resource management within the MECLABS AI platform.

Access Model Architecture

Three-Tier Hierarchy

  1. Organization Level: Global subscription and billing context
  2. Workspace/Team Level: Collaborative environment for AI product development
  3. Resource Level: Individual Experts, Apps, Libraries, and ADS deployments

Seat Type Permissions

Organization Members (Internal)

  • Full platform access based on assigned role
  • Shared resource pool (credits, workspaces)
  • Collaborative development capabilities
  • Access to team-wide AI products and deployments

Customer Kits (External)

  • Isolated single-tenant access
  • Dedicated credit allocation (1,000 MLC)
  • Restricted to assigned ADS deployment
  • No visibility into organization resources

Role-Based Access Control (RBAC)

Role Definitions

Owner Role

Permission Scope: Full workspace administration

  • Create/modify/delete workspace settings
  • Manage all member roles and permissions
  • Access all workspace resources
  • View usage analytics and billing
  • Configure ADS deployments

Admin Role

Permission Scope: Resource and member management

  • Add/remove workspace members
  • Assign member roles (except Owner)
  • Create/modify AI products
  • Deploy Customer Kits
  • Access usage reports

Member Role

Permission Scope: Standard development access

  • Create/edit own AI products
  • Test ADS deployments
  • View shared resources
  • Collaborate on team projects
  • Limited to assigned resource quotas

Viewer Role (Future)

Permission Scope: Read-only access

  • View AI products and deployments
  • Access performance metrics
  • Review documentation
  • No modification capabilities

Resource Isolation

Workspace Separation

Each workspace maintains isolated:

  • Data Storage: Separate Firestore collections per workspace
  • Credit Pools: Non-transferable MLC allocations
  • AI Products: Private Experts, Apps, Libraries
  • Customer Deployments: Workspace-specific Customer Kits

Multi-Tenant Security

Data Isolation Patterns

typescript
interface WorkspaceIsolation {
  workspaceId: string;
  organizationId: string;
  dataPath: `team/${string}/resources`;
  creditPool: {
    source: "organization" | "workspace";
    allocated: number;
    consumed: number;
  };
}

Access Verification Flow

  1. Authenticate user identity
  2. Verify workspace membership
  3. Check role permissions
  4. Validate resource ownership
  5. Grant scoped access
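
The five steps above as one fail-closed check. This is an added example, not the platform's own code: every name in it (`checkAccess`, `MATRIX`, the action names) is hypothetical, the grants are this example's reading of the role definitions on this page, and it assumes the workspace ID is the team ID used in the data path.

```typescript
// Added example; all names here are hypothetical, not the platform's API.
type Role = "owner" | "admin" | "member" | "viewer";
type Action = "view_product" | "create_product" | "modify_product"
  | "delete_product" | "delete_workspace";
type Grant = "all" | "own" | "none";
interface Membership { workspaceId: string; role: Role }
interface Resource { workspaceId: string; createdBy: string }
interface Decision { allowed: boolean; reason: string; scope: string | null }

// Grants as this example reads the role definitions ("own" = Own only).
const MATRIX: Record<Action, Record<Role, Grant>> = {
  view_product:     { owner: "all", admin: "all",  member: "all",  viewer: "all" },
  create_product:   { owner: "all", admin: "all",  member: "all",  viewer: "none" },
  modify_product:   { owner: "all", admin: "all",  member: "own",  viewer: "none" },
  delete_product:   { owner: "all", admin: "all",  member: "own",  viewer: "none" },
  delete_workspace: { owner: "all", admin: "none", member: "none", viewer: "none" },
};

const deny = (reason: string): Decision => ({ allowed: false, reason, scope: null });

// Runs the five steps in order and fails closed at the first one that does not pass.
function checkAccess(uid: string | null, memberships: Membership[],
                     workspaceId: string, action: Action, resource?: Resource): Decision {
  if (!uid) return deny("unauthenticated");                        // 1. identity
  const m = memberships.find((x) => x.workspaceId === workspaceId);
  if (!m) return deny("not_a_member");                             // 2. membership
  const grant = MATRIX[action][m.role];
  if (grant === "none") return deny("role_forbidden");             // 3. role
  if (resource && resource.workspaceId !== workspaceId) {
    return deny("cross_workspace");                                // 4a. tenant match
  }
  if (grant === "own") {                                           // 4b. ownership
    if (!resource) return deny("resource_required");
    if (resource.createdBy !== uid) return deny("not_resource_owner");
  }
  // 5. grant access scoped to this workspace's data path
  return { allowed: true, reason: "ok", scope: `team/${workspaceId}/resources` };
}

// Constructed sample data.
const aliceMemberships: Membership[] = [{ workspaceId: "ws1", role: "member" }];
const bobsExpert: Resource = { workspaceId: "ws1", createdBy: "bob" };
const alicesExpert: Resource = { workspaceId: "ws1", createdBy: "alice" };
console.log(checkAccess("alice", aliceMemberships, "ws1", "modify_product", bobsExpert));
```

The deny reasons are distinct so that each failed step can be recorded separately in the audit trail.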

Permission Matrix

Organization Member Permissions

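| Action | Owner | Admin | Member | Viewer |
| --- | --- | --- | --- | --- |
| Workspace Management | | | | |
| Create workspace | | | - | - |
| Delete workspace | | - | - | - |
| Modify workspace settings | | | - | - |
| Member Management | | | | |
| Add members | | | - | - |
| Remove members | | | Self only | - |
| Change member roles | | | - | - |
| Resource Management | | | | |
| Create AI products | | | | - |
| Modify AI products | | | Own only | - |
| Delete AI products | | | Own only | - |
| Deploy Customer Kits | | | | - |
| Analytics & Billing | | | | |
| View usage analytics | | | Limited | Limited |
| Access billing information | | | - | - |
| Purchase credits/upgrades | | | - | - |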

Customer Kit Permissions

| Action | Customer Kit User |
| --- | --- |
| Access assigned ADS | |
| Consume allocated credits | |
| View usage metrics | Own only |
| Access organization resources | - |
| Modify deployment settings | - |
| Transfer credits | - |

Access Control Implementation

Authentication Layer

Uses Firebase Authentication with custom claims:

typescript
interface CustomClaims {
  org_id?: string;
  team_id?: string;
  subscription?: "build" | "sell" | "scale";
  admin?: boolean;
}

Authorization Middleware

tRPC procedures enforce access control:

typescript
// Owner-only operations
.use(authorizeOwner)

// Admin or owner operations
.use(authorizeAdmin)

// Any authenticated member
.use(authorize)

Resource Scoping

All queries automatically scope to user's workspace:

typescript
db.collection(`team/${teamId}/resources`).where("createdBy", "==", userId);
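
The scoping above only isolates tenants if `teamId` comes from the verified token rather than from the request. The following added example (not the platform's code) derives the path from the `team_id` claim and fails closed otherwise; `scopedPath`, `listOwnResources`, the in-memory `store` and the ID format are assumptions made for illustration.

```typescript
// Added example; CustomClaims mirrors the interface on this page, the rest is hypothetical.
interface CustomClaims { org_id?: string; team_id?: string; admin?: boolean }
interface Doc { id: string; createdBy: string }
type ScopedPath = `team/${string}/resources`;

// Assumed ID format: one path segment. A value containing "/" or "." would
// change which collection the template resolves to, so it is rejected.
const TEAM_ID = /^[A-Za-z0-9_-]{1,64}$/;

// Derives the path from verified token claims only; a client-sent team id is
// used solely as a consistency check and never interpolated into the path.
function scopedPath(claims: CustomClaims, requestedTeamId?: string): ScopedPath | null {
  const teamId = claims.team_id;
  if (!teamId || !TEAM_ID.test(teamId)) return null;
  if (requestedTeamId !== undefined && requestedTeamId !== teamId) return null;
  return `team/${teamId}/resources` as ScopedPath;
}

// Constructed in-memory stand-in for the per-workspace collections.
const store = new Map<string, Doc[]>([
  ["team/acme/resources", [{ id: "e1", createdBy: "u1" }, { id: "e2", createdBy: "u2" }]],
  ["team/globex/resources", [{ id: "e9", createdBy: "u9" }]],
]);

// Same shape as the page's query: workspace path first, then createdBy == userId.
function listOwnResources(claims: CustomClaims, userId: string,
                          requestedTeamId?: string): string[] {
  const path = scopedPath(claims, requestedTeamId);
  if (path === null) return [];            // fail closed: no path, no read
  return (store.get(path) ?? [])
    .filter((d) => d.createdBy === userId)
    .map((d) => d.id);
}
```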

Customer Kit Isolation

Deployment Architecture

Each Customer Kit operates in isolation:

  • Unique Login: Separate authentication credentials
  • Dedicated Workspace: Isolated data context
  • Credit Boundary: Cannot access organization credits
  • Usage Tracking: Independent consumption metrics

Security Boundaries

typescript
interface CustomerKitBoundary {
  authentication: "separate_credentials";
  dataAccess: "kit_workspace_only";
  creditSource: "kit_allocation_only";
  resourceVisibility: "assigned_ads_only";
  analyticsScope: "own_usage_only";
}

Workspace Management

Creation Flow

  1. Organization Admin initiates workspace creation
  2. System allocates workspace ID and database namespace
  3. Creator assigned as workspace Owner
  4. Initial resource quotas allocated from organization pool
  5. Workspace appears in creator's workspace selector

Member Invitation Process

  1. Owner/Admin initiates invitation
  2. System validates organization seat availability
  3. Invitation sent via email with workspace context
  4. New member accepts and gains workspace access
  5. Role assigned based on invitation parameters

Workspace Switching

Users with multiple workspace memberships can switch contexts:

  • Maintains separate session per workspace
  • Preserves workspace-specific settings
  • Updates resource visibility accordingly
  • Refreshes permission scope

Security Policies

Access Revocation

Immediate effect upon:

  • Member removal from workspace
  • Role downgrade
  • Workspace deletion
  • Organization subscription termination

Audit Trail

System tracks all permission-related events:

  • Member additions/removals
  • Role changes
  • Resource access attempts
  • Permission violations

Compliance Controls

  • Data Residency: Workspace data remains in designated regions
  • Encryption: All sensitive data encrypted at rest and in transit
  • Access Logs: Comprehensive audit trail for compliance
  • GDPR Support: User data deletion and export capabilities

Integration Points

With Billing System

Access controls enforce subscription limits:

  • Organization Member seat counts
  • Customer Kit allocations
  • Feature access based on tier (Build/Sell/Scale)

With Usage Tracking

Permissions determine visibility:

  • Owners see full workspace analytics
  • Admins access usage reports
  • Members view own consumption
  • Customer Kits see isolated metrics

With AI Products

Access controls govern:

  • Expert/App/Library creation rights
  • Modification permissions
  • Deployment capabilities
  • Sharing and collaboration

Future Enhancements

Planned Features

  • Custom Roles: Organization-defined permission sets
  • Temporary Access: Time-limited elevated permissions
  • Cross-Workspace Collaboration: Controlled resource sharing
  • API Keys: Programmatic access with scoped permissions
  • SSO Integration: Enterprise single sign-on support

Advanced Controls

  • IP Whitelisting: Restrict access by network location
  • MFA Requirements: Enforce multi-factor for sensitive operations
  • Session Management: Configurable timeout and concurrency limits
  • Delegated Administration: Granular permission delegation

Best Practices

For Organizations

  1. Principle of Least Privilege: Assign minimum required permissions
  2. Regular Audits: Review member access quarterly
  3. Role Standardization: Define clear role responsibilities
  4. Workspace Segmentation: Separate projects/departments
  5. Access Reviews: Periodic verification of active members

For Workspace Owners

  1. Member Onboarding: Document role expectations
  2. Permission Documentation: Maintain access matrix
  3. Regular Cleanup: Remove inactive members
  4. Audit Monitoring: Review access logs for anomalies
  5. Succession Planning: Designate backup owners

Technical Considerations

Performance Impact

  • Permission checks cached per session
  • Minimal latency on resource access
  • Bulk operations optimize database queries
  • Role changes propagate within 60 seconds

Scalability

  • Supports 1000+ members per workspace
  • Handles 10,000+ Customer Kits per organization
  • Concurrent workspace operations supported
  • Horizontal scaling for permission checks