RBAC, SSO, MFA & SCIM: Identity and Access Management

Executive Summary

Controlling Who Accesses What

Identity and Access Management (IAM) is the cornerstone of enterprise security. It answers three questions: Who is this person? What are they allowed to do? How do we prove it? For Fortune 500 clients like McKinsey, the expectations are specific: employees must authenticate through their corporate identity provider (SSO), all accounts must use multi-factor authentication (MFA), user provisioning must be automated (SCIM), and access must be role-based with a clear privilege model.

ReGenesis defines six user roles -- Coachee, Coach, Admin, Executive, Sasha (AI), and System Admin -- each with precisely scoped permissions. Data is tagged with four visibility levels (client_visible, coach_only, admin_aggregate, system_internal) that determine which roles can see which information. This ensures that a coachee's private reflections never appear in an executive dashboard, and that coaching notes remain between coach and client unless explicitly shared.

The IAM implementation is staged: basic RBAC and MFA ship with MVP0, SAML-based SSO is required for the McKinsey pilot, and SCIM automated provisioning is targeted for GA. This sequence matches enterprise procurement expectations and ensures the pilot deal can close while building toward full enterprise-grade identity management.

Working Knowledge

The Four Pillars of Enterprise Identity

1. RBAC (Role-Based Access Control)

RBAC means users are assigned roles, and roles define what actions they can perform and what data they can see. ReGenesis has six roles:

Role	Description	Data Access	Key Permissions
Coachee	The person being coached	Own data only (client_visible)	View own sessions, goals, AI insights; interact with Sasha; submit reflections
Coach	The human coach	Assigned coachees' data (client_visible + coach_only)	View/edit coaching notes; see session transcripts; set goals; add private coach notes
Admin	Organization administrator	Aggregated data (admin_aggregate)	Manage users; view engagement metrics; configure settings; run reports
Executive	Senior leadership	Aggregated/anonymized data (admin_aggregate)	View organizational dashboards; ROI metrics; engagement trends
Sasha (AI)	The AI coaching engine	Scoped per session (system_internal + context window)	Generate insights; access session history for context; no persistent data storage beyond session
System Admin	ReGenesis platform operators	Full system access (system_internal)	Infrastructure management; tenant configuration; security incident response

Data Visibility Tags

Every piece of data in the system has a visibility tag that controls who can access it:

Important Distinction

• client_visible: The coachee can see this. Session summaries, goals, action items, Sasha responses.
• coach_only: Only the assigned coach can see this. Private coaching notes, behavioral observations, concern flags.
• admin_aggregate: Admins and executives see aggregated/anonymized data. Engagement rates, completion percentages, NPS scores. Never individual session content.
• system_internal: Only the system and AI engine access this. Raw logs, model parameters, system health data.

2. SSO (Single Sign-On)

Enterprise employees do not create separate username/password accounts for every SaaS tool. They sign in once through their corporate identity provider (Okta, Azure AD, Google Workspace) and that grants access to all approved applications.

How it works for ReGenesis:

1. User clicks "Sign in with SSO" on the ReGenesis login page
2. ReGenesis redirects to the enterprise's identity provider (e.g., Okta)
3. User authenticates there (password + MFA)
4. Identity provider sends a SAML assertion or OIDC token back to ReGenesis
5. ReGenesis validates the assertion and creates/updates the user session
6. User is logged in with their enterprise-assigned role

Supported protocols:

• SAML 2.0 (required for McKinsey pilot -- most Fortune 500 companies use this)
• OAuth 2.0 / OpenID Connect (modern alternative, used by Google Workspace)

3. MFA (Multi-Factor Authentication)

MFA requires users to prove their identity with two or more factors:

• Something you know (password)
• Something you have (authenticator app, hardware key)
• Something you are (biometric)

For ReGenesis:

• MFA is required for all users at pilot and beyond
• TOTP (Time-based One-Time Password) via authenticator apps (Google Authenticator, Authy) is the preferred method
• WebAuthn/FIDO2 hardware keys (YubiKey) supported for high-security environments
• SMS-based OTP is supported but discouraged (vulnerable to SIM swapping)
• When SSO is active, MFA is typically enforced by the identity provider, not ReGenesis

4. SCIM (System for Cross-domain Identity Management)

SCIM automates user provisioning and deprovisioning. When an enterprise adds someone to their "ReGenesis" group in Okta, SCIM automatically creates the user account in ReGenesis with the right role. When someone leaves the company or is removed from the group, SCIM automatically deactivates their ReGenesis account.

Why it matters:

• Security: No orphaned accounts when employees leave
• Efficiency: IT teams do not manually create/delete accounts
• Compliance: Provable automated access management for auditors

Additional Access Controls

Control	Description	Stage
Tenant Isolation	Each enterprise client's data is logically isolated; no cross-tenant data access	MVP0
Just-In-Time Access	System admin access to production is temporary and audited	Pilot
Session Timeout	Inactive sessions expire after 30 minutes (configurable per tenant)	MVP0
Inactivity Auto-Logout	Browser/mobile auto-logout after inactivity period	MVP0
Concurrent Session Limits	Configurable max sessions per user (default: 3)	GA
IP Allowlisting	Enterprise can restrict access to corporate IP ranges	GA
Mobile SSO	SAML/OIDC flow optimized for mobile (deep linking, app-based auth)	GA
Biometric Authentication	Face ID / Touch ID for mobile app (device-level, not server-level)	GA
Enterprise Admin Console	Self-service portal for enterprise admins to manage users, view logs, configure policies	Pilot

Technical Spec