What permissions does BrandLight offer for team setup?

BrandLight offers RBAC-based user permission controls that simplify team setup. Defined roles include Owner, Admin, Editor, and Contributor, with permissions mapped to core domains such as Template Management, Team Management, Blocks Management, Project Settings, and API Access. Auditable change management and granular activity tracking provide governance, while default onboarding roles and least-privilege design reduce drift. Enterprise SSO and RESTful APIs centralize authentication and data access across engines, and BrandLight's no-PII posture with SOC 2 Type 2 alignment reinforces trusted signals. These features enable fast onboarding, secure handoffs, and scalable governance across multi-region deployments. For reference, BrandLight's capabilities are described at https://brandlight.ai.

Core explainer

What RBAC model does BrandLight use to simplify team setup?

BrandLight uses role-based access control (RBAC) as the foundation for team setup, ensuring each user has the appropriate scope to perform their work.

Roles include Owner, Admin, Editor, and Contributor, each with escalating capabilities and clearly defined boundaries that reinforce least-privilege onboarding. Permissions are mapped to core domains such as Template Management, Team Management, Blocks Management, Project Settings, and API Access, enabling consistent provisioning across engines and reducing drift. This mapping supports scalable growth, simplifies onboarding for new members, and makes governance auditable from day one.

Auditable change management and granular activity tracking provide governance and accountability. Enterprise SSO and RESTful APIs centralize authentication and data access across engines, and the system aligns with SOC 2 Type 2 and a no-PII posture to reinforce trust across multi-region deployments.

How are roles defined and mapped to permissions?

RBAC defines what a user can view or modify, separating the concept of role identity from per-user permissions to create scalable, predictable access control.

The four core roles—Owner, Admin, Editor, Contributor—map to capability groups such as Template Management, Blocks Management, Team Management, Project Settings, and API Access, with boundaries that guide onboarding, configuration, and ongoing governance. This explicit mapping ensures consistent provisioning as teams scale and reduces the risk of over-permissioning.

This mapping supports auditing, cross-engine visibility, and governance artifacts that capture decisions and provenance across surfaces, enabling teams to maintain trustworthy signals and align with organizational policies without compromising productivity.

How do SSO and RESTful APIs affect provisioning and revocation?

SSO and RESTful APIs centralize provisioning and revocation, creating a single source of truth for access control across engines.

Assigning a role in BrandLight propagates updates to all connected surfaces, while revocation automatically disassociates credentials. This reduces manual handoffs, speeds onboarding and offboarding, and minimizes the window of potential exposure during changes in team composition or role transitions.

This approach aligns with SOC 2 Type 2 and no-PII posture, and it supports multi-region deployments by standardizing authentication and authorization workflows across domains and surfaces, ensuring consistent and auditable access controls everywhere.

How are audits, governance artifacts, and offboarding handled?

Auditable change management and governance artifacts provide traceability for permission changes and access events across engines, enabling clear accountability and regulatory readiness.

Activity logs, versioned role definitions, and provenance support regulatory reviews and drift detection across surfaces, helping teams verify who changed what and when, and ensuring alignment with internal policies.

Offboarding and lifecycle governance ensure access is updated promptly when users join, move, or depart, reducing risk and maintaining a clean access surface for ongoing operations. This disciplined approach minimizes residual access and supports seamless transitions without service disruption.

FAQs

What RBAC model does BrandLight use to simplify team setup?

BrandLight uses role-based access control (RBAC) as the foundation for team setup, defining four roles—Owner, Admin, Editor, and Contributor—with escalating capabilities and clear boundaries to enforce least-privilege onboarding. Permissions cover core governance domains such as Template Management, Blocks Management, Team Management, Project Settings, and API Access, enabling consistent provisioning across engines and reducing drift. Auditable change management and granular activity tracking support governance and accountability. Centralized authentication is provided by enterprise SSO and RESTful APIs, and the approach aligns with SOC 2 Type 2 and a no-PII posture for multi-region deployments.

How are roles defined and mapped to permissions?

RBAC separates role identity from individual permissions to deliver scalable access control. The four core roles map to capability groups like Template Management, Blocks Management, Team Management, Project Settings, and API Access, providing consistent onboarding and governance across teams. This explicit mapping reduces over-permissioning, supports auditable decisions, and enables cross-engine visibility by capturing provenance in governance artifacts. It also smooths onboarding for new members and ensures scale without sacrificing security or governance across surfaces.

How do SSO and RESTful APIs affect provisioning and revocation?

SSO and RESTful APIs centralize provisioning and revocation, delivering a single source of truth for access across engines. Assigning a role propagates updates to connected surfaces, while revocation promptly disassociates credentials, reducing manual handoffs and the risk window during role changes. This approach speeds onboarding and offboarding, supports multi-region deployments, and maintains auditable, policy-driven access aligned with SOC 2 Type 2 and no-PII posture.

How are audits, governance artifacts, and offboarding handled?

Auditable change management and governance artifacts provide traceability for permission changes and access events across engines. Activity logs, versioned role definitions, and provenance enable regulatory reviews, drift detection, and accountability for who changed what and when. Offboarding workflows automatically adjust or revoke access as users join, move, or depart, reducing residual privileges and preserving a clean security surface without service disruption.