RBAC matrix
| Role | Can view | Can approve | Can bill |
|---|---|---|---|
| Owner | All tenant data | Yes | Yes |
| IT admin | Tickets, KB, devices | Scoped | No |
| Finance | Invoices, cost | No | Yes |
| Viewer | Reports only | No | No |
Multi-tenant operations with role boundaries.
The tenant admin shell turns Round 9 admin work into a customer-ready interface: RBAC matrix, SCIM provisioning plan, audit log links, and privileged-action write gate.
SCIM provisioning checklist
- Tenant domain verified before provisioning.
- External IdP maps owner, IT admin, finance, and viewer.
- Deprovision disables ARIA access and leaves audit record.
- Privileged action still requires write-gate approval.
Related functions
aria-tenant-audit, aria-tenant-kb, aria-write-gate, aria-white-label, aria-cost-attribution, and aria-cross-device-sync.