Identity & administration¶
Venturi is the enterprise system of record for AI consumption, and it is operated the way enterprises expect a system of record to be operated: through your own identity provider, with least-privilege roles, an immutable audit trail, and a single admin console that shows the current state of every control. This section is for the Tenant Admin — the person who runs the Venturi tenant: the right people, the right access, the right policies.
Everything here inherits the platform's standing guarantees. Authentication, authorization, tenant isolation, export, and billing fail closed — a missing, ambiguous, or denied permission blocks the operation; it never degrades into access. (This is the deliberate inverse of the AI hot path, which fails open so Venturi can never block your production traffic.) Every administrative change writes an immutable audit entry, and no control on these pages sits on the gateway latency budget.
What an admin can — and cannot — do
A Tenant Admin governs access, identity, and policy within their tenant. No role, custom role, delegation, impersonation, or support session can ever reach across the tenant boundary: a cross-tenant request fails closed with 403 TENANT_MISMATCH regardless of who makes it. Tenant isolation is evaluated before any grant, so a grant can only ever narrow within your tenant — never widen past it.
What you administer¶
- Single sign-on (SSO): Federate authentication to your own IdP over SAML 2.0 or OIDC, map IdP groups to Venturi roles, and enforce SSO-only access tenant-wide.
- SCIM provisioning: Create, update, and deprovision users and groups automatically from your IdP. Deprovision in your IdP, and access is removed in Venturi — fail-closed.
- Roles & RBAC: Four canonical roles plus an attribute overlay, scoped to your org chart, with separation of duties and an "explain access" preview on every grant.
- Admin console: One coherent surface for users, identity, policy, access recertification, and tenant settings — each control showing its current state and its safe default.
- Audit logs: An immutable, append-only record of every consequential action — mutations, exports, access, overrides, support sessions — written to storage Venturi cannot alter.
The model in one picture¶
Access in Venturi is scoped: a grant is meaningful only relative to a position in a containment tree. From outermost to innermost:
```
Organization          legal customer entity; billing & residency boundary
└─ Tenant/Account     isolation boundary — its own database and encryption key
   └─ Workspace       a bounded analytic estate (e.g. a business unit)
      └─ Team         the org-chart unit that owns cost & adoption
         └─ Project   the work unit attribution rolls up to
            └─ Object a saved view, export, dashboard, override set, budget, connector
```
A user's effective access is the intersection of their role, the scope the role is granted at, any attribute conditions (residency, data classification, environment), inherited grants, object-level sharing, and any active delegation. The admin console can compute and explain that intersection for any user at any scope node — so you can always answer why someone can see a thing, not only that they can.
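The evaluation order described above (tenant isolation first, then the intersection of role, scope, attribute conditions, object-level sharing and active delegation, with a trace that answers "why") as an added Python model. This is an illustration written for this page, not Venturi's code: the Node and Grant shapes, the role-to-permission table, the delegation expiry field, and every result code except 403 TENANT_MISMATCH are assumptions made for the example.

```python
# Added illustration of this page's containment-tree model; not Venturi code. The Node/Grant
# shapes, the role table and every result code except TENANT_MISMATCH are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ("organization", "tenant", "workspace", "team", "project", "object")  # outermost first
ROLE_PERMISSIONS = {  # assumed role -> permission table
    "viewer": {"view"},
    "analyst": {"view", "export"},
    "owner": {"view", "export", "manage"},
}

@dataclass(frozen=True)
class Node:
    level: str
    name: str
    parent: Optional[Node] = None

    def lineage(self) -> list[Node]:  # root-to-self chain; a grant at any of these contains self
        chain, cur = [], self
        while cur is not None:
            chain.append(cur)
            cur = cur.parent
        return chain[::-1]

    @property
    def tenant(self) -> Optional[str]:  # None above the tenant boundary
        return next((n.name for n in self.lineage() if n.level == "tenant"), None)

@dataclass
class Grant:
    principal: str
    role: str
    scope: Node                                     # covers scope and everything beneath it
    conditions: dict = field(default_factory=dict)  # attribute overlay, e.g. {"residency": "eu"}
    kind: str = "role"                              # "role", "share" (object-level) or "delegation"
    expires_at: Optional[int] = None                # delegations are time-boxed (assumed)

@dataclass
class Decision:
    allowed: bool
    code: str
    trace: list[str]  # the "explain access" steps

def evaluate(principal: str, principal_tenant: str, action: str, target: Node,
             grants: list[Grant], context: dict, now: int = 0) -> Decision:
    trace: list[str] = []
    # 1. Tenant isolation first, before any grant is even read.
    if target.tenant is None or target.tenant != principal_tenant:
        trace.append(f"target tenant {target.tenant!r} != principal tenant {principal_tenant!r}")
        return Decision(False, "403 TENANT_MISMATCH", trace)
    # 2. A grant counts only if every check passes (the intersection); one such grant suffices.
    containing, satisfied = target.lineage(), []
    for g in (g for g in grants if g.principal == principal):
        label = f"{g.kind} {g.role}@{g.scope.level}:{g.scope.name}"
        if g.scope.tenant != principal_tenant:  # a grant can narrow within the tenant, never widen past it
            trace.append(f"{label}: scope outside tenant, ignored")
        elif g.scope not in containing:
            trace.append(f"{label}: does not contain target, ignored")
        elif g.kind == "delegation" and (g.expires_at is None or now >= g.expires_at):
            trace.append(f"{label}: delegation not active, ignored")
        elif unmet := [k for k, v in g.conditions.items() if context.get(k) != v]:
            trace.append(f"{label}: condition(s) {unmet} not met, ignored")  # missing attribute = unmet
        elif action not in ROLE_PERMISSIONS.get(g.role, set()):  # unknown role grants nothing
            trace.append(f"{label}: role does not permit {action!r}")
        else:
            trace.append(f"{label}: permits {action!r}")
            satisfied.append(g)
    if satisfied:
        return Decision(True, "200 OK", trace)
    trace.append(f"no grant permits {action!r}; default is deny")
    return Decision(False, "403 FORBIDDEN", trace)

def explain(decision: Decision) -> str:  # the answer plus every step behind it
    return "\n".join([decision.code] + ["  - " + t for t in decision.trace])

def demo() -> dict[str, Decision]:  # constructed tree, grants and requests (sample data)
    org = Node("organization", "acme")
    prod, sandbox = Node("tenant", "acme-prod", org), Node("tenant", "acme-sandbox", org)
    ws = Node("workspace", "finance", prod)
    report = Node("object", "q3-report", Node("project", "q3-forecast", Node("team", "fp-and-a", ws)))
    lab_ws = Node("workspace", "research", sandbox)
    notes = Node("object", "lab-notes", Node("project", "lab", Node("team", "ml", lab_ws)))
    grants = [
        Grant("alice", "analyst", ws, conditions={"residency": "eu"}),
        Grant("alice", "owner", org),                  # above the tenant boundary: ignored
        Grant("alice", "viewer", lab_ws),              # another tenant: ignored
        Grant("bob", "viewer", report, kind="share"),  # object-level sharing
        Grant("bob", "owner", report.parent, kind="delegation", expires_at=100),
    ]
    eu, us = {"residency": "eu"}, {"residency": "us"}
    return {
        "alice_export_eu": evaluate("alice", "acme-prod", "export", report, grants, eu),
        "alice_export_us": evaluate("alice", "acme-prod", "export", report, grants, us),
        "alice_cross_tenant": evaluate("alice", "acme-prod", "view", notes, grants, eu),
        "bob_manage_active": evaluate("bob", "acme-prod", "manage", report, grants, {}, now=50),
        "bob_manage_expired": evaluate("bob", "acme-prod", "manage", report, grants, {}, now=150),
    }
```

Two design points carry the page's guarantees: the tenant check returns before a single grant is inspected, so no grant shape can reach across the boundary, and every other branch is a reason to ignore a grant rather than a reason to allow, so a missing context attribute, an unknown role, or an expired delegation leaves the default deny in place. `explain(demo()["alice_export_us"])` prints the denial together with the unmet residency condition that caused it.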
A safe operating posture by default¶
Venturi ships every identity control with the conservative default already selected, and shows you that state on the admin console:
| Control | Safe default | Where to change it |
|---|---|---|
| SSO-only enforcement | Off until you opt in (and verify your IdP first) | SSO |
| Just-in-time (JIT) provisioning | Off; when on, new users get the lowest role | SCIM |
| Multi-factor authentication | Enforceable tenant-wide or per role | Admin console |
| Step-up for sensitive operations | Required for privileged actions, always | Roles & RBAC |
| Venturi support access | No standing access; customer-approved break-glass only | Admin console |
| Stale access at recertification | Restricted to read-only, not retained | Roles & RBAC |
Where to start¶
- Federate identity. Stand up SSO against your IdP and claim your email domains.
- Automate the lifecycle. Turn on SCIM provisioning so joiners, movers, and leavers flow from your IdP.
- Right-size access. Map IdP groups to roles, scope them to your org chart, and run your first access recertification.
- Verify continuously. Hand your security team the audit log and the trust center.
See Security, privacy & compliance for how these controls are enforced and independently verified.