Cosmo Access Control

Control who accesses your federated graph

Role-based permissions, SSO, SCIM provisioning, API keys with scoped access, and a complete audit log, all built into Cosmo. No third-party access management layer required.

RBAC, SSO, SCIM, audit logging. No additional tooling required.

Overview

Access controls, built into Cosmo

Cosmo ships with a complete access control stack. Enable RBAC to assign roles at the organization, namespace, graph, and subgraph levels. Use groups to manage access for entire teams and CI/CD service accounts through a single system.

Connect your identity provider via OIDC for SSO, layer in SCIM for automated provisioning and deprovisioning, and use API keys with group-scoped permissions for automation. Every action, human or automated, is captured in the audit log.

Why federation-native access control matters

Why teams need graph-aware access control

In a federated graph, many teams publish subgraphs independently. Generic access control tools have no concept of subgraphs, namespaces, or federation roles. The result: either teams get too much access, or access becomes a manual bottleneck.

Four problems that come up repeatedly without federation-native access control.

Teams get more access than they need.

Without subgraph-level roles, the safest option is broad access. Developers end up with permissions to resources they should never touch.

CI/CD keys carry admin-level permissions.

Without scoped API keys, automation runs with the same access as a human admin. One compromised key affects the entire platform.

User provisioning is manual and slow.

Without SSO and SCIM, every new hire needs a manual invitation and every departure requires a manual revocation. Both steps are easy to miss.

No record of who changed what.

Without an audit log, compliance reporting and incident investigations require piecing together context from multiple systems, if it exists at all.

Cosmo Access Control handles all of this natively. No external tools, no manual glue, no blind spots.

Cosmo Access Control capabilities

Role-Based Access Control (RBAC)

Assign permissions to roles at organization, namespace, graph, and subgraph levels. Users inherit access through their assigned roles. Four organization roles (Admin, Developer, API Key Manager, Viewer), two namespace roles, two graph roles, and four subgraph roles. Requires Scale plan or higher.

Scale / Enterprise

Groups & Group Rules

Centralize access for both organization members and API keys using groups. Each group holds one or more rules defining roles and resource scopes. Built-in admin, developer, and viewer groups ship by default. Integrates with SSO OIDC mappers for automated group assignment, plus SCIM for user provisioning. Requires Scale plan or higher.

Scale / Enterprise

Which access control capability do you need?

If you are...                                            Start here
Assigning different permissions to different teams       RBAC
Managing team access through groups and rules            Groups & Group Rules
Connecting an identity provider like Okta or Auth0       Single Sign-On
Automating user provisioning and deprovisioning          SCIM Provisioning
Creating API keys for CI/CD pipelines                    API Keys
Tracking who made changes for compliance                 Audit Logging
Inviting colleagues to your organization                 User Invitations
Understanding session lifetime and timeout behavior      Session Management

How Cosmo Access Control compares

                                        Cosmo Access Control   Generic IAM tools       Custom solutions
Subgraph-level roles                    Yes                    No                      Requires implementation
Unified groups for users and API keys   Yes                    Varies                  Requires implementation
OIDC SSO and SCIM                       Built-in               Requires integration    Requires implementation
Federated graph audit log               Yes                    No                      Requires implementation
Setup time                              Minutes                Hours                   Days / weeks

Use cases

Access control use cases

Real patterns for team access, pipeline security, and compliance, with the Cosmo capability behind each one.

Team access

Teams manage their subgraphs without touching others

Scenario

Multiple teams publish subgraphs to a shared federated graph. Each team needs admin access to their own subgraphs but should not be able to modify others.

How Cosmo handles it

Create a group per team with Subgraph Admin scoped to their namespace. Add a Namespace Viewer rule for read-only visibility across the organization. Assign team members to their group.

Outcome

Each team operates independently. Accidental cross-team changes are not possible by design.

CI/CD automation

Pipelines publish schemas with exactly the permissions they need

Scenario

A CI/CD pipeline needs to publish subgraph schema changes on every merge. It should not be able to create graphs, modify organization settings, or access production namespaces.

How Cosmo handles it

Create a group with Subgraph Publisher scoped to the target namespace. Generate an API key assigned to that group. Store the key in your pipeline secrets. Use it with the wgc CLI.

Outcome

Automated deployments run with minimal permissions. No risk of unintended administrative actions.
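The pipeline step described above, written out as an added shell example; it is not part of the Cosmo documentation or tooling. It assumes the scoped key is injected as COSMO_API_KEY (the environment variable the wgc CLI reads), that a subgraph named products already exists in a namespace named staging (a first publish would also need --routing-url), and that the production-namespace names in the guard are placeholders. The group-scoped key remains the real control; the script only makes a missing key or a wrong target fail earlier and more readably than a 403 from the control plane.

```shell
#!/bin/sh
# Added example (not Cosmo's own tooling): CI step that publishes a subgraph
# schema with a namespace-scoped API key through the wgc CLI.
# Assumptions: the key is exposed as COSMO_API_KEY (the variable wgc reads),
# the subgraph already exists in the namespace (a first publish would also
# need --routing-url), and the names below are placeholders.
set -eu

SUBGRAPH="${SUBGRAPH:-products}"       # assumed subgraph name
NAMESPACE="${NAMESPACE:-staging}"      # assumed target namespace
SCHEMA="${SCHEMA:-./schema.graphql}"   # assumed path to the SDL in the repo

# Fail fast instead of letting wgc surface a 403 from the control plane:
# no key means the secret was not injected into this job, and a production
# namespace means a staging-scoped key is being pointed outside its scope.
check_preconditions() {
  ns="$1"; key="${2-}"
  if [ -z "$key" ]; then
    echo "COSMO_API_KEY is not set; refusing to publish" >&2
    return 1
  fi
  case "$ns" in
    prod|production|production-*)
      echo "pipeline key is not meant for namespace '$ns'; refusing" >&2
      return 1 ;;
  esac
  return 0
}

# Composition check first, then publish. $1 is the command runner (npx in CI);
# passing "echo" instead prints the exact wgc invocations without calling out.
publish_subgraph() {
  runner="$1"; subgraph="$2"; ns="$3"; schema="$4"
  "$runner" wgc subgraph check "$subgraph" --namespace "$ns" --schema "$schema"
  "$runner" wgc subgraph publish "$subgraph" --namespace "$ns" --schema "$schema"
}

# Invoke as `sh publish.sh run` from the pipeline step; with no argument the
# functions are only defined, so the file can be sourced or tested.
case "${1-}" in
  run)
    check_preconditions "$NAMESPACE" "${COSMO_API_KEY-}"
    publish_subgraph npx "$SUBGRAPH" "$NAMESPACE" "$SCHEMA"
    ;;
esac
```

Running the check before the publish means a schema that breaks composition fails the job without anything being published, and keeping the key out of the script (only in the pipeline's secret store, exported as COSMO_API_KEY) keeps it out of the repository and the build log.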

Compliance

Audit trail captures who changed what, and when

Scenario

A security team needs to demonstrate access control and change management for SOC 2 compliance. They require records of who made each change and whether it was a human or automated system.

How Cosmo handles it

Enable audit logging (Pro and above). Every action, whether by a user or an API key, is captured with actor, action, and timestamp. Visual indicators in the log distinguish human from automated actions.

Outcome

Compliance evidence is always available. No manual documentation required.

Why teams use Cosmo Access Control

  • One permission model for humans and machines. Groups work the same way for organization members and API keys. No duplicate configuration, no divergence between user and service account permissions.
  • Subgraph-level granularity. Roles apply at organization, namespace, graph, and subgraph levels. Teams get exactly the access they need for their resources, and nothing more.
  • Identity provider integration without glue code. SSO and SCIM connect Cosmo to your existing IdP. The user lifecycle (onboarding, role changes, offboarding) flows from your identity system automatically.

Get started

Secure your federated graph from day one