
Overview

Enterprise Governance extends Bifrost’s core governance capabilities with advanced security, compliance, and user management features designed for large-scale enterprise deployments. This module provides comprehensive identity management, regulatory compliance, and detailed audit capabilities.
Enterprise Extensions:
  • Identity & Access Management - OpenID Connect integration with Okta and Microsoft Entra
  • User-Level Governance - Individual user authentication and budget allocation
  • Role-Based Access Control - Fine-grained permissions with custom roles and resource-level controls
  • Team Synchronization - Automatic team membership based on identity provider groups
  • Compliance Framework - SOC 2 Type II, GDPR, ISO 27001, and HIPAA compliance
  • Advanced Auditing - Comprehensive audit reports and compliance dashboards
Builds Upon Core Governance:
  • All standard Virtual Keys, Teams, and Customers functionality
  • Hierarchical budget management and rate limiting
  • Model and provider access controls
  • Usage tracking and cost management

Identity Provider Integration

Bifrost Enterprise supports OpenID Connect (OIDC) integration with popular identity providers for single sign-on (SSO) authentication. Users are automatically provisioned on first login, with roles and team memberships synchronized from your identity provider.
Supported Identity Providers:
  • Okta - Full OIDC integration with custom roles and group sync
  • Microsoft Entra ID - Azure AD integration with app roles and group claims
Key Features:
  • Automatic User Provisioning - Users are created on first SSO login
  • Role Synchronization - Admin, Developer, and Viewer roles mapped from identity provider
  • Team Membership - Groups from your identity provider automatically create and sync teams
  • Secure Token Handling - JWT validation with automatic token refresh

Role Hierarchy

Bifrost uses a three-tier role hierarchy that maps to your identity provider roles:
Role       Privilege Level   Description
Admin      Highest           Full access to all Bifrost features and settings
Developer  Medium            Access to development features, API keys, and logs
Viewer     Lowest            Read-only access to dashboards and reports
When a user has multiple roles, Bifrost automatically assigns the highest privilege role. For detailed information on managing roles and permissions, including creating custom roles and assigning granular permissions, see Role-Based Access Control.
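An added example, not Bifrost's own code, of the highest-privilege rule applied to the role and group claims of a decoded ID token. The claim names in roleMap, the idpClaims shape, and the fail-closed NoRole for users with no recognised claim are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Role is one tier of Bifrost's hierarchy; a larger value means more privilege.
type Role int

const (
	NoRole Role = iota // nothing recognised: no access (fail closed; our assumption)
	Viewer
	Developer
	Admin
)

func (r Role) String() string { return [...]string{"none", "viewer", "developer", "admin"}[r] }

// idpClaims holds the two claim shapes the page mentions, Entra app roles ("roles")
// and identity-provider groups ("groups"); every other claim is ignored.
type idpClaims struct {
	Sub    string   `json:"sub"`
	Roles  []string `json:"roles"`
	Groups []string `json:"groups"`
}

// roleMap is a constructed mapping of IdP role/group names to Bifrost roles.
var roleMap = map[string]Role{
	"bifrost.admin":       Admin,
	"bifrost.developer":   Developer,
	"bifrost.viewer":      Viewer,
	"grp-bifrost-admins":  Admin,
	"grp-bifrost-readers": Viewer,
}

// EffectiveRole decodes a (signature-verified) ID-token payload and returns the highest-privilege role among recognised role and group claims.
func EffectiveRole(payload []byte) (Role, error) {
	var c idpClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return NoRole, err
	}
	best := NoRole
	for _, name := range append(append([]string{}, c.Roles...), c.Groups...) {
		if r, ok := roleMap[strings.ToLower(strings.TrimSpace(name))]; ok && r > best {
			best = r
		}
	}
	return best, nil
}
```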

Configuration

Identity provider configuration is done through the Bifrost UI:
  1. Navigate to Workspace → SCIM in the Bifrost dashboard
  2. Select your identity provider (Okta or Microsoft Entra)
  3. Enter the required credentials from your identity provider
  4. Enable the provider and save
For detailed setup instructions, see the provider-specific guides for Okta and Microsoft Entra.

User-Level Authentication & Budgeting

Enterprise Governance extends the hierarchical governance model to include individual user-level controls, providing granular access management and personalized budget allocation.

User Management

Enhanced Hierarchy:
Customer (organization-level budget)
  └─ Team (department-level budget)
       └─ User (individual-level budget + authentication)
            └─ Virtual Key (API-level budget + rate limits)
User Features:
  • Individual Authentication - SSO-based login credentials
  • Personal Budgets - User-specific cost allocation
  • Access Controls - Per-user model and provider restrictions
  • Usage Tracking - Individual consumption monitoring
  • Audit Trails - User-specific activity logging
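An added example, not Bifrost's code, of enforcing the four budget levels above together: a request must fit the Customer, Team, User and Virtual Key budgets at once and is debited at every level or at none. The Budget and Chain types, the dollar limits and the names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Budget is one level of the enhanced hierarchy: Customer, Team, User or Virtual Key.
type Budget struct {
	Name     string
	LimitUSD float64
	SpentUSD float64
}

func (b *Budget) Remaining() float64 { return b.LimitUSD - b.SpentUSD }

// Chain lists the budgets a request rolls up into, outermost (Customer) first.
type Chain []*Budget

var ErrBudgetExceeded = errors.New("budget exceeded")

// Charge admits a request costing costUSD only if every level can absorb it, then
// debits all levels; a rejection at any level leaves every level untouched.
func (c Chain) Charge(costUSD float64) error {
	if costUSD < 0 {
		return errors.New("cost must not be negative")
	}
	for _, b := range c {
		if b.Remaining() < costUSD {
			return fmt.Errorf("%w at %s: need $%.2f, $%.2f left", ErrBudgetExceeded, b.Name, costUSD, b.Remaining())
		}
	}
	for _, b := range c {
		b.SpentUSD += costUSD
	}
	return nil
}

// AliceChain builds a constructed hierarchy for user alice: the user-level cap ($20)
// is the tightest, so it binds before the team, customer or virtual-key limits do.
func AliceChain() Chain {
	return Chain{
		&Budget{Name: "customer:acme", LimitUSD: 1000},
		&Budget{Name: "team:platform", LimitUSD: 200},
		&Budget{Name: "user:alice@company.com", LimitUSD: 20},
		&Budget{Name: "vk-alice-personal", LimitUSD: 50},
	}
}
```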

User Authentication Flow

SSO Authentication:
# 1. User visits Bifrost login page
# 2. Redirected to identity provider (Okta/Entra)
# 3. After successful authentication, redirected back with tokens
# 4. Use access token for API requests

curl -X POST http://localhost:8080/v1/chat/completions \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
Virtual Key with User Context:
# Use virtual key with user tracking
curl -X POST http://localhost:8080/v1/chat/completions \
  -H "x-bf-vk: vk-alice-personal" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

Compliance Framework

Enterprise Governance includes built-in compliance capabilities for major regulatory frameworks including SOC 2 Type II, GDPR, ISO 27001, and HIPAA compliance. These features provide automated compliance monitoring, policy enforcement, and audit trail generation to meet enterprise security and regulatory requirements.

Audit Reports & Compliance Dashboards

Enterprise Governance provides comprehensive audit reporting and compliance dashboards for regulatory requirements and internal governance.

Audit Report Types

1. Access Audit Reports
  • User login/logout activities
  • Failed authentication attempts
  • Privilege escalation events
  • Unusual access patterns
2. Usage Audit Reports
  • API request tracking
  • Model and provider usage
  • Budget consumption patterns
  • Rate limit violations
3. Data Audit Reports
  • Data access and modification
  • Data export activities
  • Data deletion requests
  • Consent management tracking
4. Compliance Reports
  • SOC 2 Type II control evidence
  • GDPR compliance status
  • ISO 27001 risk assessments
  • HIPAA safeguard compliance

Report Generation

Reports can be generated from the Web UI or through the API. From the Web UI:
  1. Navigate to Audit Reports
    • Go to Enterprise → Audit & Compliance
    • Select Generate Report
  2. Report Configuration
Report Type:
  • Access Report: Authentication and authorization events
  • Usage Report: API consumption and cost analysis
  • Compliance Report: Regulatory compliance status
  • Security Report: Security events and incidents
Date Range:
  • Last 24 Hours: Recent activity
  • Last 7 Days: Weekly summary
  • Last 30 Days: Monthly analysis
  • Custom Range: Specific date range
Filters:
  • Users: Specific users or all users
  • Teams: Specific teams or all teams
  • Customers: Specific customers or all customers
  • Event Types: Filter by event categories
Export Options:
  • PDF: Formatted compliance report
  • CSV: Raw data for analysis
  • JSON: Structured data export

Compliance Dashboards

Real-Time Monitoring:
  • Security Posture: Current security status and alerts
  • Compliance Status: Regulatory compliance health check
  • Risk Assessment: Identified risks and mitigation status
  • Audit Trail: Recent audit events and activities
Dashboard Widgets:
curl -X GET http://localhost:8080/api/enterprise/dashboard/compliance \
  -H "Authorization: Bearer admin-token"

# Response includes:
{
  "security_posture": {
    "overall_score": 95,
    "active_alerts": 2,
    "failed_logins_24h": 5,
    "privilege_escalations": 0
  },
  "compliance_status": {
    "soc2_type2_compliance": "compliant",
    "gdpr_compliance": "compliant",
    "iso27001_compliance": "in_progress",
    "hipaa_compliance": "not_applicable"
  },
  "risk_assessment": {
    "high_risk_items": 0,
    "medium_risk_items": 3,
    "low_risk_items": 12,
    "mitigation_progress": "85%"
  },
  "recent_activities": [
    {
      "timestamp": "2024-01-15T10:30:00Z",
      "type": "user_login",
      "user": "alice@company.com",
      "status": "success"
    }
  ]
}

Automated Compliance Monitoring

Continuous Monitoring:
curl -X POST http://localhost:8080/api/enterprise/compliance/monitoring \
  -H "Content-Type: application/json" \
  -d '{
    "monitoring_rules": [
      {
        "name": "Failed Login Monitoring",
        "type": "security_event",
        "condition": "failed_logins > 10 in 1h",
        "action": "alert_security_team",
        "severity": "high"
      },
      {
        "name": "Data Export Monitoring",
        "type": "data_access",
        "condition": "data_export_size > 1GB",
        "action": "require_approval",
        "severity": "medium"
      },
      {
        "name": "Budget Threshold Alert",
        "type": "budget_usage",
        "condition": "usage > 80% of budget",
        "action": "notify_manager",
        "severity": "low"
      }
    ],
    "notification_channels": {
      "email": ["security@company.com", "compliance@company.com"],
      "slack": "#security-alerts",
      "webhook": "https://company.com/security-webhook"
    }
  }'
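An added example, not Bifrost's implementation, of evaluating the first rule above ("failed_logins > 10 in 1h") over constructed audit events with a sliding one-hour window. The Event type is assumed, and the parser deliberately accepts only the "<metric> > <count> in <window>" shape; the other condition shapes on the page are rejected rather than guessed at.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

type Event struct { // one constructed audit record; Type names the metric it counts toward
	Time time.Time
	Type string // e.g. "failed_logins"
}

type Rule struct { // parsed form of a "<metric> > <count> in <window>" condition
	Metric    string
	Threshold int
	Window    time.Duration
}

var condRe = regexp.MustCompile(`^(\w+)\s*>\s*(\d+)\s+in\s+([1-9]\d*[smh])$`) // window > 0

// ParseRule parses e.g. "failed_logins > 10 in 1h"; other shapes are rejected, not guessed at.
func ParseRule(condition string) (Rule, error) {
	m := condRe.FindStringSubmatch(condition)
	if m == nil {
		return Rule{}, fmt.Errorf("unsupported condition %q", condition)
	}
	n, _ := strconv.Atoi(m[2])       // the regexp guarantees plain digits
	w, _ := time.ParseDuration(m[3]) // and a valid positive duration
	return Rule{Metric: m[1], Threshold: n, Window: w}, nil
}

// Evaluate returns the first moment the matching events inside the trailing window exceed the threshold (the alert moment); events must be time-ordered.
func (r Rule) Evaluate(events []Event) (time.Time, bool) {
	var hits []time.Time // matching timestamps still inside the window
	for _, e := range events {
		if e.Type != r.Metric {
			continue
		}
		hits = append(hits, e.Time)
		for e.Time.Sub(hits[0]) >= r.Window { // age out timestamps older than the window
			hits = hits[1:]
		}
		if len(hits) > r.Threshold {
			return e.Time, true
		}
	}
	return time.Time{}, false
}
```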

Error Responses

Enterprise Governance extends standard governance errors with additional authentication and compliance-related responses.
Authentication Errors:
{
  "error": {
    "type": "authentication_required",
    "message": "SSO authentication required"
  }
}
{
  "error": {
    "type": "mfa_required",
    "message": "Multi-factor authentication required"
  }
}
Authorization Errors:
{
  "error": {
    "type": "user_not_authorized",
    "message": "User does not have permission to access this model"
  }
}
Compliance Errors:
{
  "error": {
    "type": "compliance_violation",
    "message": "Request violates GDPR data minimization requirements"
  }
}