3-Level RBAC with Separation of Duties
The person who operates the data is not the person who governs it. By design.
Framework / standard: ISO/IEC 38505-1 (Authority) · SoD (SOX/DORA) · ISO/IEC TR 38505-2 §6
The DBA who operates a table should not be able to approve the business term that describes it. Linedat separates who operates from who governs, with a three-level authorisation model and a single source of truth for permissions.
Three levels, one enum
Authorisation combines organisation role, domain role and resource ownership, all through a single permission enum. No role checks scattered across components, no copy-pasted conditionals: every authorisation decision goes through the same place.
Technical custodian without governance authority
The custodian role (technical operations) is deliberately below steward and does not inherit governance actions (approving terms, assigning owners). It is genuine separation of duties, aligned with what SOX and DORA require.
The limits (what we do not claim)
The organisation-level permission is the load-bearing gate; domain groups restrict within that permission, they do not grant above it. A role change can take up to the auth cache lifetime (~30 s) to propagate across processes if not explicitly invalidated.
How Linedat helps
Linedat gives you granular enterprise RBAC without complexity, with genuine separation of duties — the person who operates the data is not the person who governs it.
Related capabilities
Access with a typed purpose and an expiry date. Not "just because".
Consented and Time-Bounded Authority DelegationAuthority is not imposed: it is delegated, the delegate accepts it, and it expires on its own.
The Catalogue in Your IDE: Native MCP ServerYour IDE queries the catalogue without leaving the editor — and without bypassing a single permission.
