Scoped admin access with full audit trails

Give support agents exactly the access they need. Audit every action. Prevent accidental or unauthorized changes.

The scenario

Your support team needs to view customer data to resolve tickets. Engineers need broader access for debugging. But you need to ensure support agents can only read, not modify, and every access is logged for compliance.

Audit Log
10:42:15 agent_sarah VIEW customer:12345 [ALLOWED]
10:42:16 agent_sarah DELETE customer:12345 [DENIED]
10:43:00 engineer_mike UPDATE config:db_schema [ALLOWED]

The problem with hard-coded logic

All-or-nothing access

Support agents often get admin access because there's no way to give them read-only access to specific resources.

No audit trail

You can't prove who accessed what customer data or when. Compliance reviews become a nightmare.

Shared credentials

Teams share admin logins or API keys because building per-user scoped access is too much work.

Inconsistent internal tooling

Each internal tool has its own access control, and they're all implemented differently.

How Bailiff models it

Scoped roles for internal users

Create a "Support Agent" role with read-only permissions on customer data. Engineers get a separate role with write access.

await bailiff.assign('sarah', 'support_agent', 'customer:12345');
// support_agent can only VIEW, not EDIT or DELETE.

Same API for internal and external tools

Use the same Bailiff instance for your internal admin tools and your customer-facing product. One model, one API, one audit trail.

Every action is audited

Every check is logged with the full decision path. Export audit data for compliance reviews. Answer "who accessed what" instantly.
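To make the model concrete, here is a small stand-alone authorizer that implements the pattern the scenario describes: roles carry a fixed set of allowed actions, assignments scope a role to a resource, every check is denied unless an in-scope role grants the action, and each decision is appended to an audit log together with the path that led to it. This is an added illustration written for this page, not Bailiff's code or API; the `ROLES` table, the `Authorizer` class and the `config:*` wildcard scope are assumptions made for the example, and the sample users and timestamps are constructed to reproduce the audit log shown above.

```javascript
// Added example, not Bailiff's implementation: scoped roles with a
// default-deny check and an audit entry for every decision.

// Assumed role table: support agents may only VIEW, engineers may write.
const ROLES = {
  support_agent: new Set(['VIEW']),
  engineer: new Set(['VIEW', 'UPDATE', 'DELETE']),
};

class Authorizer {
  constructor() {
    this.assignments = []; // { user, role, resource }
    this.auditLog = [];    // one entry per check, allowed or denied
  }

  // Scope a role to a resource for one user (same shape as the assign
  // call shown on the page, but this is our own code).
  assign(user, role, resource) {
    if (!ROLES[role]) throw new Error(`unknown role: ${role}`);
    this.assignments.push({ user, role, resource });
  }

  // A scope matches an exact resource id, or a prefix wildcard such as
  // 'config:*' (assumed syntax for this example).
  static matches(scope, resource) {
    if (scope === resource) return true;
    if (scope.endsWith(':*')) return resource.startsWith(scope.slice(0, -1));
    return false;
  }

  // Default deny: the request is allowed only if some assignment for this
  // user covers the resource and its role grants the action. The decision
  // path records every assignment that was considered and why it did or
  // did not apply, so the audit log can answer "why" as well as "who".
  check(user, action, resource, time) {
    const path = [];
    let allowed = false;
    for (const a of this.assignments) {
      if (a.user !== user) continue;
      if (!Authorizer.matches(a.resource, resource)) {
        path.push(`role ${a.role} scoped to ${a.resource}: out of scope`);
        continue;
      }
      if (ROLES[a.role].has(action)) {
        path.push(`role ${a.role} on ${a.resource} grants ${action}`);
        allowed = true;
        break;
      }
      path.push(`role ${a.role} on ${a.resource} lacks ${action}`);
    }
    if (path.length === 0) path.push('no matching assignment');
    const entry = { time, user, action, resource, allowed, path };
    this.auditLog.push(entry);
    return entry;
  }

  // Render the log in the same one-line-per-decision form as the page.
  formatLog() {
    return this.auditLog.map(
      (e) => `${e.time} ${e.user} ${e.action} ${e.resource} [${e.allowed ? 'ALLOWED' : 'DENIED'}]`
    );
  }
}

// Constructed walk-through of the scenario: a read-only agent and an
// engineer with write access on configuration resources.
function demo() {
  const authz = new Authorizer();
  authz.assign('agent_sarah', 'support_agent', 'customer:12345');
  authz.assign('engineer_mike', 'engineer', 'config:*');
  authz.check('agent_sarah', 'VIEW', 'customer:12345', '10:42:15');
  authz.check('agent_sarah', 'DELETE', 'customer:12345', '10:42:16');
  authz.check('engineer_mike', 'UPDATE', 'config:db_schema', '10:43:00');
  return authz;
}

console.log(demo().formatLog().join('\n'));
```

Two points worth noting in the design: a check that finds no assignment at all still produces an audit entry (with the path `no matching assignment`), so denied requests from unknown or unassigned identities are visible in the log rather than silently dropped; and the agent's role is scoped to a single customer record, so a VIEW of any other customer is denied as out of scope even though the role itself permits VIEW.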

Try it in the playground

The Support Console scenario demonstrates scoped agent access with audit trails. Switch between support and engineering identities to see the difference.