Enterprise Bridge
Enterprise readiness for OpenClaw: audit logging + RBAC + SSO bridge. Make your agent deployment compliance-ready.
Quick Start
# Initialize enterprise features (creates config + audit log)
python3 scripts/enterprise-bridge.py init
# Enable audit logging (logs all agent actions)
python3 scripts/enterprise-bridge.py audit start
# View recent audit entries
python3 scripts/enterprise-bridge.py audit view --last 50
# Search audit log
python3 scripts/enterprise-bridge.py audit search --actor "iceman" --action "file_write"
# Export audit log (JSON, CSV, or SIEM-compatible format)
python3 scripts/enterprise-bridge.py audit export --format json --output audit-export.json
# RBAC: Create a role
python3 scripts/enterprise-bridge.py rbac create-role --name "developer" --permissions "read,write,execute"
# RBAC: Assign role to agent
python3 scripts/enterprise-bridge.py rbac assign --agent "iceman" --role "developer"
# RBAC: Check permission
python3 scripts/enterprise-bridge.py rbac check --agent "iceman" --action "file_write" --resource "/workspace/skills/"
# RBAC: List all roles and assignments
python3 scripts/enterprise-bridge.py rbac list
# SSO: Generate SAML/OIDC config template
python3 scripts/enterprise-bridge.py sso template --provider okta
# Compliance: Generate SOC 2 readiness report
python3 scripts/enterprise-bridge.py compliance report
Audit Logging
Every agent action is logged with:
- Timestamp (ISO 8601 UTC)
- Actor (agent name or user)
- Action (file_read, file_write, exec, api_call, model_switch, etc.)
- Resource (file path, URL, command)
- Result (success/failure)
- Session ID (for tracing)
- Metadata (token count, cost, duration)
Audit log stored at ~/.openclaw/enterprise/audit.jsonl
Log Format
{
"ts": "2026-04-06T05:00:00Z",
"actor": "iceman",
"action": "file_write",
"resource": "/workspace/skills/new-skill/SKILL.md",
"result": "success",
"session_id": "abc123",
"metadata": {"bytes_written": 4096, "duration_ms": 12}
}
Retention & Rotation
- Default retention: 90 days
- Auto-rotate at 100MB (compressed archives in
audit-archive/) - Configure in
enterprise-config.json
RBAC (Role-Based Access Control)
Built-in Roles
| Role | Permissions | Use Case |
|------|------------|----------|
| admin | * (all) | Full access — workspace owner |
| developer | read, write, execute, git | Build and test skills |
| analyst | read, search, export | Read-only analysis |
| operator | read, execute, deploy | Run but not modify |
| auditor | audit_read, export | Compliance review only |
Permission Types
read— Read files and memorywrite— Create/modify filesexecute— Run scripts and commandsgit— Git operations (commit, push)deploy— Deploy to production (website, Stripe)api_call— Make external API callsmodel_switch— Change AI modelaudit_read— Read audit logsexport— Export dataadmin— All permissions + role management
Resource Scoping
Permissions can be scoped to specific paths:
{
"role": "developer",
"permissions": ["read", "write", "execute"],
"scope": ["/workspace/skills/*", "/workspace/memory/*"]
}
SSO Integration
Generate config templates for enterprise identity providers:
- Okta (SAML 2.0)
- Azure AD (OIDC)
- Google Workspace (OIDC)
- Auth0 (OIDC)
- OneLogin (SAML 2.0)
Templates include callback URLs, entity IDs, and attribute mappings.
Compliance Report
Generates a readiness assessment covering:
- Audit logging status (enabled/disabled, retention policy)
- RBAC enforcement status
- SSO configuration
- Data encryption at rest/in transit
- Secret management practices
- Agent permission boundaries
- Recommendations for gaps