Enterprise Readiness Assessment
Comprehensive guide to evaluating and building enterprise-ready features including SSO, RBAC, audit logging, and data residency
The Enterprise Readiness workflow helps you evaluate your product's readiness for enterprise customers and guides you through implementing the necessary features.
Overview#
| Property | Value |
|---|---|
| Phases | 4 |
| Tier | Business |
| Typical Duration | 4-8 weeks |
| Best For | B2B SaaS, enterprise sales preparation |
Why Enterprise Readiness Matters#
Enterprise customers have specific requirements that differ significantly from SMB or consumer products:
- Security: Strict compliance requirements (SOC 2, GDPR, HIPAA)
- Control: Need for admin oversight and policy enforcement
- Integration: Must fit into existing IT infrastructure
- Support: Expect dedicated support and SLAs
Without these features, you'll lose deals to competitors or face lengthy procurement delays.
Enterprise Feature Checklist#
Must-Have Features#
| Feature | Priority | Description |
|---|---|---|
| SSO/SAML | Critical | Single Sign-On integration |
| RBAC | Critical | Role-based access control |
| Audit Logging | Critical | Track all user actions |
| Admin Console | High | Organization management |
| API Access | High | Programmatic access with tokens |
| Data Export | High | Full data portability |
Nice-to-Have Features#
| Feature | Priority | Description |
|---|---|---|
| SCIM Provisioning | Medium | Automated user management |
| Custom Domains | Medium | White-label capability |
| Data Residency | Medium | Region-specific data storage |
| Custom Contracts | Low | Flexible legal terms |
| On-Premise Option | Low | Self-hosted deployment |
Phases#
Phase 1: Assessment (3-5 days)#
Agents: architecture-expert, security-expert
Evaluate your current state against enterprise requirements.
Tasks:
- Audit current authentication system
- Review existing permission model
- Assess logging and monitoring coverage
- Identify compliance gaps
- Create prioritized implementation roadmap
Assessment Framework:
┌─────────────────────────────────────────────────────────────┐
│ ENTERPRISE READINESS SCORE │
├─────────────────────────────────────────────────────────────┤
│ Authentication [████████░░] 80% │ SSO needed │
│ Authorization [██████░░░░] 60% │ RBAC incomplete │
│ Audit & Logging [████░░░░░░] 40% │ Major gaps │
│ Admin Controls [██░░░░░░░░] 20% │ Not started │
│ API & Integrations [██████████] 100% │ Complete │
│ Data Management [██████░░░░] 60% │ Export needed │
├─────────────────────────────────────────────────────────────┤
│ Overall Score: 60% (Not Enterprise Ready) │
└─────────────────────────────────────────────────────────────┘
Phase 2: SSO Implementation (1-2 weeks)#
Agents: backend-expert, security-expert
Implement SAML-based Single Sign-On for enterprise identity providers.
Tasks:
- Choose SSO library (Auth0, WorkOS, or custom)
- Implement SAML 2.0 support
- Add identity provider configuration UI
- Handle JIT (Just-In-Time) provisioning
- Test with common IdPs (Okta, Azure AD, OneLogin)
SSO Implementation Example:
1// lib/auth/sso.ts
2import { SamlConfig } from 'saml2-js';
3
4export interface SSOConnection {
5 id: string;
6 organizationId: string;
7 provider: 'okta' | 'azure' | 'onelogin' | 'custom';
8 metadataUrl?: string;
9 certificate: string;
10 entryPoint: string;
11 issuer: string;
12}
13
14export async function initiateSSOLogin(
15 organizationSlug: string,
16 redirectUrl: string
17): Promise<string> {
18 const connection = await prisma.ssoConnection.findFirst({
19 where: { organization: { slug: organizationSlug } }
20 });
21
22 if (!connection) {
23 throw new Error('SSO not configured for this organization');
24 }
25
26 const samlRequest = createSAMLRequest({
27 issuer: process.env.SAML_ISSUER,
28 destination: connection.entryPoint,
29 assertionConsumerServiceUrl: `${process.env.APP_URL}/api/auth/sso/callback`,
30 state: { redirectUrl, orgId: connection.organizationId }
31 });
32
33 return connection.entryPoint + '?SAMLRequest=' + encodeURIComponent(samlRequest);
34}
35
36export async function handleSSOCallback(
37 samlResponse: string
38): Promise<{ user: User; session: Session }> {
39 const assertion = await validateSAMLResponse(samlResponse);
40
41 // Extract user attributes
42 const email = assertion.getAttribute('email');
43 const firstName = assertion.getAttribute('firstName');
44 const lastName = assertion.getAttribute('lastName');
45
46 // JIT provisioning - create user if doesn't exist
47 const user = await prisma.user.upsert({
48 where: { email },
49 update: { firstName, lastName, lastLoginAt: new Date() },
50 create: {
51 email,
52 firstName,
53 lastName,
54 organizationId: assertion.orgId,
55 authMethod: 'sso'
56 }
57 });
58
59 const session = await createSession(user.id);
60 return { user, session };
61}Phase 3: RBAC Implementation (1-2 weeks)#
Agents: backend-expert, database-expert
Build a flexible role-based access control system.
Tasks:
- Design permission model (roles, permissions, resources)
- Create database schema
- Implement permission checking middleware
- Build role management UI
- Set up default roles (Admin, Member, Viewer)
RBAC Database Schema:
1// prisma/schema.prisma
2
3model Organization {
4 id String @id @default(cuid())
5 name String
6 slug String @unique
7 users OrganizationUser[]
8 roles Role[]
9 ssoConfig SSOConnection?
10}
11
12model Role {
13 id String @id @default(cuid())
14 name String
15 description String?
16 organizationId String
17 organization Organization @relation(fields: [organizationId], references: [id])
18 permissions Permission[]
19 users OrganizationUser[]
20 isSystem Boolean @default(false)
21
22 @@unique([organizationId, name])
23}
24
25model Permission {
26 id String @id @default(cuid())
27 resource String
28 action String // create, read, update, delete, manage
29 roles Role[]
30
31 @@unique([resource, action])
32}
33
34model OrganizationUser {
35 id String @id @default(cuid())
36 userId String
37 organizationId String
38 roleId String
39 user User @relation(fields: [userId], references: [id])
40 organization Organization @relation(fields: [organizationId], references: [id])
41 role Role @relation(fields: [roleId], references: [id])
42
43 @@unique([userId, organizationId])
44}Permission Check Implementation:
1// lib/auth/permissions.ts
2
3export type Resource =
4 | 'projects'
5 | 'members'
6 | 'settings'
7 | 'billing'
8 | 'api_keys'
9 | 'audit_logs';
10
11export type Action = 'create' | 'read' | 'update' | 'delete' | 'manage';
12
13export async function hasPermission(
14 userId: string,
15 organizationId: string,
16 resource: Resource,
17 action: Action
18): Promise<boolean> {
19 const membership = await prisma.organizationUser.findUnique({
20 where: {
21 userId_organizationId: { userId, organizationId }
22 },
23 include: {
24 role: {
25 include: { permissions: true }
26 }
27 }
28 });
29
30 if (!membership) return false;
31
32 return membership.role.permissions.some(
33 p => p.resource === resource && (p.action === action || p.action === 'manage')
34 );
35}
36
37// Middleware for API routes
38export function requirePermission(resource: Resource, action: Action) {
39 return async (req: NextRequest) => {
40 const session = await getSession(req);
41 if (!session) {
42 return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
43 }
44
45 const orgId = req.headers.get('x-organization-id');
46 if (!orgId) {
47 return NextResponse.json({ error: 'Organization required' }, { status: 400 });
48 }
49
50 const allowed = await hasPermission(session.userId, orgId, resource, action);
51 if (!allowed) {
52 return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
53 }
54
55 return null; // Continue to handler
56 };
57}Phase 4: Audit Logging (1 week)#
Agents: backend-expert, database-expert, security-expert
Implement comprehensive audit logging for compliance and security.
Tasks:
- Design audit log schema
- Create logging middleware
- Implement log retention policies
- Build audit log viewer UI
- Add export capabilities
Audit Log Implementation:
1// lib/audit/logger.ts
2
3export interface AuditEvent {
4 actor: {
5 userId: string;
6 email: string;
7 ip?: string;
8 userAgent?: string;
9 };
10 action: string;
11 resource: {
12 type: string;
13 id: string;
14 name?: string;
15 };
16 organizationId: string;
17 metadata?: Record<string, unknown>;
18 timestamp: Date;
19}
20
21export async function logAuditEvent(event: AuditEvent): Promise<void> {
22 await prisma.auditLog.create({
23 data: {
24 actorId: event.actor.userId,
25 actorEmail: event.actor.email,
26 actorIp: event.actor.ip,
27 actorUserAgent: event.actor.userAgent,
28 action: event.action,
29 resourceType: event.resource.type,
30 resourceId: event.resource.id,
31 resourceName: event.resource.name,
32 organizationId: event.organizationId,
33 metadata: event.metadata,
34 timestamp: event.timestamp
35 }
36 });
37}
38
39// Higher-order function for automatic audit logging
40export function withAuditLog<T>(
41 action: string,
42 resourceType: string,
43 handler: (req: NextRequest, context: any) => Promise<T>
44) {
45 return async (req: NextRequest, context: any): Promise<T> => {
46 const session = await getSession(req);
47 const startTime = Date.now();
48
49 try {
50 const result = await handler(req, context);
51
52 await logAuditEvent({
53 actor: {
54 userId: session.userId,
55 email: session.email,
56 ip: req.headers.get('x-forwarded-for') || req.ip,
57 userAgent: req.headers.get('user-agent')
58 },
59 action,
60 resource: {
61 type: resourceType,
62 id: context.params?.id || 'unknown',
63 },
64 organizationId: session.organizationId,
65 metadata: {
66 duration: Date.now() - startTime,
67 success: true
68 },
69 timestamp: new Date()
70 });
71
72 return result;
73 } catch (error) {
74 await logAuditEvent({
75 actor: {
76 userId: session?.userId || 'anonymous',
77 email: session?.email || 'unknown',
78 ip: req.headers.get('x-forwarded-for') || req.ip,
79 userAgent: req.headers.get('user-agent')
80 },
81 action,
82 resource: {
83 type: resourceType,
84 id: context.params?.id || 'unknown',
85 },
86 organizationId: session?.organizationId || 'unknown',
87 metadata: {
88 duration: Date.now() - startTime,
89 success: false,
90 error: error.message
91 },
92 timestamp: new Date()
93 });
94
95 throw error;
96 }
97 };
98}Starting the Workflow#
1# Start the enterprise readiness assessment
2bootspring workflow start enterprise-readiness
3
4# Check current status
5bootspring workflow status
6
7# Run specific phase
8bootspring workflow run enterprise-readiness --phase sso
9
10# Generate readiness report
11bootspring enterprise readiness-reportDeliverables#
A successful Enterprise Readiness workflow produces:
- Enterprise readiness score and gap analysis
- SSO integration with SAML 2.0 support
- RBAC system with customizable roles
- Comprehensive audit logging
- Admin console for organization management
- API documentation for enterprise integrations
- Security compliance documentation
Best Practices#
- Start with assessment - Know your gaps before building
- Prioritize based on deals - Build what customers are asking for
- Use proven libraries - Don't roll your own crypto or auth
- Test with real IdPs - Set up test accounts with Okta, Azure AD
- Document everything - Enterprise procurement needs documentation
- Plan for scale - Audit logs grow fast, plan retention
Common Pitfalls#
- Building SSO without customer validation
- Over-engineering RBAC before understanding needs
- Insufficient audit log coverage
- Poor admin UI leading to support burden
- Ignoring data residency requirements