Enterprise Governance

SoftQCOS provides comprehensive governance features for organizations requiring access control, compliance, and audit capabilities for quantum computing workloads.

Overview

┌─────────────────────────────────────────────────────────────────┐
│                   ENTERPRISE GOVERNANCE                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │
│  │    RBAC     │  │  TENANTS    │  │   QUOTAS    │              │
│  │ ENFORCEMENT │  │ ISOLATION   │  │   LIMITS    │              │
│  └─────────────┘  └─────────────┘  └─────────────┘              │
│        │                │                │                       │
│        └────────────────┼────────────────┘                       │
│                         │                                        │
│                         ▼                                        │
│              ┌─────────────────────┐                            │
│              │   POLICY ENGINE     │                            │
│              └─────────────────────┘                            │
│                         │                                        │
│        ┌────────────────┼────────────────┐                       │
│        │                │                │                       │
│        ▼                ▼                ▼                       │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │
│  │   AUDIT     │  │  APPROVAL   │  │ COMPLIANCE  │              │
│  │  LOGGING    │  │  WORKFLOWS  │  │  REPORTS    │              │
│  └─────────────┘  └─────────────┘  └─────────────┘              │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

---

Role-Based Access Control (RBAC)

Predefined Roles

Role	Permissions
viewer	View jobs, view results
submitter	Submit jobs, view own jobs
researcher	Submit, cancel own jobs, export results
team_lead	Manage team, approve jobs, view team reports
admin	Full access, manage users, budgets, policies
billing	View costs, export reports, manage budgets

Role Hierarchy

                    admin
                      │
          ┌───────────┼───────────┐
          │           │           │
       billing    team_lead   researcher
          │           │           │
          │           │           │
          └───────────┼───────────┘
                      │
                  submitter
                      │
                   viewer

Assigning Roles

from softqcos_sdk import QCOSClient

client = QCOSClient(api_key="admin-api-key")

# Assign role to user
client.governance.assign_role(
    user_id="user-123",
    role="researcher",
    tenant_id="research-alpha",
    expires_at="2026-12-31T23:59:59Z"
)

# List user roles
roles = client.governance.get_user_roles(user_id="user-123")
for role in roles:
    print(f"{role.role} in {role.tenant_id} (expires: {role.expires_at})")

Custom Roles

Define custom roles with specific permissions:

# custom-roles.yaml
roles:
  quantum_intern:
    description: "Limited access for interns"
    permissions:
      - job:submit:simulator_only
      - job:view:own
      - result:view:own
    limits:
      max_shots_per_job: 1000
      max_jobs_per_day: 10
      backends:
        - simulator

  senior_researcher:
    description: "Full research access"
    inherits: researcher
    permissions:
      - job:submit:any_backend
      - job:priority:high
      - budget:view:team
    limits:
      max_shots_per_job: 100000
      max_jobs_per_day: 100

# Apply custom roles
client.governance.create_role(
    name="quantum_intern",
    permissions=["job:submit:simulator_only", "job:view:own"],
    limits={"max_shots_per_job": 1000}
)

---

Multi-Tenancy

Tenant Isolation

Each tenant operates in complete isolation:

┌─────────────────────────────────────────────────────┐
│                    QCOS PLATFORM                     │
├─────────────────────────────────────────────────────┤
│                                                      │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐ │
│  │  TENANT A   │  │  TENANT B   │  │  TENANT C   │ │
│  │             │  │             │  │             │ │
│  │ ┌─────────┐ │  │ ┌─────────┐ │  │ ┌─────────┐ │ │
│  │ │  Users  │ │  │ │  Users  │ │  │ │  Users  │ │ │
│  │ ├─────────┤ │  │ ├─────────┤ │  │ ├─────────┤ │ │
│  │ │ Budgets │ │  │ │ Budgets │ │  │ │ Budgets │ │ │
│  │ ├─────────┤ │  │ ├─────────┤ │  │ ├─────────┤ │ │
│  │ │  Jobs   │ │  │ │  Jobs   │ │  │ │  Jobs   │ │ │
│  │ ├─────────┤ │  │ ├─────────┤ │  │ ├─────────┤ │ │
│  │ │ Policies│ │  │ │ Policies│ │  │ │ Policies│ │ │
│  │ └─────────┘ │  │ └─────────┘ │  │ └─────────┘ │ │
│  └─────────────┘  └─────────────┘  └─────────────┘ │
│                                                      │
└─────────────────────────────────────────────────────┘

Creating Tenants

# Create tenant
tenant = client.governance.create_tenant(
    name="Research Lab Alpha",
    tenant_id="research-alpha",
    settings={
        "default_backend": "simulator",
        "require_job_approval": False,
        "allow_priority_queue": True
    },
    budget={
        "monthly_limit_usd": 5000,
        "alert_threshold_percent": 80
    }
)

# Create project within tenant
project = client.governance.create_project(
    tenant_id="research-alpha",
    project_id="quantum-ml",
    name="Quantum Machine Learning",
    settings={
        "cost_center": "CC-12345",
        "grant_id": "NSF-2026-001"
    }
)

Tenant Settings

# tenant-config.yaml
tenant:
  id: research-alpha
  name: "Research Lab Alpha"

settings:
  # Default execution settings
  default_backend: simulator
  default_shots: 1024
  max_shots: 100000

  # Governance
  require_job_approval: false
  approval_threshold_usd: 100.00
  allow_priority_queue: true

  # Security
  mfa_required: true
  session_timeout_minutes: 60
  ip_whitelist:
    - 192.168.1.0/24
    - 10.0.0.0/8

  # Notifications
  notify_on_budget_warning: true
  notify_on_job_failure: true
  notification_channels:
    - email
    - slack

# Projects
projects:
  - id: quantum-ml
    name: "Quantum ML"
    cost_center: "CC-12345"

  - id: chemistry
    name: "Molecular Simulation"
    cost_center: "CC-67890"

---

Quotas & Limits

Resource Limits

# Set tenant limits
client.governance.set_limits(
    tenant_id="research-alpha",
    limits={
        # Job limits
        "max_concurrent_jobs": 10,
        "max_jobs_per_hour": 100,
        "max_jobs_per_day": 500,

        # Resource limits
        "max_qubits_per_circuit": 50,
        "max_circuit_depth": 1000,
        "max_shots_per_job": 100000,
        "max_batch_size": 100,

        # Backend limits
        "allowed_backends": ["simulator", "ibm_brisbane", "ionq_aria"],
        "blocked_backends": [],

        # Priority limits
        "allow_priority_queue": True,
        "max_priority_jobs_per_day": 10
    }
)

Per-User Limits

# Override limits for specific user
client.governance.set_user_limits(
    user_id="user-123",
    tenant_id="research-alpha",
    limits={
        "max_jobs_per_day": 50,  # Lower than tenant default
        "allowed_backends": ["simulator"]  # Restricted backends
    }
)

---

Approval Workflows

Configuring Approvals

# approval-workflow.yaml
workflows:
  high_cost_job:
    trigger:
      condition: "estimated_cost_usd > 50"
    approvers:
      - role: team_lead
      - user: admin@example.com
    timeout_hours: 24
    on_timeout: reject
    notify:
      - submitter
      - approvers

  hardware_access:
    trigger:
      condition: "backend != 'simulator'"
    approvers:
      - role: admin
    auto_approve_for:
      - role: senior_researcher
    timeout_hours: 4
    on_timeout: escalate

  priority_queue:
    trigger:
      condition: "priority == 'high'"
    approvers:
      - role: team_lead
    max_approvals_per_day: 5

Approval API

# Submit job requiring approval
result = client.execute(
    circuit=circuit,
    backend="ibm_brisbane",
    shots=100000
)

if result.status == "pending_approval":
    print(f"Job {result.job_id} pending approval")
    print(f"Approvers notified: {result.approvers}")

# Approve job (as approver)
client.governance.approve_job(
    job_id="job-xyz789",
    decision="approve",
    comment="Approved for quarterly experiment"
)

# Or reject
client.governance.approve_job(
    job_id="job-xyz789",
    decision="reject",
    comment="Budget concerns - please use simulator"
)

---

Audit & Compliance

Audit Logging

All actions are automatically logged:

# Query audit logs
logs = client.governance.query_audit_logs(
    tenant_id="research-alpha",
    start_date="2026-01-01",
    end_date="2026-01-31",
    actions=[
        "job:submit",
        "job:cancel",
        "user:role_change",
        "budget:exceeded"
    ],
    users=["user-123", "user-456"]
)

for entry in logs:
    print(f"""
    Time: {entry.timestamp}
    User: {entry.user_id}
    Action: {entry.action}
    Resource: {entry.resource_type}/{entry.resource_id}
    Outcome: {entry.outcome}
    Details: {entry.details}
    """)

Audit Log Schema

{
  "audit_id": "audit-20260104-abc123",
  "timestamp": "2026-01-04T10:30:00Z",
  "tenant_id": "research-alpha",
  "user_id": "user-123",
  "session_id": "sess-xyz789",
  "action": "job:submit",
  "resource": {
    "type": "quantum_job",
    "id": "job-abc123"
  },
  "request": {
    "backend": "ibm_brisbane",
    "shots": 10000,
    "estimated_cost_usd": 0.50
  },
  "outcome": "success",
  "ip_address": "192.168.1.100",
  "user_agent": "softqcos-sdk/2.1.0"
}

Compliance Reports

# Generate compliance report
report = client.governance.generate_compliance_report(
    tenant_id="research-alpha",
    report_type="soc2",
    period="2026-Q1",
    format="pdf"
)

report.download("soc2-q1-2026.pdf")

Available Report Types:

Report	Description
soc2	SOC 2 Type II compliance evidence
iso27001	ISO 27001 audit trail
access_review	User access review
budget_usage	Budget utilization summary
job_summary	Job execution statistics
security_events	Security-related events

---

Policy Engine

Policy Definition

# policies.yaml
policies:
  # Prevent expensive jobs on weekends
  - name: "weekend_cost_limit"
    enabled: true
    condition: |
      day_of_week in ['Saturday', 'Sunday']
      and estimated_cost_usd > 10
    action: block
    message: "Jobs over $10 blocked on weekends"

  # Require tags for hardware jobs
  - name: "require_experiment_tag"
    enabled: true
    condition: |
      backend != 'simulator'
      and not tags.experiment
    action: block
    message: "Hardware jobs require 'experiment' tag"

  # Auto-route to simulator in dev
  - name: "dev_to_simulator"
    enabled: true
    condition: |
      tags.environment == 'development'
    action: modify
    modifications:
      backend: simulator

  # Notify on large jobs
  - name: "large_job_notification"
    enabled: true
    condition: |
      shots > 50000 or estimated_cost_usd > 25
    action: notify
    notify:
      - role: team_lead
      - channel: slack

Applying Policies

# Create policy
client.governance.create_policy(
    tenant_id="research-alpha",
    policy={
        "name": "weekend_cost_limit",
        "enabled": True,
        "condition": "day_of_week in ['Saturday', 'Sunday'] and estimated_cost_usd > 10",
        "action": "block",
        "message": "Jobs over $10 blocked on weekends"
    }
)

# List policies
policies = client.governance.list_policies(tenant_id="research-alpha")

# Disable policy
client.governance.update_policy(
    tenant_id="research-alpha",
    policy_name="weekend_cost_limit",
    updates={"enabled": False}
)

---

Security Features

API Key Management

# Create scoped API key
key = client.governance.create_api_key(
    name="ci-pipeline",
    scopes=["job:submit", "job:view"],
    expires_at="2026-12-31",
    allowed_ips=["192.168.1.0/24"],
    rate_limit=100  # requests per minute
)

print(f"API Key: {key.key}")  # Only shown once!
print(f"Key ID: {key.id}")

# Rotate key
new_key = client.governance.rotate_api_key(key_id=key.id)

# Revoke key
client.governance.revoke_api_key(key_id=key.id)

Session Management

# List active sessions
sessions = client.governance.list_sessions(user_id="user-123")

# Terminate session
client.governance.terminate_session(session_id="sess-xyz789")

# Terminate all sessions for user
client.governance.terminate_all_sessions(user_id="user-123")

IP Allowlisting

# security.yaml
security:
  ip_allowlist:
    enabled: true
    mode: enforce  # enforce | audit
    allowed:
      - 192.168.1.0/24
      - 10.0.0.0/8
      - 2001:db8::/32
    blocked:
      - 0.0.0.0/0  # Block everything else

---

Getting Started

1. Enable Governance

from softqcos_sdk import QCOSClient

client = QCOSClient(
    api_key="admin-api-key",
    governance_enabled=True
)

2. Create Tenant Structure

# Create tenant
client.governance.create_tenant(
    tenant_id="my-org",
    name="My Organization"
)

# Create projects
client.governance.create_project(
    tenant_id="my-org",
    project_id="research",
    name="Research Team"
)

3. Configure Roles

# Assign roles
client.governance.assign_role(
    user_id="alice",
    role="researcher",
    tenant_id="my-org"
)

4. Set Policies

# Create budget
client.governance.set_budget(
    tenant_id="my-org",
    monthly_limit_usd=1000
)

# Create policies
client.governance.create_policy(
    tenant_id="my-org",
    policy={
        "name": "require_tags",
        "condition": "not tags.project",
        "action": "block"
    }
)

---

Support

• Documentation: docs.softquantus.com/governance
• Enterprise Support: enterprise@softquantus.com
• Security Issues: security@softquantus.com