deepgram-enterprise-rbac

# Deepgram Enterprise RBAC

## Overview
Implement role-based access control for enterprise Deepgram deployments with team management and scoped permissions.

## Prerequisites
- Deepgram enterprise account
- Multiple projects configured
- Team management system
- Audit logging enabled

## Deepgram Permission Scopes

| Scope | Description | Use Case |
|-------|-------------|----------|
| `listen:*` | All transcription operations | Production services |
| `manage:*` | All management operations | Admin users |
| `usage:read` | View usage data | Billing team |
| `usage:write` | Modify usage | Service accounts |
| `keys:read` | View API keys | Security audits |
| `keys:write` | Create/delete keys | Admin users |

## Role Definitions

```typescript
// config/roles.ts
export interface Role {
  name: string;
  description: string;
  deepgramScopes: string[];
  appPermissions: string[];
}

export const roles: Record<string, Role> = {
  admin: {
    name: 'Administrator',
    description: 'Full access to all Deepgram resources',
    deepgramScopes: ['manage:*', 'listen:*', 'usage:*', 'keys:*'],
    appPermissions: ['*'],
  },
  developer: {
    name: 'Developer',
    description: 'Transcription and development access',
    deepgramScopes: ['listen:*', 'usage:read'],
    appPermissions: [
      'transcription:create',
      'transcription:read',
      'projects:read',
    ],
  },
  analyst: {
    name: 'Analyst',
    description: 'Read-only access to transcriptions and usage',
    deepgramScopes: ['usage:read'],
    appPermissions: [
      'transcription:read',
      'usage:read',
      'reports:read',
    ],
  },
  service: {
    name: 'Service Account',
    description: 'Automated service access',
    deepgramScopes: ['listen:*'],
    appPermissions: [
      'transcription:create',
      'transcription:read',
    ],
  },
  auditor: {
    name: 'Auditor',
    description: 'Security and compliance access',
    deepgramScopes: ['usage:read', 'keys:read'],
    appPermissions: [