Case Study — Government Data Platform

Koverse.
Designing for decisions
you can't take back.

When data engineers configure access control on classified records, they make permanent decisions. Most of them don't fully understand that — until it's too late. My job was to make sure they did.

Role
Lead Product Designer
Team
SAIC Innovation Factory
Stack
React · Figma
Timeline
2021 – 2025
Status
Deployed across DoD naval and classified government programs
Koverse Aether main dashboard

The Problem

One wrong decision.
Permanent consequences.

Koverse is a data platform for ingesting, managing, and analyzing large datasets in secure government environments. Its most technically significant feature is ABAC — Attribute-Based Access Control — a security mechanism that determines who can see what data based on matching attributes between records and users.

Configuring ABAC correctly at the moment of ingest is critical. Getting it wrong doesn't just cause access issues — it can result in classified data being exposed to users who shouldn't see it, or locked away from analysts who need it. And once the data is imported, the ABAC labels can never be changed.

"The design question: how to make a permanently consequential decision feel weighty without making the product feel hostile."

Koverse also has an edge extension — a platform for managing data across distributed, geographically dispersed deployments. Think: a network of military field sites, each running local data infrastructure, all feeding back to a central node. Two different products, one shared design philosophy: the interface is responsible for making the consequences of decisions visible, especially when those consequences are severe and irreversible.

Part One — ABAC Configuration

Key Screen — Access Control Config

The ABAC flow.
Three decisions that define the design.

ABAC configuration screen
Decision 01
Irreversibility as a first-class signal
A warning seen after committing is already half-ignored. This one appears before the decision.
Decision 02
Progressive disclosure as a commitment device
Nothing shows until the user commits. Configuration as consequence, not surprise.
Decision 03
Branching flows by data type
The kind of data you're ingesting determines the kind of access control you need. The UI makes that explicit.

The Data Layer

Structured + unstructured.
In the same view.

Mixed structured and unstructured dataset view

Koverse handles both structured tabular records and unstructured documents — images, PDFs, raw files — within the same dataset container. The mixed dataset view had to present both data types coherently, without forcing users into a mode-switched interface that felt like two separate products.

Each record renders its file thumbnail alongside its raw metadata — body text, document ID, record type, file storage flags. The SQL/Lucene search bar and the JSON view toggle give power users the control they need without cluttering the default view for analysts who just need to see what's there.

Part Two — Edge Data Management

Key Screen — Most Operationally Specific

The map that tells you
what it can't show you.

Aether geospatial site map
Decision 01
The hidden site pattern
In a classified deployment, some sites can't appear on a map — operators know how many sites they can see. The count is information. The location is protected.
Decision 02
Dark map as operational language
The dark-themed map isn't aesthetic — it's operational. Dark base layer makes pin density, clustering, and anomalous absences instantly readable.

The Site Manager

Status states, not
data structures.

Aether site manager dashboard

At the site level, the design problem shifts from geographic overview to operational monitoring. The operator needs to know: is this site healthy? Is data flowing correctly? I organized the site manager around status states rather than data structures.

Published, Connected, Available — these states map to operator actions, not technical conditions. An operator who sees "Available" when they expect "Published" knows exactly what to investigate without understanding the underlying data architecture. The throughput metrics (80 GB/s, 307.8 upload speed) are displayed in real time because in an edge environment, a site showing 0 GB/s when it should be showing 80 is a site that may be offline, disconnected, or under active disruption.

Takeaways

What building this
taught me.

The most important moment is the one before the irreversible action
When the consequences outlast the interaction, the design work happens before the click.
Operational constraints are design requirements
Security requirements aren't obstacles to good design. They're the brief.
The gap between capability and accomplishment is always a design gap
The technology was sound. The design work was translating capability into clarity. Both are necessary. Only one was missing.
No pattern library has a solution for every problem
Classified, high-stakes, operationally constrained — no pattern library covers this. You reason from first principles or you get it wrong.
← BACK All Work
NEXT → DHS