Access Control

Principal model + federation entrypoints + Cedar ABAC + per-Org markings. Role-derived permissions, entity scope restrictions, hash-chained audit logging, Ed25519 signing, and encrypted secret storage.

Principals & Roles

6 principal types, 7 roles, role hierarchy, badge colors.

Permissions

42 granular permissions across 7 groups. HashSet-based PermissionSet.

Registry & Profiles

UserProfile, Group, AgentProfile, CustomRoleDefinition, permission resolution.

Audit Trail

SHA-256 hash-chained entries, Ed25519 signatures, NDJSON persistence.

Secret Store

Environment, keyring, encrypted file backends. Per-key access control.

ABAC & Cedar policies

Fine-grained policy enforcement on every authenticated request. Bounded LRU decision cache.

Markings & propagation

Security labels through ingest. SDK envelope → WAL → per-frame fan-out filter.

Federation & SSO

SAML, OIDC OP/RP, SCIM 2.0 provisioning, smart cards (PIV/CAC), WebAuthn.

Auth Flow

graph TD REQ["Action Request"] --> CTX["AuthProvider.context_for(principal)"] CTX --> ROLE["Role.default_permissions()"] ROLE --> GRP["Group overrides applied"] GRP --> USR["User overrides applied"] USR --> AC["AuthContext"] AC --> PERM{"require(Permission)?"} PERM -->|Allowed| ENT{"require_entity()?"} ENT -->|Allowed| OK["✓ Proceed"] PERM -->|Denied| ERR["✗ PermissionDenied"] ENT -->|Denied| ERR

Questions?

Reach out for help with integration, deployment, or custom domain codecs.

Get Started Request a Demo