Skip to content

Documentation

Security & compliance

Custom roles built from 24 fine-grained permissions, multi-factor auth, OIDC/SAML SSO, SCIM provisioning, IP allowlist, GDPR erasure, and SIEM audit streaming.

Where:
Settings → Security · Settings → Roles · Settings → Audit
Permission:
MANAGE_SETTINGS · MANAGE_ROLES · VIEW_AUDIT_LOGS
Updated:
July 2026

Overview

  • MFA: TOTP, email OTP, SMS OTP, and recovery codes. Sensitive actions re-prompt for recent authentication.
  • OIDC and SAML SSO support verified email domains and controlled JIT provisioning. SCIM 2.0 covers user create, update, and deprovision flows.
  • IP allowlist applies to interactive login and is per-org. CIDR blocks, IPv4 + IPv6.
  • GDPR Article 17 erasure (with a SHA-256 proof record) and Article 15 DSAR export are supported. Audit data spans operational, auth, and security events, and the operational stream exports as NDJSON for SIEM.

Step by step

  1. 01

    Enforce MFA

    Settings → Security → Authentication. Require MFA for all users, or for specific roles. Choose which factors are allowed (TOTP, email OTP, SMS OTP).

  2. 02

    Wire OIDC or SAML SSO

    Settings → Authentication. Verify the email domain, provide the IdP details (issuer/endpoints for OIDC, or the SAML entry point and certificate), then test SSO before requiring it.

  3. 03

    Set the IP allowlist

    Settings → Security → IP allowlist. Add CIDR blocks (e.g., 10.0.0.0/8). Once any range is set, interactive logins from outside the list are rejected with an audit event.

  4. 04

    Stream audit to SIEM

    Settings → Audit → SIEM stream. Generate a streaming token and point your SIEM at /api/audit/stream — NDJSON, one event per line, cursor-resumable.

Good to know

  • Build a read-only reviewer role with VIEW_AUDIT_LOGS plus the entity read permissions and no writes — hand it to your auditor instead of an admin seat.
  • GDPR erasure produces a SHA-256 proof record so future DSARs can be matched without retaining identity.