Security & compliance
Custom roles built from 24 fine-grained permissions, multi-factor auth, OIDC/SAML SSO, SCIM provisioning, IP allowlist, GDPR erasure, and SIEM audit streaming.
- Where:
- Settings → Security · Settings → Roles · Settings → Audit
- Permission:
- MANAGE_SETTINGS · MANAGE_ROLES · VIEW_AUDIT_LOGS
- Updated:
- July 2026
Overview
- MFA: TOTP, email OTP, SMS OTP, and recovery codes. Sensitive actions re-prompt for recent authentication.
- OIDC and SAML SSO support verified email domains and controlled JIT provisioning. SCIM 2.0 covers user create, update, and deprovision flows.
- IP allowlist applies to interactive login and is per-org. CIDR blocks, IPv4 + IPv6.
- GDPR Article 17 erasure (with a SHA-256 proof record) and Article 15 DSAR export are supported. Audit data spans operational, auth, and security events, and the operational stream exports as NDJSON for SIEM.
Step by step
- 01
Enforce MFA
Settings → Security → Authentication. Require MFA for all users, or for specific roles. Choose which factors are allowed (TOTP, email OTP, SMS OTP).
- 02
Wire OIDC or SAML SSO
Settings → Authentication. Verify the email domain, provide the IdP details (issuer/endpoints for OIDC, or the SAML entry point and certificate), then test SSO before requiring it.
- 03
Set the IP allowlist
Settings → Security → IP allowlist. Add CIDR blocks (e.g., 10.0.0.0/8). Once any range is set, interactive logins from outside the list are rejected with an audit event.
- 04
Stream audit to SIEM
Settings → Audit → SIEM stream. Generate a streaming token and point your SIEM at /api/audit/stream — NDJSON, one event per line, cursor-resumable.
Good to know
- Build a read-only reviewer role with VIEW_AUDIT_LOGS plus the entity read permissions and no writes — hand it to your auditor instead of an admin seat.
- GDPR erasure produces a SHA-256 proof record so future DSARs can be matched without retaining identity.