Govern who is who, what they may do, and which tenant they may touch, with every credential encrypted at rest and every read scope-enforced.
Identity and access control decides everything else. Before a finding is read or a scan launched, PMAP answers three questions: who is this principal, what may they do, and which tenant data may they touch. Seven backend domains answer them together: auth, mfa, session, apikey, rbac, company, and license.
Every sensitive surface is built defensively. Nothing in this design surfaces a plaintext secret after issuance or accepts a replayed refresh token, and every stored credential is kept in a form chosen to resist cracking, brute-forcing, and guessing within the platform's own controls: secrets are encrypted or hashed at rest with no reversible path.

These domains form the outer edge of the platform. Auth is the first handler touched on every session; RBAC sits upstream of every business domain; company is the tenant root.
At a glance
- Login: Local bcrypt or LDAP/AD bind; complexity rule plus five-entry reuse history
- Step-up: TOTP MFA (RFC 6238), AES-256-GCM secret at rest, bcrypt recovery codes
- Sessions: Tracked per device, single-use refresh-token rotation, concurrent-session eviction
- Machine access: API keys stored as SHA-256 hashes (a fast, unstretched hash is adequate here only because the key is a platform-generated high-entropy secret, never a user-chosen password), pmap_v1_ prefix, secret shown exactly once
- Authorization: 10 entities by 6 actions, global/company/project scope, time-bound grants
- Tenant boundary: ScopeFilter on every list, export, and facet; empty allow-list is default-deny
- License gate: Ed25519-signed token verified offline; writes blocked when expired or revoked
How it works
Identity is verified once, authorization is resolved from one matrix, and the tenant boundary is enforced in every domain, with every credential encrypted or hashed at rest and no plaintext secret ever surfaced after issuance.
The auth domain owns every credential exchange. Login falls through three ordered cases, evaluated per request so directory changes take effect without a restart, and a verified principal receives short-lived tokens, never a long-lived secret in reversible form.
RBAC is the authorization backbone: a role is any subset of 60 entity-action pairs, granted at one of three scopes with an optional expiry. The company row is the tenant boundary, and an Ed25519 license gate guards every write.
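The matrix, the scoped grants and the ScopeFilter described above, as an added example that is not PMAP's own code. The entity and action names, the row layout and every helper name (Role, Grant, ScopeFilter, resolve_scope, demo) are assumptions made for illustration; the page fixes only the counts (10 entities, 6 actions, 60 pairs), the three scopes, the expiry, the platform_admin guard and the default-deny rule.

```python
"""Added example, not PMAP's own code: a 10 x 6 permission matrix, scoped and
time-bound grants, and a default-deny ScopeFilter. Entity and action names,
the row layout and all helper names are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Set, Tuple
import uuid

# Assumed vocabulary: 10 entities x 6 actions = 60 pairs, fixed in code.
ENTITIES = ("asset", "scan", "finding", "report", "user", "role",
            "company", "project", "apikey", "license")
ACTIONS = ("create", "read", "update", "delete", "export", "execute")
PERMISSIONS: FrozenSet[Tuple[str, str]] = frozenset(
    (e, a) for e in ENTITIES for a in ACTIONS)


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Tuple[str, str]]   # any subset of the 60 pairs
    is_system: bool = False

    def __post_init__(self):
        unknown = self.permissions - PERMISSIONS
        if unknown:
            raise ValueError(f"not in the matrix: {sorted(unknown)}")

    def allows(self, entity: str, action: str) -> bool:
        # Wildcard only for the system-owned platform_admin; a tenant role
        # that merely borrows the name gets no short-circuit.
        if self.is_system and self.name == "platform_admin":
            return True
        return (entity, action) in self.permissions


@dataclass(frozen=True)
class Grant:
    role: Role
    scope: str                              # "global", "company" or "project"
    company_id: Optional[uuid.UUID] = None
    project_id: Optional[uuid.UUID] = None
    expires_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class ScopeFilter:
    """Allow-list that every list, export, facet and fetch-by-id passes through."""
    unrestricted: bool = False
    company_ids: Set[uuid.UUID] = field(default_factory=set)
    project_ids: Set[uuid.UUID] = field(default_factory=set)

    def apply(self, rows: List[dict]) -> List[dict]:
        if self.unrestricted:
            return list(rows)
        if not self.company_ids and not self.project_ids:
            return []                       # default-deny: nothing, never everything
        return [r for r in rows if r["company_id"] in self.company_ids
                or r["project_id"] in self.project_ids]

    def get(self, rows: List[dict], row_id: uuid.UUID) -> dict:
        visible = {r["id"]: r for r in self.apply(rows)}
        if row_id in visible:
            return visible[row_id]
        if any(r["id"] == row_id for r in rows):
            raise PermissionError("cross-tenant access by id rejected")
        raise KeyError(row_id)


def resolve_scope(grants: List[Grant], entity: str, action: str,
                  now: datetime) -> ScopeFilter:
    """Fold every live grant that carries (entity, action) into one filter."""
    f = ScopeFilter()
    for g in grants:
        if not g.active(now) or not g.role.allows(entity, action):
            continue                        # lapsed grants drop out on the next resolve
        if g.scope == "global":
            f.unrestricted = True
        elif g.scope == "company":
            f.company_ids.add(g.company_id)
        elif g.scope == "project":
            f.project_ids.add(g.project_id) # the project only, not its owning company
    return f


def demo() -> dict:
    """Constructed tenants: company A (projects p1, p2) and company B (p3)."""
    a, b, p1, p2, p3 = (uuid.uuid4() for _ in range(5))
    rows = [{"id": uuid.uuid4(), "company_id": c, "project_id": p}
            for c, p in ((a, p1), (a, p2), (b, p3))]
    viewer = Role("finding_viewer", frozenset({("finding", "read")}))
    now = datetime.now(timezone.utc)
    consultant = [Grant(viewer, "project", company_id=a, project_id=p1)]
    reviewer = [Grant(viewer, "company", company_id=a,
                      expires_at=now + timedelta(days=90))]
    imposter = [Grant(Role("platform_admin", frozenset()), "global")]  # is_system=False

    def scope_for(grants, at):
        return resolve_scope(grants, "finding", "read", at)

    try:
        scope_for(consultant, now).get(rows, rows[2]["id"])   # finding in company B
        cross_tenant = "allowed"
    except PermissionError:
        cross_tenant = "rejected"
    return {
        "consultant_sees_only_p1":
            [r["project_id"] for r in scope_for(consultant, now).apply(rows)] == [p1],
        "reviewer_rows": len(scope_for(reviewer, now).apply(rows)),
        "lapsed_rows": len(scope_for(reviewer, now + timedelta(days=91)).apply(rows)),
        "imposter_rows": len(scope_for(imposter, now).apply(rows)),
        "cross_tenant": cross_tenant,
    }
```

The point to carry over is that the filter is built from grants and then applied to every read path, including fetch-by-id: there is no code path that returns rows without passing through it, so a guessed UUID in another tenant fails the same way a list would.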
Key capabilities
- A single permission matrix. 10 entity types by 6 actions (60 pairs), fixed in code and served to the role builder by a metadata endpoint so the frontend never hardcodes it. platform_admin short-circuits to wildcard, guarded by both the is_system flag and the name.
- Three scopes, time-bound. global, company, or project, each with an optional expiry. A project-scoped grant does not open the owning company, so a consultant sees only their project, not sibling projects. A lapsed grant drops from scope within seconds.
- Scope-enforced by construction. Every repository applies a ScopeFilter over allowed company UUIDs. A non-unrestricted scope with an empty allow-list is default-deny, returning nothing rather than everything, and cross-tenant access by ID is rejected explicitly.
- No token replay. Every refresh atomically rotates the refresh JTI in one statement, so a captured refresh token is worthless the instant the legitimate client uses it once. Access tokens expire in 15 minutes, bounding any window.
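The single-use rotation and the forced termination described in this list (and in the "Contain a compromised session" use case below), as an added example that is not PMAP's own code. The token format, the in-memory store, the 14-day refresh lifetime, the per-user cap of three sessions and all helper names are assumptions; the lock stands in for the single atomic UPDATE ... WHERE refresh_jti = ? statement a database-backed store would use. It also goes one step beyond the page by revoking the whole session when a stale JTI is presented, which is labelled in the code.

```python
"""Added example, not PMAP's own code: per-device sessions with single-use
refresh-token rotation, replay rejection, eviction and forced termination.
Token format, store, lifetimes, session cap and helper names are assumptions."""
import hashlib
import hmac
import secrets
import threading

ACCESS_TTL = 15 * 60            # page: access tokens expire in 15 minutes
REFRESH_TTL = 14 * 24 * 3600    # assumed refresh lifetime
MAX_SESSIONS = 3                # assumed concurrent-session cap per user


class SessionStore:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._lock = threading.Lock()
        self._sessions: dict = {}       # session_id -> session row

    def _sign(self, payload: str) -> str:
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

    def _mint(self, sid: str, jti: str, now: float):
        access = self._sign(f"a.{sid}.{int(now + ACCESS_TTL)}")
        refresh = self._sign(f"r.{sid}.{jti}")      # carries the current JTI only
        return access, refresh

    def login(self, user: str, device: str, ip: str, now: float):
        with self._lock:
            mine = sorted((s for s in self._sessions.values()
                           if s["user"] == user and not s["revoked"]),
                          key=lambda s: s["last_active"])
            while len(mine) >= MAX_SESSIONS:        # evict the least recently active
                self._sessions.pop(mine.pop(0)["id"])
            sid, jti = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
            self._sessions[sid] = {"id": sid, "user": user, "device": device,
                                   "ip": ip, "last_active": now, "refresh_jti": jti,
                                   "revoked": False, "expires": now + REFRESH_TTL}
        return sid, self._mint(sid, jti, now)

    def refresh(self, token: str, now: float):
        try:
            payload, _sig = token.rsplit(".", 1)
            kind, sid, jti = payload.split(".")
        except ValueError:
            return None
        if kind != "r" or not hmac.compare_digest(self._sign(payload), token):
            return None                             # tampered, or not a refresh token
        with self._lock:                            # compare-and-rotate as one step
            s = self._sessions.get(sid)
            if s is None or s["revoked"] or now >= s["expires"]:
                return None
            if not hmac.compare_digest(s["refresh_jti"], jti):
                # Stale JTI: a replay of a captured token, or the real client
                # arriving after an attacker spent it. Beyond the page's text,
                # this example also kills the session on reuse.
                s["revoked"] = True
                return None
            s["refresh_jti"] = secrets.token_urlsafe(24)
            s["last_active"] = now
            jti = s["refresh_jti"]
        return self._mint(sid, jti, now)

    def list_sessions(self, user: str):
        return [{"id": s["id"], "device": s["device"], "ip": s["ip"],
                 "last_active": s["last_active"]}
                for s in self._sessions.values()
                if s["user"] == user and not s["revoked"]]

    def terminate(self, sid: str) -> bool:
        with self._lock:
            s = self._sessions.get(sid)
            if s is not None:
                s["revoked"] = True
            return s is not None


def demo() -> dict:
    """Constructed walkthrough: capture, rotation, replay, kill, burst of logins."""
    store, t0 = SessionStore(secrets.token_bytes(32)), 1_700_000_000.0
    sid1, (_, r1) = store.login("alice", "laptop", "203.0.113.7", t0)
    rotated = store.refresh(r1, t0 + 600)       # legitimate client refreshes first
    replay = store.refresh(r1, t0 + 601)        # captured r1 is now worthless
    sid2, (_, r2) = store.login("alice", "phone", "198.51.100.9", t0 + 700)
    listed = [s["device"] for s in store.list_sessions("alice")]
    store.terminate(sid2)                       # SOC lead force-terminates it
    after_kill = store.refresh(r2, t0 + 800)    # next refresh is blocked
    for i in range(4):                          # cap holds across extra logins
        store.login("alice", f"dev{i}", "192.0.2.1", t0 + 900 + i)
    return {"rotated": rotated is not None and rotated[1] != r1,
            "replay_rejected": replay is None,
            "listed": listed,
            "terminated_rejected": after_kill is None,
            "live_after_burst": len(store.list_sessions("alice"))}
```

Note what termination does and does not do here: the next refresh fails at once, but an access token already minted for that session is still a valid signature until its 15-minute expiry, which is the bound the page relies on.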
Use cases
- Enforce step-up platform-wide. A CISO marks MFA required for all users. Sign-ins without an authenticator are walked through TOTP enrollment, the 160-bit secret is stored AES-256-GCM encrypted, and ten one-time recovery codes are shown once.
- Contain a compromised session. A SOC lead opens the target user's session list, sees each device by label, IP, and last-active time, and force-terminates the suspect session. The revoked session blocks the next refresh immediately; an access token already issued to it stays usable only until the remaining 15-minute window closes.
- Grant time-bound subsidiary access. A manager assigns a reviewer a company-scoped role over one subsidiary, expiring at quarter end. The reviewer sees only that subsidiary, never sibling tenants, and the grant drops from scope within seconds when it lapses.
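The step-up enrollment and verification from the first use case above, as an added example that is not PMAP's own code. It uses only the standard library, so two substitutions are labelled: recovery codes are hashed with PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt the page specifies, and the 160-bit secret is held in memory where a deployment would keep it AES-256-GCM encrypted at rest. The issuer name, the code length, the one-step skew window and the helper names (hotp, totp, enroll, Enrollment, demo) are assumptions; the TOTP arithmetic itself is RFC 4226/6238.

```python
"""Added example, not PMAP's own code: RFC 6238 TOTP enrollment and step-up
verification with ten one-time recovery codes. PBKDF2 stands in for bcrypt
and the secret is kept in memory where AES-256-GCM at rest would apply."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP, DIGITS = 30, 6
PBKDF2_ROUNDS = 50_000          # illustration only; bcrypt is the page's choice


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, at: float) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret, int(at // STEP))


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class Enrollment:
    """What the server persists: the secret, the accepted-step marker, code hashes."""

    def __init__(self):
        self.secret = secrets.token_bytes(20)   # 160 bits, as SHA-1 TOTP apps expect
        self.last_counter = -1                  # highest time step already accepted
        self.recovery = []                      # list of (salt, hash); plaintext never kept

    def verify_totp(self, code: str, at: float, skew: int = 1) -> bool:
        counter = int(at // STEP)
        for c in range(counter - skew, counter + skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c           # a code accepted once never works again
                return True
        return False

    def verify_recovery(self, code: str) -> bool:
        for i, (salt, digest) in enumerate(self.recovery):
            if hmac.compare_digest(_hash_code(code, salt), digest):
                del self.recovery[i]            # burned on first use
                return True
        return False


def enroll(account: str, issuer: str = "PMAP"):
    """Returns the enrollment to persist and the material to display exactly once."""
    e = Enrollment()
    plain = [secrets.token_hex(5) for _ in range(10)]
    for c in plain:
        salt = secrets.token_bytes(16)
        e.recovery.append((salt, _hash_code(c, salt)))
    b32 = base64.b32encode(e.secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")
    return e, {"uri": uri, "recovery_codes": plain}


def demo() -> dict:
    """Constructed walkthrough: fresh code, reuse, wrong code, recovery burn."""
    e, shown = enroll("alice@example.com")
    t = 1_700_000_000.0
    code = totp(e.secret, t)                    # what the authenticator app shows
    wrong = "000000" if code != "000000" else "000001"
    return {"accepts_fresh": e.verify_totp(code, t + 10),
            "rejects_reuse": not e.verify_totp(code, t + 20),
            "rejects_wrong": not e.verify_totp(wrong, t),
            "recovery_once": e.verify_recovery(shown["recovery_codes"][3]),
            "recovery_burned": not e.verify_recovery(shown["recovery_codes"][3]),
            "codes_left": len(e.recovery)}
```

The last_counter marker is the detail worth keeping: a skew window of one step means a code is valid for up to 90 seconds, and without recording the step that was accepted, the same code could be replayed inside that window.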
Verified once, authorized from one matrix, scope-enforced in every domain.


