
Enterprise Identity & Access

Identity & Access

ReguShield's identity and access model — what is live today and what is on the enterprise roadmap. Role-based access control, the invite/membership flow and session audit are implemented; enterprise SSO, SAML, OIDC, SCIM and MFA enforcement are honestly labelled Planned / Roadmap. Authentication and tenant isolation (Supabase Auth + row-level security) remain the security boundary.

6 Implemented · 5 Planned · 4 Roadmap

Posture

Identity & Access Capabilities

SSO, SAML, OIDC, SCIM, MFA, session, network, device and RBAC — with honest maturity.

Authentication · OAuth2 / JWT

Implemented

Supabase Auth (email/password) with JWT sessions; access scoped to the verified session email.

Single Sign-On (SSO) · SSO

Planned

Enterprise SSO via the customer's identity provider — planned for the Infrastructure tier.

SAML 2.0 · SAML 2.0

Roadmap

SAML 2.0 federation with enterprise IdPs (Okta, Entra ID, Ping) — roadmap.

OpenID Connect (OIDC) · OIDC

Planned

OIDC federation; the underlying auth provider supports OIDC connectors — planned to expose per-tenant.

SCIM Provisioning · SCIM 2.0

Roadmap

Automated user provisioning/de-provisioning and group sync from the IdP — roadmap.

Multi-Factor Authentication · TOTP / WebAuthn

Planned

TOTP-based MFA; the auth provider supports MFA enrolment — planned to enforce per-tenant policy.

Identity Policies · Policy

Planned

Per-tenant password, MFA-required and login policies — basic policy live; configurable enforcement planned.

Session Controls · Session

Implemented

JWT sessions with sign-out and server-side verification on every request; configurable idle/absolute timeout planned.

IP Allow-listing · IP allow-list

Roadmap

Restrict workspace access to allow-listed IP ranges/CIDRs — roadmap.

Device Trust · Device posture

Roadmap

Managed/trusted-device posture checks at sign-in — roadmap.

Role-Based Access Control · RBAC

Implemented

Five workspace roles with a documented permission matrix; enforced in UI and by RLS at the data layer.

Enterprise Directory · Directory

Implemented

Per-organisation member roster (pilot_organization_members) with roles and invited/active status; IdP directory sync planned.

Access Reviews · Access certification

Planned

Periodic review/recertification of member access and roles — process + surface planned.

Session & Access Audit · Audit

Implemented

Append-only audit of access-relevant actions; per-session authentication audit being expanded.

Invite Flow · Provisioning

Implemented

Owner invites members (invited → active) via the accept-invite flow; role assigned at invite.

Federation

SSO Protocol Support

Protocol · Status · Target IdPs

SAML 2.0 · Roadmap · Okta, Microsoft Entra ID, Ping, OneLogin
OpenID Connect · Planned · Entra ID, Google Workspace, Okta
SCIM 2.0 · Roadmap · Okta, Entra ID (user/group sync)

Authorization

RBAC Matrix

The live role → permission matrix enforced across the workspace (and at the data layer via RLS).

Permission · Owner · Compliance Officer · Risk Manager · Auditor · Viewer
Manage Organization
Invite Members
Edit Member Roles
Upload Evidence
Review Evidence
Create Remediation Actions
Close Remediation Actions
Generate Reports
View Audit Trail
Manage Regulatory Submissions

Owner: Full access. Manages workspace setup, entities, and pilot activation.

Compliance Officer: Manages remediation actions, evidence, and regulatory submissions.

Risk Manager: Reviews risk scores, alerts, and audit readiness. Cannot change workspace settings.

Auditor: Read-only access to evidence, audit packages, and reports for independent review.

Viewer: Read-only access to dashboards and reports. Cannot take any action.

Controls

Identity Policies & Session Controls

Identity Policies

Password authentication · Implemented
MFA required (per tenant) · Planned
IP allow-listing · Roadmap
Device trust / posture · Roadmap
SSO-only enforcement · Planned

Session Controls

JWT session verification (server-side) · Implemented
Explicit sign-out / session revocation · Implemented
Idle / absolute session timeout (configurable) · Planned
Concurrent-session limits · Roadmap

Lifecycle

Directory, Invite Flow & Access Reviews

Invite Flow

Implemented
  1. Owner invites a member by email and assigns a role.
  2. Member record is created with status 'invited'.
  3. Member accepts via the accept-invite flow and is set to 'active'.
  4. Access is governed by the assigned role (RBAC) and RLS.

Access Reviews

Planned

Cadence: Periodic (recommended quarterly) + on role change

  • Member roster vs intended access
  • Role appropriateness (least privilege)
  • Removal of departed members
  • Owner/admin role concentration
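The RBAC matrix, the invite flow and the access-review checks above all rest on the same boundary this page names, Supabase Auth plus row-level security. As an added example (not ReguShield's own schema or code), here is how those rules map onto Postgres RLS in the Supabase style. The page supplies only the table name pilot_organization_members, the five role names, the 'invited'/'active' statuses and the role descriptions; every column name, the remediation_actions table, the helper functions and the policy names are assumptions made for illustration. auth.jwt() and auth.users are real Supabase objects.

```sql
-- Added example, not ReguShield's schema or code. Known from the page:
-- table pilot_organization_members, five roles, statuses 'invited'/'active',
-- Owner invites and assigns the role, RLS enforces access at the data layer.
-- Assumed for illustration: all column names, the remediation_actions table,
-- and every function and policy name below. Supabase's auth.jwt() and
-- auth.users are real; everything else is constructed.

create type member_role as enum
  ('owner', 'compliance_officer', 'risk_manager', 'auditor', 'viewer');
create type member_status as enum ('invited', 'active');

create table pilot_organization_members (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  email           text not null,          -- matched against the session
  role            member_role not null,   -- assigned by the Owner at invite
  status          member_status not null default 'invited',
  invited_by      uuid references auth.users (id),
  unique (organization_id, email)
);

-- Identity the page scopes access to: the email claim of the verified JWT.
create function current_member_email() returns text
  language sql stable as $$
    select lower(coalesce(auth.jwt() ->> 'email', ''))
  $$;

-- Caller's role in an organization, or null if not an ACTIVE member.
-- security definer so the lookup is not itself blocked by the roster policy.
create function member_role_in(org uuid) returns member_role
  language sql stable security definer set search_path = public as $$
    select role from pilot_organization_members
     where organization_id = org
       and email = current_member_email()
       and status = 'active'
  $$;

alter table pilot_organization_members enable row level security;

-- Tenant isolation: active members read only their own organization's roster.
create policy "roster: read own org" on pilot_organization_members
  for select using (member_role_in(organization_id) is not null);

-- Invite flow steps 1-2: only an active Owner inserts, and the row must
-- start as 'invited'.
create policy "roster: owner invites" on pilot_organization_members
  for insert with check (
    member_role_in(organization_id) = 'owner' and status = 'invited');

-- "Edit Member Roles" is Owner-only; no other role can update the roster.
create policy "roster: owner edits roles" on pilot_organization_members
  for update using (member_role_in(organization_id) = 'owner')
  with check (member_role_in(organization_id) = 'owner');

-- Invite flow step 3: acceptance is a narrow security-definer function rather
-- than an update policy, so the invitee can change status and nothing else.
create function accept_invite(org uuid) returns void
  language sql security definer set search_path = public as $$
    update pilot_organization_members
       set status = 'active'
     where organization_id = org
       and email = current_member_email()
       and status = 'invited'
  $$;
revoke execute on function accept_invite(uuid) from public;
grant execute on function accept_invite(uuid) to authenticated;  -- Supabase role

-- Step 4: the same role lookup gates every other tenant table. Per the role
-- descriptions, Owner and Compliance Officer manage remediation actions;
-- Risk Manager, Auditor and Viewer only read them.
create table remediation_actions (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  title           text not null,
  closed_at       timestamptz
);
alter table remediation_actions enable row level security;
create policy "actions: read own org" on remediation_actions
  for select using (member_role_in(organization_id) is not null);
create policy "actions: create or close" on remediation_actions
  for all using (member_role_in(organization_id) in ('owner', 'compliance_officer'))
  with check (member_role_in(organization_id) in ('owner', 'compliance_officer'));

-- Access-review query (the page lists reviews as Planned): owner concentration
-- and invites never accepted, per organization.
select organization_id,
       count(*) filter (where role = 'owner' and status = 'active') as active_owners,
       count(*) filter (where status = 'invited') as pending_invites
  from pilot_organization_members
 group by organization_id;
```

The design point is that the UI never has to be trusted: a client that bypasses the workspace front end still hits member_role_in() on every row, and acceptance goes through a function that can only move a row from 'invited' to 'active' for the email in the caller's own token. The final query gives a reviewer the two signals the access-review list calls out, owner concentration and stale invites, without any additional tracking columns.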

Identity posture labels: Implemented (live) · Planned (in progress) · Roadmap (intended, not yet in place). Authentication and tenant isolation (Supabase Auth + RLS) are the security boundary. Decision-support — not legal advice.