Enterprise Identity & Access
Identity & Access
ReguShield's identity and access model — what is live today and what is on the enterprise roadmap. Role-based access control, the invite/membership flow and session audit are implemented; enterprise SSO, SAML, OIDC, SCIM and MFA enforcement are honestly labelled Planned / Roadmap. Authentication and tenant isolation (Supabase Auth + row-level security) remain the security boundary.
6 Implemented · 5 Planned · 4 Roadmap
Posture
Identity & Access Capabilities
SSO, SAML, OIDC, SCIM, MFA, session, network, device and RBAC — with honest maturity.
| Capability | Tag | Status | Notes |
|---|---|---|---|
| Authentication | OAuth2 / JWT | Implemented | Supabase Auth (email/password) with JWT sessions; access scoped to the verified session email. |
| Single Sign-On (SSO) | SSO | Planned | Enterprise SSO via the customer's identity provider; planned for the Infrastructure tier. |
| SAML 2.0 | SAML 2.0 | Roadmap | SAML 2.0 federation with enterprise IdPs (Okta, Entra ID, Ping). |
| OpenID Connect (OIDC) | OIDC | Planned | OIDC federation; the underlying auth provider supports OIDC connectors, to be exposed per tenant. |
| SCIM Provisioning | SCIM 2.0 | Roadmap | Automated user provisioning/de-provisioning and group sync from the IdP. |
| Multi-Factor Authentication | TOTP / WebAuthn | Planned | TOTP-based MFA; the auth provider supports MFA enrolment, with per-tenant policy enforcement planned. |
| Identity Policies | Policy | Planned | Per-tenant password, MFA-required and login policies; basic policy live, configurable enforcement planned. |
| Session Controls | Session | Implemented | JWT sessions with sign-out and server-side verification on every request; configurable idle/absolute timeout planned. |
| IP Allow-listing | IP allow-list | Roadmap | Restrict workspace access to allow-listed IP ranges/CIDRs. |
| Device Trust | Device posture | Roadmap | Managed/trusted-device posture checks at sign-in. |
| Role-Based Access Control | RBAC | Implemented | Five workspace roles with a documented permission matrix; enforced in the UI and by RLS at the data layer. |
| Enterprise Directory | Directory | Implemented | Per-organisation member roster (pilot_organization_members) with roles and invited/active status; IdP directory sync planned. |
| Access Reviews | Access certification | Planned | Periodic review/recertification of member access and roles; process and surface planned. |
| Session & Access Audit | Audit | Implemented | Append-only audit of access-relevant actions; per-session authentication audit being expanded. |
| Invite Flow | Provisioning | Implemented | Owner invites members (invited → active) via the accept-invite flow; role assigned at invite. |
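The Authentication and Session Controls entries above rest on two properties: the JWT is verified server-side on every request, and data access is scoped to the email in the verified session rather than to anything the client asserts. The TypeScript below is an added example, not ReguShield's or Supabase's code, showing that pattern with a minimal HS256 verifier and a request handler that looks the member up by the verified claim. The signing secret, the token claims, the in-memory roster and the rule that an 'invited' member is refused until active are all constructed for the example; a real deployment validates tokens against the auth provider's signing key and reads the roster from pilot_organization_members behind RLS.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed for this example only; a real deployment verifies against the auth provider's signing key.
const SIGNING_SECRET = "example-only-secret-do-not-use";

export interface Claims { sub: string; email: string; exp: number }
export interface Member { email: string; role: string; status: string }

const b64url = (data: string): string => Buffer.from(data, "utf8").toString("base64url");

// Mints an HS256 token. The auth provider normally does this; it is here only to build test input.
export function mintToken(claims: Claims, secret: string = SIGNING_SECRET): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Decodes one base64url JSON segment; null on any parse failure.
function decodeSegment(segment: string): any {
  try {
    return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Server-side verification on every request: algorithm, signature and expiry are checked before
// any claim is read, so the email returned is the verified session email, not a client assertion.
export function verifySession(
  token: string,
  now: number = Math.floor(Date.now() / 1000),
  secret: string = SIGNING_SECRET,
): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const hdr = decodeSegment(header);
  if (!hdr || hdr.alg !== "HS256") return null; // refuses alg=none and any algorithm the server did not choose
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = decodeSegment(payload);
  if (!claims || typeof claims.sub !== "string" || typeof claims.email !== "string" || typeof claims.exp !== "number") return null;
  if (claims.exp <= now) return null; // expired session; sign-out is the user-driven counterpart
  return { sub: claims.sub, email: claims.email, exp: claims.exp };
}

// Constructed in-memory roster standing in for pilot_organization_members (which sits behind RLS).
const ROSTER: Member[] = [
  { email: "owner@example.test", role: "Owner", status: "active" },
  { email: "auditor@example.test", role: "Auditor", status: "active" },
  { email: "newhire@example.test", role: "Viewer", status: "invited" },
];

export type Outcome = { status: 401 | 403 } | { status: 200; member: Member };

// Request handler: the membership lookup is keyed on the verified claim, never on a request parameter,
// and (example assumption) a member who has not yet accepted their invite gets 403 rather than access.
export function membershipForRequest(authorization: string | undefined, now?: number): Outcome {
  if (!authorization || !authorization.startsWith("Bearer ")) return { status: 401 };
  const claims = verifySession(authorization.slice("Bearer ".length), now);
  if (!claims) return { status: 401 };
  const member = ROSTER.find((m) => m.email === claims.email && m.status === "active");
  return member ? { status: 200, member } : { status: 403 };
}
```

The handler never reads an email from the query string or body; if the signature or expiry check fails the request ends at 401 before any roster lookup, and a token that verifies but names nobody active in the workspace ends at 403.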
Federation
SSO Protocol Support
| Protocol | Status | Target IdPs |
|---|---|---|
| SAML 2.0 | Roadmap | Okta, Microsoft Entra ID, Ping, OneLogin |
| OpenID Connect | Planned | Entra ID, Google Workspace, Okta |
| SCIM 2.0 | Roadmap | Okta, Entra ID (user/group sync) |
Authorization
RBAC Matrix
The live role → permission matrix enforced across the workspace (and at the data layer via RLS).
| Permission | Owner | Compliance Officer | Risk Manager | Auditor | Viewer |
|---|---|---|---|---|---|
| Manage Organization | ✓ | — | — | — | — |
| Invite Members | ✓ | — | — | — | — |
| Edit Member Roles | ✓ | — | — | — | — |
| Upload Evidence | ✓ | ✓ | — | — | — |
| Review Evidence | ✓ | ✓ | ✓ | ✓ | — |
| Create Remediation Actions | ✓ | ✓ | ✓ | — | — |
| Close Remediation Actions | ✓ | ✓ | — | — | — |
| Generate Reports | ✓ | ✓ | ✓ | ✓ | — |
| View Audit Trail | ✓ | ✓ | ✓ | ✓ | — |
| Manage Regulatory Submissions | ✓ | ✓ | — | — | — |
Owner: Full access. Manages workspace setup, entities, and pilot activation.
Compliance Officer: Manages remediation actions, evidence, and regulatory submissions.
Risk Manager: Reviews risk scores, alerts, and audit readiness. Cannot change workspace settings.
Auditor: Read-only access to evidence, audit packages, and reports for independent review.
Viewer: Read-only access to dashboards and reports. Cannot take any action.
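The matrix above is data, and the most useful thing to do with it is to keep it in one place that both the UI and the server consult, and to assert the properties the role descriptions promise whenever it changes. The TypeScript below is an added example, not ReguShield's code: it transcribes the page's matrix, exposes a `can()` check and a deny-by-default `authorize()` guard, and encodes three invariants drawn from the role descriptions (Owner holds everything, Viewer takes no action, Auditor is read-only). The function names and the rule that an 'invited' member has no permissions until active are this example's assumptions; the data-layer RLS policies that mirror this matrix are not shown.

```typescript
export type Role = "Owner" | "Compliance Officer" | "Risk Manager" | "Auditor" | "Viewer";
export type Permission =
  | "Manage Organization" | "Invite Members" | "Edit Member Roles" | "Upload Evidence"
  | "Review Evidence" | "Create Remediation Actions" | "Close Remediation Actions"
  | "Generate Reports" | "View Audit Trail" | "Manage Regulatory Submissions";

export const ROLES: readonly Role[] = ["Owner", "Compliance Officer", "Risk Manager", "Auditor", "Viewer"];

// One row per permission, transcribed from the matrix above: each set holds the roles with a tick.
export const MATRIX: Readonly<Record<Permission, ReadonlySet<Role>>> = {
  "Manage Organization": new Set<Role>(["Owner"]),
  "Invite Members": new Set<Role>(["Owner"]),
  "Edit Member Roles": new Set<Role>(["Owner"]),
  "Upload Evidence": new Set<Role>(["Owner", "Compliance Officer"]),
  "Review Evidence": new Set<Role>(["Owner", "Compliance Officer", "Risk Manager", "Auditor"]),
  "Create Remediation Actions": new Set<Role>(["Owner", "Compliance Officer", "Risk Manager"]),
  "Close Remediation Actions": new Set<Role>(["Owner", "Compliance Officer"]),
  "Generate Reports": new Set<Role>(["Owner", "Compliance Officer", "Risk Manager", "Auditor"]),
  "View Audit Trail": new Set<Role>(["Owner", "Compliance Officer", "Risk Manager", "Auditor"]),
  "Manage Regulatory Submissions": new Set<Role>(["Owner", "Compliance Officer"]),
};

// The single lookup both the UI and the API should use.
export function can(role: Role, permission: Permission): boolean {
  return MATRIX[permission].has(role);
}

// Everything a role may do, in matrix row order; handy for rendering a role's capabilities.
export function permissionsFor(role: Role): Permission[] {
  return (Object.keys(MATRIX) as Permission[]).filter((p) => can(role, p));
}

// Deny-by-default server-side guard. Role and permission arrive as untyped strings from the
// session and the route, so anything unknown is refused rather than falling through. Treating
// an 'invited' member as holding no permissions is this example's assumption about the invite flow.
export function authorize(
  member: { role: string; status: string },
  permission: string,
): { allowed: boolean; reason: string } {
  if (member.status !== "active") return { allowed: false, reason: `member is ${member.status}, not active` };
  if (!(permission in MATRIX)) return { allowed: false, reason: `unknown permission ${permission}` };
  if (!ROLES.includes(member.role as Role)) return { allowed: false, reason: `unknown role ${member.role}` };
  return can(member.role as Role, permission as Permission)
    ? { allowed: true, reason: "granted by matrix" }
    : { allowed: false, reason: `${member.role} lacks ${permission}` };
}

// Invariants implied by the role descriptions; run in CI whenever the matrix is edited.
export function matrixInvariants(): string[] {
  const problems: string[] = [];
  const readOnly: Permission[] = ["Review Evidence", "Generate Reports", "View Audit Trail"];
  for (const p of Object.keys(MATRIX) as Permission[]) {
    if (!can("Owner", p)) problems.push(`Owner has full access, yet lacks ${p}`);
    if (can("Viewer", p)) problems.push(`Viewer cannot take any action, yet has ${p}`);
    if (!readOnly.includes(p) && can("Auditor", p)) problems.push(`Auditor is read-only, yet has ${p}`);
  }
  return problems;
}
```

Because `authorize()` refuses unknown roles and permissions, a typo in a route's permission string fails closed instead of silently granting access, and `matrixInvariants()` turns the prose role descriptions into a check that a future matrix edit cannot quietly violate.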
Controls
Identity Policies & Session Controls
Identity Policies
Session Controls
Lifecycle
Directory, Invite Flow & Access Reviews
Invite Flow
Implemented
1. Owner invites a member by email and assigns a role.
2. Member record is created with status 'invited'.
3. Member accepts via the accept-invite flow and is set to 'active'.
4. Access is governed by the assigned role (RBAC) and RLS.
Access Reviews
Planned
Cadence: Periodic (recommended quarterly) + on role change
- Member roster vs intended access
- Role appropriateness (least privilege)
- Removal of departed members
- Owner/admin role concentration
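The invite flow and the access review above operate on the same roster, so one added example covers both. The TypeScript below is not ReguShield's code: an in-memory `Roster` stands in for pilot_organization_members and enforces the four invite steps (only an active Owner may invite, the record starts as 'invited', the accept-invite flow is the only path to 'active', the role is fixed at invite time), and `accessReview()` runs the four checklist items against an intended-access list such as an HR export, adding a stale-invite check. The intended list, the timestamps, the 14-day and 50% thresholds and the finding names are all constructed for the example.

```typescript
export type Role = "Owner" | "Compliance Officer" | "Risk Manager" | "Auditor" | "Viewer";
export type Status = "invited" | "active";

export interface Member {
  email: string;
  role: Role;           // fixed at invite time (step 1)
  status: Status;       // 'invited' on creation (step 2), 'active' after acceptance (step 3)
  invitedBy: string;
  invitedAt: number;    // seconds since epoch; the test uses constructed values
  activatedAt?: number;
}

// In-memory stand-in for the pilot_organization_members roster; the real table sits behind RLS.
export class Roster {
  private readonly members = new Map<string, Member>();

  constructor(ownerEmail: string, now: number) {
    this.members.set(ownerEmail, {
      email: ownerEmail, role: "Owner", status: "active", invitedBy: ownerEmail, invitedAt: now, activatedAt: now,
    });
  }

  // Steps 1 and 2: only an active Owner may invite (the RBAC matrix's "Invite Members" row),
  // and the new record starts as 'invited' with its role already assigned.
  invite(actor: string, email: string, role: Role, now: number): Member {
    const a = this.members.get(actor);
    if (!a || a.status !== "active" || a.role !== "Owner") throw new Error("only an active Owner can invite members");
    if (this.members.has(email)) throw new Error(`${email} is already on the roster`);
    const member: Member = { email, role, status: "invited", invitedBy: actor, invitedAt: now };
    this.members.set(email, member);
    return member;
  }

  // Step 3: the accept-invite flow is the only transition to 'active'; a second accept is refused.
  accept(email: string, now: number): Member {
    const member = this.members.get(email);
    if (!member) throw new Error(`no invite for ${email}`);
    if (member.status !== "invited") throw new Error(`${email} is already active`);
    member.status = "active";
    member.activatedAt = now;
    return member;
  }

  list(): Member[] {
    return [...this.members.values()];
  }
}

export interface Finding { check: string; email?: string; detail: string }

// Access review of the roster against the intended-access list: the four checklist items above
// plus a stale-invite check. The thresholds are this example's own, not the product's.
export function accessReview(
  roster: Roster,
  intended: Record<string, Role>,
  now: number,
  opts = { staleInviteDays: 14, maxOwnerShare: 0.5 },
): Finding[] {
  const findings: Finding[] = [];
  const members = roster.list();
  for (const m of members) {
    const want: Role | undefined = intended[m.email];
    if (want === undefined) {
      // Roster vs intended access, and removal of departed members.
      findings.push({ check: "departed-member", email: m.email, detail: `${m.status} ${m.role} is not on the intended access list; remove` });
    } else if (want !== m.role) {
      // Role appropriateness (least privilege).
      findings.push({ check: "role-appropriateness", email: m.email, detail: `holds ${m.role}, intended ${want}` });
    }
    if (m.status === "invited" && now - m.invitedAt > opts.staleInviteDays * 86_400) {
      findings.push({ check: "stale-invite", email: m.email, detail: `invited ${Math.floor((now - m.invitedAt) / 86_400)} days ago, never accepted` });
    }
  }
  for (const email of Object.keys(intended)) {
    if (!members.some((m) => m.email === email)) findings.push({ check: "missing-member", email, detail: "intended access not provisioned" });
  }
  // Owner/admin role concentration, measured over active members only.
  const active = members.filter((m) => m.status === "active");
  const owners = active.filter((m) => m.role === "Owner").length;
  if (active.length > 0 && owners / active.length > opts.maxOwnerShare) {
    findings.push({ check: "owner-concentration", detail: `${owners} of ${active.length} active members hold Owner` });
  }
  return findings;
}
```

Running the review on a role change as well as on the quarterly cadence is just a matter of calling `accessReview()` from the same place that edits a member's role; the findings list is what a reviewer signs off on, and an empty list is the recertification result.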
Identity posture labels: Implemented (live) · Planned (in progress) · Roadmap (intended, not yet in place). Authentication and tenant isolation (Supabase Auth + RLS) are the security boundary. Decision-support — not legal advice.