Identity and Access
Keeptrusts combines organization membership, teams, roles, IAM policies, authentication controls, and machine credentials. Use the narrowest mechanism that fits the job.
Access model
member or team
↓ assignment
role
↓ attachment
IAM policy
↓ evaluation
action + resource + conditions
An explicit matching deny wins, a matching allow grants access, and the default is deny.
Authentication establishes who the principal is. Authorization determines what that principal can do. SSO, MFA, and passkeys strengthen authentication; they do not grant product permissions.
Choose the right control
| Need | Control |
|---|---|
| Add a person to the organization | Invitation and member lifecycle |
| Group people by function or ownership | Team |
| Package a job function | Role |
| Define allowed or denied actions and resources | IAM policy |
| Centralize workforce login | SAML or OIDC SSO |
| Provision and suspend directory users | SCIM |
| Require stronger interactive authentication | MFA/passkey and organization MFA policy |
| Inventory a planned delegated integration | OAuth client registry; the current OAuth endpoints do not provide a supported end-to-end public bearer flow |
| Let automation call the API | Scoped token with the smallest applicable role |
Do not use a shared human account or a broad owner role as an automation shortcut.
Recommended rollout
- Inventory existing owners, members, teams, roles, policies, tokens, and OAuth clients.
- Create least-privilege policies and roles for common job functions.
- Assign roles to teams; keep direct user grants exceptional.
- Test with a non-owner account.
- Configure MFA requirements.
- Configure and test SSO without enforcement only after the browser callback boundary in the SSO guide is resolved.
- Add directory mappings and SCIM where required.
- Test login, recovery, deprovisioning, and break-glass ownership.
- Enforce SSO only after the live callback path, complete login, and recovery ownership are verified.
- Review Trail after every administrative change.
Separate human and machine access
| Principal | Recommended credential |
|---|---|
| Console user | Session established by password, SSO, MFA, or passkey flow |
| Human CLI administrator | kt auth login profile |
| Control-plane automation | Scoped API token |
| Connected gateway | Gateway machine/runtime credential |
| Application sending model traffic | Request-execution token appropriate to the gateway |
| Third-party delegated application | No supported production credential currently; do not adopt the OAuth registry and PKCE endpoints as a public bearer flow |
Do not reuse a gateway machine credential as an application bearer token.
Review cadence
At least periodically and after role changes:
- confirm every owner still requires owner access;
- review inactive and pending members;
- review team membership and direct user grants;
- inspect role effective actions and assignments;
- remove unused OAuth clients, redirects, tokens, and SCIM credentials;
- confirm SSO certificates, discovery metadata, and mappings;
- verify MFA recovery ownership; and
- preserve Trail evidence for the review.