Skip to main content

Identity and Access

Keeptrusts combines organization membership, teams, roles, IAM policies, authentication controls, and machine credentials. Use the narrowest mechanism that fits the job.

Access model

member or team
↓ assignment
role
↓ attachment
IAM policy
↓ evaluation
action + resource + conditions

An explicit matching deny wins, a matching allow grants access, and the default is deny.

Authentication establishes who the principal is. Authorization determines what that principal can do. SSO, MFA, and passkeys strengthen authentication; they do not grant product permissions.

Choose the right control

NeedControl
Add a person to the organizationInvitation and member lifecycle
Group people by function or ownershipTeam
Package a job functionRole
Define allowed or denied actions and resourcesIAM policy
Centralize workforce loginSAML or OIDC SSO
Provision and suspend directory usersSCIM
Require stronger interactive authenticationMFA/passkey and organization MFA policy
Inventory a planned delegated integrationOAuth client registry; the current OAuth endpoints do not provide a supported end-to-end public bearer flow
Let automation call the APIScoped token with the smallest applicable role

Do not use a shared human account or a broad owner role as an automation shortcut.

  1. Inventory existing owners, members, teams, roles, policies, tokens, and OAuth clients.
  2. Create least-privilege policies and roles for common job functions.
  3. Assign roles to teams; keep direct user grants exceptional.
  4. Test with a non-owner account.
  5. Configure MFA requirements.
  6. Configure and test SSO without enforcement only after the browser callback boundary in the SSO guide is resolved.
  7. Add directory mappings and SCIM where required.
  8. Test login, recovery, deprovisioning, and break-glass ownership.
  9. Enforce SSO only after the live callback path, complete login, and recovery ownership are verified.
  10. Review Trail after every administrative change.

Separate human and machine access

PrincipalRecommended credential
Console userSession established by password, SSO, MFA, or passkey flow
Human CLI administratorkt auth login profile
Control-plane automationScoped API token
Connected gatewayGateway machine/runtime credential
Application sending model trafficRequest-execution token appropriate to the gateway
Third-party delegated applicationNo supported production credential currently; do not adopt the OAuth registry and PKCE endpoints as a public bearer flow

Do not reuse a gateway machine credential as an application bearer token.

Review cadence

At least periodically and after role changes:

  • confirm every owner still requires owner access;
  • review inactive and pending members;
  • review team membership and direct user grants;
  • inspect role effective actions and assignments;
  • remove unused OAuth clients, redirects, tokens, and SCIM credentials;
  • confirm SSO certificates, discovery metadata, and mappings;
  • verify MFA recovery ownership; and
  • preserve Trail evidence for the review.

Next steps