1. Access principles
Least privilege: users and services receive only the permissions required for their role. Access is scoped to the minimum necessary to perform the function.
Unique identity: human users must use unique accounts. Shared accounts are prohibited for production administration.
Tenant isolation: access is scoped to the customer tenant and environment authorised for the user. Cross-tenant access is blocked at the application layer and covered by automated tests.
Need-to-know support access: Cloudryption personnel access customer data only when needed for support, security, operations, or legal obligations, and such access is logged.
Auditability: privileged actions, access changes, exports, and sensitive operations are logged in the audit trail.
2. Role model
Platform Owner / Admin: manages platform-level configuration, feature flags, providers, and security settings. Restricted to trusted Cloudryption internal personnel.
Tenant Admin: manages customer tenant users, environments, connectors, scan settings, integrations, retention, and tenant-level security configuration.
Security Admin: manages scans, findings workflow, remediation planning, exports, and security configuration. Does not have platform-level administration.
Security Analyst: views findings, attack paths, evidence, recommendations, trends, and reports. May trigger scans or recalculations if authorised by Tenant Admin.
Viewer / Executive: read-only access to dashboards, reports, trends, and executive summaries. No write access.
Auditor: read-only access to audit logs, reports, control mapping, and evidence exports as authorised.
API / Service Account: non-human account for automation. Scoped API permissions with key rotation requirements and no interactive login.
3. RBAC capability matrix
| Capability | Platform Admin | Tenant Admin | Security Admin | Analyst | Viewer | Auditor | API / Service |
|---|---|---|---|---|---|---|---|
| Manage platform feature flags | Yes | No | No | No | No | No | No |
| Manage tenant users / roles | Support-only | Yes | Optional | No | No | Read | No |
| Configure cloud connectors | Support-only | Yes | Yes | No | No | Read | Scoped |
| Start scans / recalculate engines | Support-only | Yes | Yes | Optional | No | Read | Scoped |
| View findings / attack paths | Support-only | Yes | Yes | Yes | Yes | Yes | Scoped |
| Manage remediation workflow | No | Yes | Yes | Partial | No | No | Scoped |
| Export reports / evidence | Support-only | Yes | Yes | Yes | Read-only | Yes | Scoped |
| View audit logs | Yes | Yes | Read | No | No | Yes | Scoped |
| Manage API keys / service accounts | Yes | Yes | No | No | No | No | Scoped |
| Configure AI features | Yes | Yes | No | No | No | No | No |
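The matrix above as an enforcement check, added here as an example rather than Cloudryption's own code: it encodes four rows of the table, blocks cross-tenant access, treats "Support-only" as need-to-know access that requires a recorded justification, and writes every denial and every support access to an audit trail. The role keys, the `authorize` signature and the audit record shape are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Four rows of the capability matrix; a role missing from a row means "No" (assumed encoding).
MATRIX = {
    "manage_feature_flags": {"platform_admin": "Yes"},
    "configure_connectors": {"platform_admin": "Support-only", "tenant_admin": "Yes",
                             "security_admin": "Yes", "auditor": "Read", "api": "Scoped"},
    "view_findings": {"platform_admin": "Support-only", "tenant_admin": "Yes", "security_admin": "Yes",
                      "analyst": "Yes", "viewer": "Yes", "auditor": "Yes", "api": "Scoped"},
    "view_audit_logs": {"platform_admin": "Yes", "tenant_admin": "Yes", "security_admin": "Read",
                        "auditor": "Yes", "api": "Scoped"},
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    tenant_id: Optional[str]            # None for Cloudryption internal staff (assumption)
    api_scopes: frozenset = frozenset() # scoped API permissions for service accounts

AUDIT_TRAIL = []  # constructed stand-in for the audit trail

def _audit(p, capability, tenant, decision, justification):
    AUDIT_TRAIL.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": p.user_id,
                        "role": p.role, "capability": capability, "tenant": tenant,
                        "decision": decision, "justification": justification})

def authorize(p: Principal, capability: str, tenant: Optional[str], write: bool = False,
              justification: Optional[str] = None) -> bool:
    """Decide one request. Denials and all support access are always written to the audit trail."""
    entry = MATRIX.get(capability, {}).get(p.role, "No")
    allowed = False
    if entry == "Yes":
        # Tenant isolation: the principal's tenant must match the target (platform scope is None).
        allowed = p.tenant_id == tenant
    elif entry == "Read":
        allowed = p.tenant_id == tenant and not write
    elif entry == "Scoped":
        allowed = p.tenant_id == tenant and capability in p.api_scopes
    elif entry == "Support-only":
        # Internal staff reach a customer tenant only with a justification, and it is logged.
        allowed = p.tenant_id is None and bool(justification)
    if not allowed or entry == "Support-only":
        _audit(p, capability, tenant, "allow" if allowed else "deny", justification)
    return allowed
```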
4. Authentication requirements
- MFA required for all privileged users (Tenant Admin, Security Admin, Platform Admin) and strongly recommended for all users
- Enterprise SSO (SAML / OIDC) supported for enterprise plans. SCIM provisioning available or on roadmap for enterprise customers
- Sessions are securely generated, stored in hardened cookies where browser-based, and revoked on logout or access termination
- Idle session timeout is enforced
- Password policies enforce minimum length and complexity; reset flows are protected against account takeover
- API keys are long-lived but should be scoped to minimum permissions and rotated periodically
5. Provisioning and review
- Access requests for elevated roles should be approved by an authorised Tenant Admin before the access is granted
- Privileged access (Tenant Admin, Security Admin) is reviewed at least quarterly
- Customer tenant access is reviewable by Tenant Administrators through the platform UI and audit logs
- Access is removed promptly upon role change, termination, contract termination, customer request, or suspected compromise
- Cloudryption internal access to customer data is governed by the same least-privilege and review requirements
6. Support and break-glass access
Cloudryption personnel access to production customer data is:
- Limited to cases with a legitimate operational, security, or support justification
- Logged in the audit trail with actor identity, timestamp, and justification
- Time-bound where technically feasible
- Reviewed periodically to ensure no inappropriate standing access exists
Break-glass access (emergency access for incidents or urgent operations) requires post-use review and triggers heightened logging. Enterprise customers may request customer-visible support access logs.
7. Contact
For questions about access control, role management, or to report a suspected access violation: security@cloudryption.com