PolicyCortex Cloud Governance User Management: RBAC, SSO & Compliance

Comprehensive user management system with role-based access control (RBAC), single sign-on (SSO) integration, and granular permissions for enterprise-scale governance operations. Manage teams, assign roles, and control access to sensitive compliance data.

PolicyCortex User Management Quick Start & Setup

Access Control Overview

Role-Based Access

Granular RBAC system with predefined roles and custom permission sets for different organizational needs.

• Predefined enterprise roles
• Custom permission matrices
• Hierarchical role inheritance

Enterprise SSO

Seamless integration with enterprise identity providers including SAML, OAuth, and LDAP systems.

• SAML 2.0 & OAuth 2.0
• Active Directory sync
• Multi-factor authentication

Team Collaboration

Organize users into teams with shared resources, collaborative workflows, and team-specific dashboards.

• Team-based resource sharing
• Collaborative policy development
• Shared compliance reporting

Enterprise Security Features

Security Controls

• Multi-Factor Authentication - TOTP, SMS, hardware keys
• Session Management - Automatic timeout, concurrent sessions
• IP Restrictions - Allowlist-based access control
• Audit Logging - Complete user activity tracking

Compliance Features

• Data Residency - Geographic data location controls
• Privacy Controls - GDPR and CCPA compliance
• Access Reviews - Periodic permission auditing
• Segregation of Duties - Critical operation approval workflows

Roles and Permissions

Predefined Roles

PolicyCortex provides enterprise-ready role templates that can be customized to match your organization's structure and compliance requirements.

System Administrator
Full system access

Complete access to all platform features, user management, and system configuration.

Core Permissions
• Full user and team management
• System configuration access
• Global policy management
• Security settings control

Advanced Features
• Audit log access
• Integration management
• Billing and subscription control
• Emergency access procedures

Compliance Manager
Compliance oversight

Focused on compliance monitoring, reporting, and policy governance across all environments.

Compliance Operations
• Policy creation and modification
• Compliance report generation
• Violation management
• Framework configuration

Monitoring & Reporting
• Real-time compliance monitoring
• Executive dashboard access
• Scheduled report management
• Audit trail review

Security Analyst
Security monitoring

Security-focused role with emphasis on threat detection, vulnerability management, and incident response.

Security Operations
• Security scan execution
• Vulnerability assessment
• Incident investigation
• Risk assessment reporting

Response Capabilities
• Emergency scan triggers
• Remediation plan creation
• Security alert management
• Threat intelligence integration

DevOps Engineer
Infrastructure focus

Infrastructure and deployment-focused role with CI/CD integration and automation capabilities.

Infrastructure Management
• Environment configuration
• Cloud integration setup
• Automated scan scheduling
• API key management

Automation & Integration
• CI/CD pipeline integration
• Infrastructure as Code scans
• Automated remediation
• Monitoring configuration

Read-Only Auditor
View-only access

Limited access role for external auditors, stakeholders, and compliance reviewers.

Viewing Permissions
• Policy and scan result review
• Compliance report access
• Dashboard viewing
• Historical data analysis

Restrictions
• No modification capabilities
• Limited to assigned scopes
• Time-limited access options
• Watermarked report downloads

Custom Permissions Matrix

Create granular permission sets for specific organizational requirements. Mix and match capabilities to create roles that fit your exact needs.

Permission Configuration Example (JSON)
{
  "custom_role": {
    "name": "Senior Compliance Officer",
    "description": "Enhanced compliance role with limited admin capabilities",
    "permissions": {
      "policies": {
        "create": true,
        "read": true,
        "update": true,
        "delete": false,
        "deploy": true,
        "scope": ["production", "staging"]
      },
      "scans": {
        "create": true,
        "read": true,
        "cancel": true,
        "schedule": true,
        "scope": ["all_environments"]
      },
      "reports": {
        "create": true,
        "read": true,
        "download": true,
        "schedule": true,
        "share": true,
        "sensitive_data_access": true
      },
      "users": {
        "invite": true,
        "read": true,
        "modify_roles": false,
        "scope": ["compliance_team"]
      },
      "audit": {
        "read": true,
        "export": true,
        "retention_period": "7_years"
      },
      "integrations": {
        "read": true,
        "configure": false
      },
      "environments": {
        "production": "full_access",
        "staging": "full_access",
        "development": "read_only"
      },
      "data_access": {
        "pii_access": true,
        "financial_data": true,
        "security_credentials": false
      }
    },
    "restrictions": {
      "ip_allowlist": ["10.0.0.0/8", "192.168.1.0/24"],
      "time_restrictions": {
        "business_hours_only": false,
        "timezone": "America/New_York"
      },
      "mfa_required": true,
      "session_timeout": "4h",
      "concurrent_sessions": 2
    }
  }
}
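The matrix above only becomes a control once something enforces it, and the order of evaluation matters: the restrictions block applies to every request, a missing or false grant must deny, and the per-resource scope list must be honoured. The following Python is an added example of such a deny-by-default evaluator written for this page; it is not PolicyCortex's own engine. It embeds an excerpt of the "Senior Compliance Officer" role from the example above and assumes that "all_environments" in a scope list means no scope restriction, that session_timeout is a duration such as "4h", and that concurrent_sessions is a hard cap on other live sessions.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Excerpt of the "Senior Compliance Officer" role shown on this page; only the
# resources needed for the demonstration are kept.
ROLE = {
    "name": "Senior Compliance Officer",
    "permissions": {
        "policies": {"create": True, "read": True, "update": True, "delete": False,
                     "deploy": True, "scope": ["production", "staging"]},
        "scans": {"create": True, "read": True, "cancel": True, "schedule": True,
                  "scope": ["all_environments"]},
        "users": {"invite": True, "read": True, "modify_roles": False,
                  "scope": ["compliance_team"]},
        "integrations": {"read": True, "configure": False},
    },
    "restrictions": {
        "ip_allowlist": ["10.0.0.0/8", "192.168.1.0/24"],
        "mfa_required": True,
        "session_timeout": "4h",
        "concurrent_sessions": 2,
    },
}

_DURATION = re.compile(r"^(\d+)([smhd])$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Turn a duration string such as '4h' or '30d' into seconds (assumed format)."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _SECONDS[m.group(2)]


def ip_allowed(ip: str, allowlist) -> bool:
    """True if ip falls inside at least one CIDR block of the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def authorize(role: dict, resource: str, action: str, scope: Optional[str] = None, *,
              source_ip: str, mfa_verified: bool, session_age_s: int = 0,
              other_sessions: int = 0) -> Tuple[bool, str]:
    """Deny-by-default decision for one request against a custom role.

    Restrictions are evaluated first because they apply to every resource; then
    the resource's boolean grant for the action; then the scope list, if any.
    """
    r = role.get("restrictions", {})
    if "ip_allowlist" in r and not ip_allowed(source_ip, r["ip_allowlist"]):
        return False, f"source ip {source_ip} not in allowlist"
    if r.get("mfa_required") and not mfa_verified:
        return False, "mfa required but not verified"
    if "session_timeout" in r and session_age_s > parse_duration(r["session_timeout"]):
        return False, "session exceeded timeout"
    if "concurrent_sessions" in r and other_sessions >= r["concurrent_sessions"]:
        return False, "concurrent session limit reached"

    perm = role.get("permissions", {}).get(resource)
    if perm is None:
        return False, f"no permissions defined for {resource!r}"
    # "scope" is metadata, not an action: guard so a non-empty list is never read as a grant.
    if action == "scope" or perm.get(action) is not True:
        return False, f"{resource}.{action} not granted"
    allowed_scope = perm.get("scope")
    if allowed_scope and "all_environments" not in allowed_scope and scope not in allowed_scope:
        return False, f"scope {scope!r} outside {allowed_scope}"
    return True, "allowed"


if __name__ == "__main__":
    print(authorize(ROLE, "policies", "deploy", "production", source_ip="10.1.2.3", mfa_verified=True))
    print(authorize(ROLE, "policies", "deploy", "development", source_ip="10.1.2.3", mfa_verified=True))
```

The explicit `is not True` check is the detail worth keeping: a permission block mixes booleans with lists and strings, and a truthiness test would turn the `scope` list or a string such as `"read_only"` into a grant.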

User Management Interface

User Provisioning Workflow

Streamlined user onboarding process with automated role assignment, resource provisioning, and compliance training integration.

1. User Invitation
• Email-based invitation system
• Bulk invitation capabilities
• Custom onboarding messages
• Invitation expiration controls
2. Identity Verification
• SSO integration (SAML/OAuth)
• Multi-factor authentication setup
• Identity provider synchronization
• Manual verification process
3. Role Assignment
• Automatic role mapping from IdP
• Manual role selection
• Temporary elevated privileges
• Role inheritance from teams
4. Resource Provisioning
• Automatic environment access
• API key generation
• Dashboard customization
• Notification preferences
5. Compliance Training
• Platform training modules
• Security awareness training
• Role-specific certifications
• Ongoing compliance updates
6. Access Verification
• Initial access testing
• Permission validation
• Welcome dashboard tour
• Manager approval workflow

User Profile Management

User Profile Configuration (JSON)
{
  "user_profile": {
    "basic_info": {
      "email": "john.doe@company.com",
      "first_name": "John",
      "last_name": "Doe",
      "title": "Senior Compliance Officer",
      "department": "Risk & Compliance",
      "manager": "jane.smith@company.com",
      "cost_center": "CC-001",
      "employee_id": "EMP-12345"
    },
    "authentication": {
      "sso_provider": "okta",
      "sso_id": "john.doe@company.com",
      "mfa_enabled": true,
      "mfa_methods": ["totp", "sms"],
      "backup_codes_generated": true,
      "last_password_change": "2024-01-15T00:00:00Z"
    },
    "preferences": {
      "timezone": "America/New_York",
      "date_format": "MM/DD/YYYY",
      "notification_channels": ["email", "slack"],
      "dashboard_layout": "executive",
      "default_environment": "production"
    },
    "access_patterns": {
      "last_login": "2024-01-21T09:15:00Z",
      "login_frequency": "daily",
      "preferred_features": ["reports", "compliance_dashboard"],
      "session_duration_avg": "3h15m"
    }
  }
}

Team Structure

Team Organization (JSON)
{
  "teams": [
    {
      "name": "Compliance Team",
      "description": "Corporate compliance oversight",
      "team_lead": "sarah.johnson@company.com",
      "members": [
        "john.doe@company.com",
        "alice.wilson@company.com"
      ],
      "shared_resources": {
        "environments": ["production", "staging"],
        "policies": ["financial_compliance", "data_protection"],
        "reports": ["monthly_soc2", "quarterly_audit"]
      },
      "team_permissions": {
        "policy_approval": true,
        "report_scheduling": true,
        "user_invitation": true
      }
    },
    {
      "name": "Security Operations",
      "description": "Security monitoring and response",
      "team_lead": "mike.chen@company.com",
      "members": [
        "lisa.brown@company.com",
        "david.garcia@company.com"
      ],
      "shared_resources": {
        "environments": ["all"],
        "policies": ["security_baseline", "incident_response"],
        "alerts": ["high_priority", "critical"]
      }
    }
  ]
}

Single Sign-On Integration

Enterprise Identity Provider Support

PolicyCortex integrates seamlessly with enterprise identity providers, supporting modern authentication protocols and automated user provisioning.

Microsoft Entra ID

Azure Active Directory integration with automatic user sync

Okta

Full Okta integration with group mapping and MFA

Auth0

Auth0 SAML and OAuth integration

Google Workspace

Google SSO with domain verification

SAML Configuration Example (XML)
<!-- SAML 2.0 Configuration for PolicyCortex -->
<EntityDescriptor entityID="https://app.policycortex.com/saml/metadata"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="true" 
                   WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    
    <!-- Assertion Consumer Service -->
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://app.policycortex.com/saml/acs"
                              index="1"/>
    
    <!-- Single Logout Service -->
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://app.policycortex.com/saml/sls"/>
    
    <!-- Required Attributes -->
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">PolicyCortex</ServiceName>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                          isRequired="true"/>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>
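The two attributes that carry the security of this metadata are AuthnRequestsSigned and WantAssertionsSigned, together with https on every service Location and the email claim being marked required, since the email is what the role mapping keys on. As an added example (not part of PolicyCortex), the Python below parses the SP metadata above, embedded inline without its comments, and reports any of those settings that have drifted; the second call in the test weakens a copy of the metadata to show the findings it produces.

```python
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# SP metadata from this page (comments removed), embedded so the check runs offline.
SP_METADATA = """<EntityDescriptor entityID="https://app.policycortex.com/saml/metadata"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="true"
                   WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://app.policycortex.com/saml/acs"
                              index="1"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://app.policycortex.com/saml/sls"/>
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">PolicyCortex</ServiceName>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                          isRequired="true"/>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the metadata passes."""
    findings: List[str] = []
    # The input here is metadata you authored yourself; parse untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element"]

    # Both signing flags must be literally "true"; a missing attribute defaults to false.
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag, "false").lower() != "true":
            findings.append(f"{flag} is not true")

    # Every endpoint the IdP will post to or redirect to must be https.
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for svc in sp.findall(f"{{{MD}}}{tag}"):
            loc = svc.get("Location", "")
            if not loc.startswith("https://"):
                findings.append(f"{tag} Location is not https: {loc}")
    if not sp.findall(f"{{{MD}}}AssertionConsumerService"):
        findings.append("no AssertionConsumerService")

    # The email claim drives role mapping, so it must be requested as required.
    requested = {a.get("Name"): a.get("isRequired", "false").lower() == "true"
                 for a in sp.iter(f"{{{MD}}}RequestedAttribute")}
    if not requested.get(EMAIL_CLAIM, False):
        findings.append("email claim is not marked isRequired")
    return findings


def weakened_copy(xml_text: str) -> str:
    """Produce a deliberately misconfigured variant, used to exercise the checker."""
    return (xml_text
            .replace('WantAssertionsSigned="true"', 'WantAssertionsSigned="false"')
            .replace("https://app.policycortex.com/saml/acs", "http://app.policycortex.com/saml/acs"))


if __name__ == "__main__":
    print("page metadata:", check_sp_metadata(SP_METADATA) or "ok")
    print("weakened copy:", check_sp_metadata(weakened_copy(SP_METADATA)))
```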

Automated Provisioning

SCIM User Provisioning (JSON)
{
  "scim_config": {
    "enabled": true,
    "endpoint": "https://app.policycortex.com/scim/v2",
    "authentication": {
      "type": "bearer_token",
      "token": "scim_token_xyz789"
    },
    "user_attributes": {
      "email": "required",
      "firstName": "optional",
      "lastName": "optional",
      "department": "optional",
      "title": "optional",
      "manager": "optional"
    },
    "group_mapping": {
      "PolicyCortex-Admins": "system_administrator",
      "PolicyCortex-Compliance": "compliance_manager",
      "PolicyCortex-Security": "security_analyst",
      "PolicyCortex-DevOps": "devops_engineer",
      "PolicyCortex-Auditors": "read_only_auditor"
    },
    "provisioning_rules": {
      "create_users": true,
      "update_users": true,
      "deactivate_users": true,
      "sync_groups": true,
      "sync_frequency": "15_minutes"
    }
  }
}
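Step 3 of the provisioning workflow above ("Automatic role mapping from IdP") and the group_mapping and provisioning_rules in this SCIM configuration describe the same reconciliation: on each sync, translate a user's IdP groups into exactly one role, create or update the user, and deactivate anyone who is inactive or absent in the IdP. The Python below is an added example of that reconciliation, not PolicyCortex's SCIM implementation. It uses the group_mapping from the page; the privilege ordering, the rule that a user in several mapped groups gets the least privileged role, and the sample IdP snapshot and current-user table are all constructed for the example.

```python
from typing import Dict, List, Optional

# Group-to-role mapping copied from this page's SCIM configuration.
GROUP_TO_ROLE = {
    "PolicyCortex-Admins": "system_administrator",
    "PolicyCortex-Compliance": "compliance_manager",
    "PolicyCortex-Security": "security_analyst",
    "PolicyCortex-DevOps": "devops_engineer",
    "PolicyCortex-Auditors": "read_only_auditor",
}
# Assumed privilege ordering (lowest first); only used to break ties.
ROLE_RANK = {"read_only_auditor": 0, "devops_engineer": 1, "security_analyst": 2,
             "compliance_manager": 3, "system_administrator": 4}

# Constructed IdP snapshot (SCIM userName + groups) and current PolicyCortex user table.
IDP_SNAPSHOT = [
    {"userName": "john.doe@company.com", "active": True, "groups": ["PolicyCortex-Compliance"]},
    {"userName": "lisa.brown@company.com", "active": True,
     "groups": ["PolicyCortex-Security", "PolicyCortex-Admins"]},      # two mapped groups
    {"userName": "new.user@company.com", "active": True, "groups": ["PolicyCortex-Auditors"]},
    {"userName": "ex.employee@company.com", "active": False, "groups": ["PolicyCortex-DevOps"]},
    {"userName": "contractor@company.com", "active": True, "groups": ["Finance-Staff"]},  # unmapped
]
CURRENT_USERS = {
    "john.doe@company.com": {"role": "compliance_manager", "active": True},
    "lisa.brown@company.com": {"role": "system_administrator", "active": True},
    "ex.employee@company.com": {"role": "devops_engineer", "active": True},
    "orphan@company.com": {"role": "security_analyst", "active": True},   # no longer in IdP
}


def resolve_role(groups: List[str]) -> Optional[str]:
    """Map IdP groups to one role.

    No mapped group means no access at all (None). When several groups map to
    different roles the least privileged wins, so an over-broad group membership
    in the IdP can never silently promote someone here.
    """
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    if not roles:
        return None
    return min(roles, key=ROLE_RANK.__getitem__)


def reconcile(idp_users: List[dict], current: Dict[str, dict]) -> List[dict]:
    """Compute the create / update / deactivate actions one sync run should apply."""
    actions: List[dict] = []
    seen = set()
    for u in idp_users:
        email = u["userName"].lower()
        seen.add(email)
        active_in_idp = u.get("active", True)
        role = resolve_role(u.get("groups", []))
        existing = current.get(email)
        if not active_in_idp or role is None:
            # Inactive in the IdP, or in no mapped group: an existing account loses access.
            reason = "inactive in IdP" if not active_in_idp else "no mapped group"
            if existing and existing["active"]:
                actions.append({"op": "deactivate", "user": email, "reason": reason})
            continue
        if existing is None:
            actions.append({"op": "create", "user": email, "role": role})
        elif not existing["active"]:
            actions.append({"op": "reactivate", "user": email, "role": role})
        elif existing["role"] != role:
            actions.append({"op": "update_role", "user": email,
                            "from": existing["role"], "to": role})
    # Anyone active here but missing from the IdP snapshot is offboarded.
    for email, existing in current.items():
        if email not in seen and existing["active"]:
            actions.append({"op": "deactivate", "user": email, "reason": "absent from IdP"})
    return actions


if __name__ == "__main__":
    for action in reconcile(IDP_SNAPSHOT, CURRENT_USERS):
        print(action)
```

Choosing the least privileged role on a conflict is a deliberate design choice for the example; the alternative of picking the highest role means a stray group membership in the IdP becomes an admin account on the next 15-minute sync.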

MFA Configuration

Multi-Factor Authentication (JSON)
{
  "mfa_policy": {
    "enforcement": "required",
    "methods": {
      "totp": {
        "enabled": true,
        "issuer": "PolicyCortex",
        "period": 30,
        "digits": 6
      },
      "sms": {
        "enabled": true,
        "providers": ["twilio", "aws_sns"],
        "rate_limit": "3_per_hour"
      },
      "hardware_keys": {
        "enabled": true,
        "supported_protocols": ["fido2", "u2f"],
        "required_for_admins": true
      },
      "push_notifications": {
        "enabled": true,
        "timeout": "60s",
        "fallback_to_otp": true
      }
    },
    "backup_codes": {
      "enabled": true,
      "count": 10,
      "regeneration_frequency": "quarterly"
    },
    "risk_based": {
      "enabled": true,
      "factors": ["location", "device", "time"],
      "bypass_trusted_devices": true,
      "trusted_device_duration": "30d"
    }
  }
}
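The totp block above (period 30, 6 digits) is exactly the RFC 6238 scheme, and required_for_admins means the policy has to be checked per role rather than per user preference. As an added example that is not PolicyCortex code, the Python below implements RFC 4226/6238 code generation and verification with a one-step window and constant-time comparison, then applies the page's policy so that an administrator cannot satisfy MFA with TOTP or SMS when hardware keys are mandatory. The RFC 6238 test vector (secret "12345678901234567890", SHA-1) is used in the test; which roles count as "admins" is an assumption.

```python
import hashlib
import hmac
import struct

# Subset of this page's mfa_policy; which roles count as "admins" is assumed.
MFA_POLICY = {
    "totp": {"enabled": True, "period": 30, "digits": 6},
    "sms": {"enabled": True},
    "hardware_keys": {"enabled": True, "supported_protocols": ["fido2", "u2f"],
                      "required_for_admins": True},
    "push_notifications": {"enabled": True},
}
ADMIN_ROLES = {"system_administrator"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // period, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock drift).

    Each comparison uses hmac.compare_digest so a wrong guess does not leak
    how many leading digits matched.
    """
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), code)
               for d in range(-window, window + 1))


def method_allowed(role: str, method: str, policy: dict = MFA_POLICY) -> bool:
    """The method must be enabled, and admins must present a hardware key."""
    entry = policy.get(method)
    if not entry or not entry.get("enabled"):
        return False
    hw = policy.get("hardware_keys", {})
    if role in ADMIN_ROLES and hw.get("required_for_admins") and method != "hardware_keys":
        return False
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret
    print(totp(secret, 59), totp(secret, 1111111109))
    print(method_allowed("system_administrator", "totp"), method_allowed("compliance_manager", "totp"))
```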

Access Reviews and Compliance

Automated Access Reviews

Regular access reviews ensure compliance with SOX, SOC 2, and other regulatory requirements through automated workflows and manager attestations.

Review Process

1. Automated Initiation - System automatically triggers reviews based on schedule or risk events
2. Manager Review - Direct managers review and attest to user access appropriateness
3. Compliance Validation - Compliance team validates high-risk access and approvals
4. Automated Remediation - System automatically revokes unapproved access and documents changes

Review Configuration

Access Review Settings (JSON)
{
  "access_review": {
    "schedule": {
      "frequency": "quarterly",
      "offset_days": 7,
      "duration": "14_days",
      "reminder_schedule": ["7d", "3d", "1d"]
    },
    "scope": {
      "include_roles": ["all"],
      "high_risk_roles": [
        "system_administrator",
        "compliance_manager"
      ],
      "include_temporary_access": true,
      "include_api_keys": true
    },
    "reviewers": {
      "primary": "direct_manager",
      "fallback": "department_head",
      "compliance_validation": true,
      "escalation_path": [
        "vp_security",
        "chief_compliance_officer"
      ]
    },
    "automation": {
      "auto_approve_standard_roles": false,
      "auto_revoke_expired": true,
      "auto_extend_with_approval": true,
      "require_justification": true
    }
  }
}
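The four review steps above map onto fields of this configuration: the schedule block decides when a campaign opens and when reminders go out, reviewers decides who attests (with a fallback and an escalation path), high_risk_roles decides which grants also need compliance validation, and the automation block decides what is revoked without a human. The Python below is an added example of a planner that turns the page's access_review settings into a concrete campaign; it is not PolicyCortex code. The grant records, their field names (direct_manager, department_head, expires, justification) and the rule that an expired temporary grant is revoked before review are assumptions of the example.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# access_review settings copied from this page.
REVIEW_CONFIG = {
    "schedule": {"frequency": "quarterly", "offset_days": 7, "duration": "14_days",
                 "reminder_schedule": ["7d", "3d", "1d"]},
    "scope": {"high_risk_roles": ["system_administrator", "compliance_manager"],
              "include_temporary_access": True},
    "reviewers": {"primary": "direct_manager", "fallback": "department_head",
                  "compliance_validation": True,
                  "escalation_path": ["vp_security", "chief_compliance_officer"]},
    "automation": {"auto_revoke_expired": True, "require_justification": True},
}

# Constructed grants; 'expires' marks temporary access.
GRANTS = [
    {"user": "john.doe@company.com", "role": "compliance_manager",
     "direct_manager": "sarah.johnson@company.com", "justification": "Compliance Team delegate"},
    {"user": "lisa.brown@company.com", "role": "security_analyst",
     "direct_manager": "mike.chen@company.com", "justification": "SecOps on-call"},
    {"user": "temp.contractor@company.com", "role": "devops_engineer",
     "direct_manager": "mike.chen@company.com", "expires": date(2024, 1, 10),
     "justification": "Migration project"},
    {"user": "legacy.admin@company.com", "role": "system_administrator",
     "direct_manager": None, "department_head": None},
]

_DAYS = re.compile(r"^(\d+)(?:d|_days)$")


def days_of(text: str) -> int:
    """Parse the page's two day formats, '14_days' and '7d'."""
    m = _DAYS.match(text)
    if not m:
        raise ValueError(f"unsupported day count: {text!r}")
    return int(m.group(1))


def quarter_start(d: date) -> date:
    return date(d.year, ((d.month - 1) // 3) * 3 + 1, 1)


def review_window(today: date, cfg: dict = REVIEW_CONFIG) -> dict:
    """Campaign opens offset_days into the quarter, closes after `duration`,
    with reminders counted back from the due date."""
    sched = cfg["schedule"]
    opens = quarter_start(today) + timedelta(days=sched["offset_days"])
    due = opens + timedelta(days=days_of(sched["duration"]))
    reminders = [due - timedelta(days=days_of(r)) for r in sched["reminder_schedule"]]
    return {"opens": opens, "due": due, "reminders": reminders}


def plan_review(grants: List[dict], today: date, cfg: dict = REVIEW_CONFIG) -> List[dict]:
    """Decide, per grant, whether it is auto-revoked or who must attest to it."""
    high_risk = set(cfg["scope"]["high_risk_roles"])
    auto, rv = cfg["automation"], cfg["reviewers"]
    due = review_window(today, cfg)["due"]
    items: List[dict] = []
    for g in grants:
        expires: Optional[date] = g.get("expires")
        if expires is not None and expires < today and auto["auto_revoke_expired"]:
            items.append({"user": g["user"], "role": g["role"], "action": "auto_revoke",
                          "reason": f"temporary access expired {expires.isoformat()}"})
            continue
        # Primary reviewer, then fallback, then the first step of the escalation path.
        reviewer = g.get(rv["primary"]) or g.get(rv["fallback"]) or rv["escalation_path"][0]
        items.append({
            "user": g["user"], "role": g["role"], "action": "review",
            "reviewer": reviewer, "due": due,
            "compliance_validation": rv["compliance_validation"] and g["role"] in high_risk,
            "missing_justification": auto["require_justification"] and not g.get("justification"),
        })
    return items


if __name__ == "__main__":
    print(review_window(date(2024, 1, 21)))
    for item in plan_review(GRANTS, date(2024, 1, 21)):
        print(item)
```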

Compliance Reporting

• SOX Compliance - Segregation of duties reporting
• SOC 2 - Access control documentation
• ISO 27001 - Information security management
• GDPR - Data processing access tracking
• HIPAA - Healthcare data access controls
• Custom Frameworks - Organization-specific requirements

Audit Trail Features

• Complete user activity logging
• Role change audit trails
• Permission modification tracking
• Failed access attempt monitoring
• Data export for external audits
• Immutable log storage with checksums
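"Immutable log storage with checksums" is usually realised as a hash chain: every entry's checksum covers its own content and the checksum of the entry before it, so editing, deleting or reordering any record breaks verification from that point on. The Python below is an added example of such a chain, not a description of PolicyCortex's storage format; the canonical JSON encoding, the SHA-256 choice and the sample role-change and failed-login events are constructed for the example.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # previous-hash value for the very first entry


def _canonical(obj) -> bytes:
    """Deterministic JSON so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, ts: str, event: dict, prev_hash: str) -> str:
    """SHA-256 over the entry's position, timestamp, content and predecessor hash."""
    return hashlib.sha256(_canonical({"seq": seq, "ts": ts, "event": event,
                                      "prev": prev_hash})).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, ts: str, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "ts": ts, "event": event, "prev": prev,
                 "hash": entry_hash(seq, ts, event, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or entry_hash(e["seq"], e["ts"], e["event"], e["prev"]) != e["hash"]):
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events of the kinds listed on this page."""
    log = AuditLog()
    log.append("2024-01-21T09:15:00Z", {"type": "login", "user": "john.doe@company.com",
                                        "result": "success", "mfa": "totp"})
    log.append("2024-01-21T10:02:00Z", {"type": "role_change", "actor": "sarah.johnson@company.com",
                                        "user": "lisa.brown@company.com",
                                        "old_role": "security_analyst", "new_role": "devops_engineer"})
    log.append("2024-01-21T10:40:00Z", {"type": "login", "user": "john.doe@company.com",
                                        "result": "failure", "reason": "ip not in allowlist"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["event"]["new_role"] = "system_administrator"   # tamper with the role change
    print("after edit:", log.verify())
```

Verification restarts from GENESIS rather than trusting each stored `prev`, which is what catches a deleted entry: the following record's `prev` still names the hash of the record that is now missing.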

API Integration

User Management API Examples

Programmatically manage users, roles, and permissions using the PolicyCortex Users API. Perfect for automated provisioning and integration with HR systems.

User Management API Examples (bash)
# Create new user
curl -X POST "https://api.policycortex.com/v1/users" \
  -H "Authorization: Bearer sk_live_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "new.user@company.com",
    "first_name": "New",
    "last_name": "User",
    "role": "compliance_manager",
    "teams": ["compliance_team"],
    "send_invitation": true,
    "temporary_access": {
      "expires_at": "2024-12-31T23:59:59Z",
      "requires_approval": true
    }
  }'

# Update user role
curl -X PATCH "https://api.policycortex.com/v1/users/usr_1234567890abcdef" \
  -H "Authorization: Bearer sk_live_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "security_analyst",
    "reason": "Department transfer to Security Operations",
    "effective_date": "2024-02-01T00:00:00Z"
  }'

# List users with filtering
curl -X GET "https://api.policycortex.com/v1/users?role=compliance_manager&status=active&team=compliance_team" \
  -H "Authorization: Bearer sk_live_1234567890abcdef"

# Deactivate user
curl -X POST "https://api.policycortex.com/v1/users/usr_1234567890abcdef/deactivate" \
  -H "Authorization: Bearer sk_live_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -d '{
    "reason": "Employee termination",
    "transfer_resources_to": "usr_manager123",
    "revoke_api_keys": true,
    "schedule_data_retention": "90d"
  }'

# Bulk user operations
curl -X POST "https://api.policycortex.com/v1/users/bulk" \
  -H "Authorization: Bearer sk_live_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -d '{
    "operation": "role_update",
    "users": [
      {"id": "usr_123", "role": "senior_analyst"},
      {"id": "usr_456", "role": "senior_analyst"}
    ],
    "reason": "Quarterly role review",
    "effective_date": "2024-04-01T00:00:00Z"
  }'

# Generate access review report
curl -X POST "https://api.policycortex.com/v1/users/access-review" \
  -H "Authorization: Bearer sk_live_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -d '{
    "scope": {
      "teams": ["compliance_team", "security_team"],
      "roles": ["system_administrator", "compliance_manager"],
      "include_temporary_access": true
    },
    "reviewers": {
      "include_managers": true,
      "include_compliance_team": true
    },
    "format": "pdf",
    "delivery": {
      "email": ["compliance@company.com"],
      "due_date": "2024-02-15T17:00:00Z"
    }
  }'