Access Control Guide
This guide documents the roles, permissions, and access control configuration available to operators of Enprivacy 3.0.
Overview
Section titled “Overview”Enprivacy 3.0 uses role-based access control (RBAC). Access is granted by assigning users to one or more roles, and data is segregated into workspaces configured by administrators. Administrators define workspaces, categories, categorisation rule sets, redaction plans, databases, document repositories, and credentials.
Authentication and authorisation are handled by an external platform reachable at auth.enprivacy.com (see the Network Security Guide), via your identity provider (SSO/OIDC/SAML) or passwordless email authentication. Local accounts are not supported.
Enprivacy 3.0 groups capabilities under three headings — Manage, Monitor, and Explore. Roles combine these capabilities; the exact role names and granular permissions are configured per deployment.
| Capability | Who | Description |
|---|---|---|
| Manage | Administrative users | Configure platform settings: workspaces, categories, categorisation rule sets, redaction plans, databases, document repositories, and secure credentials |
| Monitor | Designated users | View reports and analytics of platform activity |
| Explore | Designated users | Use the Graph, Documents, and Database Explorers, plus Chat and Search, to work with processed data (anonymised and original) |
Configuring SSO / Identity Provider
Section titled “Configuring SSO / Identity Provider”MFA Enforcement
Section titled “MFA Enforcement”API Keys
Section titled “API Keys”API keys provide programmatic access to the Enprivacy 3.0 API. They are scoped and can be rotated.
Audit Log Events Related to Access
Section titled “Audit Log Events Related to Access”The following access-related events are captured in the audit log:
- User login and logout
- Failed authentication attempts
- Role assignment and revocation
- API key creation and rotation