Access Control
Witboost provides comprehensive, enterprise-grade access control that integrates with your existing identity infrastructure.
Identity Provider Integration
Witboost delegates authentication to the customer's own identity provider using OAuth2 / OpenID Connect (OIDC). Supported providers include:
- Microsoft Entra ID (Azure AD)
- Okta
- Keycloak
- Any OIDC-compliant provider
The customer retains full control over:
- User provisioning and deprovisioning
- Multi-factor authentication (MFA) policies
- Session duration and idle timeout
- Password policies and complexity requirements
- Access revocation
Important
Agile Lab does not operate or have access to the identity provider. The IdP is the customer's own system and is not a sub-processor.
Role-Based Access Control (RBAC)
Witboost implements fine-grained RBAC. The default roles, listed from most to least privileged, are:
| Role Level | Description |
|---|---|
| Platform Admin | Full platform administration, policy management, template management |
| Domain Owner | Manages products and governance within an assigned domain |
| Product Owner | Manages a specific product, its components, and access grants |
| Data Consumer | Can browse the marketplace and request access to output ports |
| Viewer | Read-only access to the catalog and marketplace |
These are the default roles provided out of the box. Customers can define any number of custom roles, each with its own set of permissions and scoped to specific levels of the organisational hierarchy:
- Domain — restrict a role to one or more business domains
- System — scope permissions to individual products or applications
- Landscape — apply roles across an entire deployment landscape
- Environment — differentiate permissions between development, staging, and production environments
This means organisations can model role structures that mirror their governance policies exactly, without being constrained by a fixed set of profiles.
Key RBAC Features
- Least-privilege principle — Users receive only the minimum permissions necessary for their role
- Flexible assignment — Roles can be assigned to groups from the identity provider or to individual users, at the customer's discretion
- Granular visibility — Different catalog areas can be restricted to specific roles or groups
- No shared accounts — All actions are attributable to individual, authenticated users
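The scoped-role model described above (a custom role that carries a set of permissions plus a scope on the domain / system / landscape / environment hierarchy, assigned either to an IdP group or to an individual user, and evaluated deny-by-default) can be made concrete with a small evaluator. The code below is an added illustration, not Witboost's own implementation or API; the role names, permissions strings, group names and resource attributes are invented for the example.

```python
"""Scoped RBAC check (illustrative, not Witboost's code): roles carry permissions
plus a scope on the domain / system / landscape / environment hierarchy, are
assigned to IdP groups or individual users, and evaluation is deny-by-default."""
from dataclasses import dataclass, field

# Scope dimensions named on the page; a dimension a role leaves out is unconstrained.
SCOPE_KEYS = ("domain", "system", "landscape", "environment")


@dataclass
class Role:
    name: str
    permissions: frozenset                      # e.g. {"product:manage", "access:grant"}
    scope: dict = field(default_factory=dict)   # e.g. {"domain": "finance"}

    def __post_init__(self):
        unknown = set(self.scope) - set(SCOPE_KEYS)
        if unknown:
            raise ValueError(f"unknown scope dimension(s): {sorted(unknown)}")


@dataclass
class Assignment:
    role: str      # key into the roles table
    subject: str   # "user:<id>" or "group:<IdP group name>"


@dataclass
class Principal:
    user: str
    groups: tuple  # memberships as asserted by the IdP (e.g. an OIDC groups claim)


def scope_matches(scope: dict, resource: dict) -> bool:
    """A role applies only if every constrained dimension matches the resource.
    A resource that lacks a constrained dimension does NOT match (fail closed)."""
    return all(resource.get(k) == v for k, v in scope.items())


def authorize(principal: Principal, action: str, resource: dict,
              roles: dict, assignments: list) -> tuple:
    """Return (allowed, reason). Allow only if an assignment to the user or one of
    their IdP groups grants a role holding the action within scope; else deny."""
    subjects = {f"user:{principal.user}"} | {f"group:{g}" for g in principal.groups}
    for a in assignments:
        if a.subject not in subjects:
            continue
        role = roles[a.role]
        if action in role.permissions and scope_matches(role.scope, resource):
            return True, f"allow: {role.name} via {a.subject}"
    return False, "deny: no matching role assignment (default deny)"


# --- constructed example configuration (hypothetical names and values) ---
ROLES = {
    "viewer": Role("Viewer", frozenset({"catalog:read"})),
    "finance-domain-owner": Role("Domain Owner (finance)",
                                 frozenset({"catalog:read", "product:manage", "access:grant"}),
                                 {"domain": "finance"}),
    "eu-prod-deployer": Role("Production Deployer (EU)", frozenset({"product:deploy"}),
                             {"landscape": "eu", "environment": "production"}),
}
ASSIGNMENTS = [
    Assignment("viewer", "group:all-employees"),
    Assignment("finance-domain-owner", "group:finance-owners"),
    Assignment("eu-prod-deployer", "user:bob"),
]
ALICE = Principal("alice", ("all-employees", "finance-owners"))
BOB = Principal("bob", ("all-employees",))

LEDGER_DEV = {"domain": "finance", "system": "ledger", "landscape": "eu", "environment": "development"}
LEDGER_PROD = {**LEDGER_DEV, "environment": "production"}
CRM_PROD = {"domain": "marketing", "system": "crm", "landscape": "us", "environment": "production"}


def check(principal: Principal, action: str, resource: dict) -> bool:
    return authorize(principal, action, resource, ROLES, ASSIGNMENTS)[0]


if __name__ == "__main__":
    for who, action, res in [(ALICE, "product:manage", LEDGER_DEV), (ALICE, "product:manage", CRM_PROD),
                             (BOB, "product:deploy", LEDGER_PROD), (BOB, "product:deploy", LEDGER_DEV)]:
        print(who.user, action, res["domain"], res["environment"], "->",
              authorize(who, action, res, ROLES, ASSIGNMENTS))
```

Two points the evaluator makes explicit: a role scoped to a domain grants nothing outside it even if the action is in its permission set, and a resource that does not declare a dimension the role is scoped on is denied rather than treated as a wildcard. Group membership comes from the IdP claim, so deprovisioning a user or removing them from a group at the IdP removes their access here without any change in the role table.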
Access Request Workflow
Access to products follows a governed workflow:
1. The consumer requests access through the Marketplace UI
2. The Product Owner reviews the request with full context (requester identity, purpose, scope)
3. The approval or rejection is recorded with an audit trail
4. On approval, access is provisioned automatically via the appropriate Tech Adapter
The Product Owner can revoke the granted access at any time.
Multi-Step Approval Workflows
Witboost supports configurable approval workflows for sensitive operations:
- Access requests can be routed through multiple approval steps, involving different stakeholders at each stage
- Approval chains are fully customisable — organisations can define who needs to approve, in what order, and under which conditions
- Every step is recorded with approver identity, decision, and timestamp, providing a complete audit trail
- Periodic access reviews can be implemented to ensure permissions remain appropriate over time
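The single-step request workflow and the multi-step approval chains above share one lifecycle: a request moves through an ordered list of steps, each step has its own approver set and may apply only under a condition, every decision is recorded with approver identity, decision and timestamp, and the Product Owner can revoke access afterwards. The following is an added example of that lifecycle written for this page, not Witboost's workflow engine or API; the step names, identities, output port and the separation-of-duties check (a requester may not approve their own request) are assumptions of the example, and the "tech-adapter" audit entry only marks where a real provisioning call would happen.

```python
"""Access request lifecycle with a configurable approval chain (illustrative, not
Witboost's code): ordered steps, each with its own approvers and an optional
condition; every decision is recorded with approver, decision and timestamp."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class Step:
    name: str
    approvers: frozenset                                            # identities allowed to decide this step
    condition: Optional[Callable[["AccessRequest"], bool]] = None   # None = step always applies


@dataclass
class AccessRequest:
    requester: str
    output_port: str
    purpose: str
    environment: str
    status: str = "pending"     # pending -> approved | rejected ; approved -> revoked
    step_index: int = 0         # position within the applicable steps
    audit: list = field(default_factory=list)


def _record(req: AccessRequest, event: str, actor: str, **details) -> None:
    req.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, "actor": actor, **details})


def submit(requester: str, output_port: str, purpose: str, environment: str) -> AccessRequest:
    req = AccessRequest(requester, output_port, purpose, environment)
    _record(req, "requested", requester, output_port=output_port, purpose=purpose, environment=environment)
    return req


def applicable_steps(chain: list, req: AccessRequest) -> list:
    """Conditional steps (e.g. a second approver only for production) drop out when their condition is False."""
    return [s for s in chain if s.condition is None or s.condition(req)]


def decide(req: AccessRequest, chain: list, approver: str, approve: bool) -> str:
    """Apply one decision to the current step; returns the request status afterwards."""
    if req.status != "pending":
        raise ValueError(f"request is already {req.status}")
    steps = applicable_steps(chain, req)
    step = steps[req.step_index]
    if approver not in step.approvers:
        _record(req, "decision_refused", approver, step=step.name, reason="not an approver for this step")
        raise PermissionError(f"{approver} may not decide step {step.name!r}")
    if approver == req.requester:
        # Separation of duties: an assumption of this example, not stated on the page.
        _record(req, "decision_refused", approver, step=step.name, reason="requester cannot self-approve")
        raise PermissionError("requester cannot approve their own request")
    _record(req, "approved" if approve else "rejected", approver, step=step.name)
    if not approve:
        req.status = "rejected"
        return req.status
    req.step_index += 1
    if req.step_index == len(steps):
        req.status = "approved"
        # In the real system this is where the Tech Adapter would grant access on the target platform.
        _record(req, "provisioned", "tech-adapter", output_port=req.output_port, grantee=req.requester)
    return req.status


def revoke(req: AccessRequest, actor: str, product_owners: frozenset) -> str:
    if actor not in product_owners:
        raise PermissionError(f"{actor} is not a Product Owner for {req.output_port}")
    if req.status != "approved":
        raise ValueError(f"cannot revoke a request that is {req.status}")
    req.status = "revoked"
    _record(req, "revoked", actor, output_port=req.output_port, grantee=req.requester)
    return req.status


# --- constructed chain (hypothetical identities): Product Owner always, security review only for production ---
OWNERS = frozenset({"owner@example.com"})
CHAIN = [
    Step("product_owner", OWNERS),
    Step("security_review", frozenset({"security@example.com"}),
         condition=lambda r: r.environment == "production"),
]
```

The `condition` hook is what makes the chain configurable "under which conditions": the same chain yields a one-step approval for a development request and a two-step approval for production, and the audit list on the request is the per-step trail the page describes. A refused decision (wrong approver, or self-approval) is itself recorded, which is what an access reviewer will want to see later.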
Privileged Access Management
- No default admin accounts — Administrative access is provisioned through the customer's IdP
- Session controls — Inactive sessions are automatically terminated after a configurable timeout
- Complete audit trail — All privileged actions are logged with tamper-evident, write-protected audit records
- SIEM integration — Access logs can be forwarded to the customer's SIEM for centralised monitoring
Access Logging
All access events are recorded:
| Event Type | Details Logged |
|---|---|
| Authentication | User login/logout, authentication method, source IP |
| Authorization | Resource accessed, permission evaluated, result (allow/deny) |
| Data Access | Which metadata was accessed, by whom, when |
| Administrative | Configuration changes, role assignments, policy modifications |
| Deployment | Who deployed what, approval chain, timestamp |
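The "tamper-evident, write-protected audit records" under Privileged Access Management and the event categories in the table above can be demonstrated with a hash-chained log: each record carries the hash of its predecessor, so editing, deleting or reordering an earlier record breaks the chain at that point, and records serialise as JSON lines for SIEM forwarding. This is an added example written for this page, not Witboost's logging implementation or record format; the field names, identities, timestamps and events are constructed sample data.

```python
"""Tamper-evident audit log (illustrative, not Witboost's code): each record is
chained to the previous one by a SHA-256 hash; records serialise to JSON lines
for SIEM forwarding."""
import hashlib
import json

GENESIS_HASH = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # append-only; a real deployment backs this with write-once storage

    def append(self, event_type: str, actor: str, **details) -> str:
        record = {"seq": len(self.entries), "event_type": event_type, "actor": actor, **details}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"record": record, "prev_hash": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple:
        """(True, count) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if (e["prev_hash"] != prev or e["record"].get("seq") != i
                    or e["hash"] != _digest(prev, e["record"])):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def head(self) -> str:
        """Hash of the latest entry; anchor this externally (e.g. ship it with every SIEM batch)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def to_siem_lines(self) -> list:
        return [json.dumps({**e["record"], "prev_hash": e["prev_hash"], "hash": e["hash"]}, sort_keys=True)
                for e in self.entries]


def build_sample_log() -> AuditLog:
    """Constructed events covering the categories in the table (fixed timestamps so the chain is reproducible)."""
    log = AuditLog()
    log.append("authentication", "alice@example.com", ts="2024-05-01T08:00:00Z",
               action="login", method="oidc", source_ip="203.0.113.10")
    log.append("authorization", "alice@example.com", ts="2024-05-01T08:00:05Z",
               resource="product:finance/ledger", permission="product:manage", result="allow")
    log.append("authorization", "bob@example.com", ts="2024-05-01T08:01:00Z",
               resource="product:finance/ledger", permission="product:manage", result="deny")
    log.append("administrative", "admin@example.com", ts="2024-05-01T09:00:00Z",
               change="role_assignment", role="finance-domain-owner", subject="group:finance-owners")
    log.append("deployment", "alice@example.com", ts="2024-05-01T10:00:00Z",
               component="finance/ledger/output-port", environment="production",
               approval_chain=["owner@example.com", "security@example.com"])
    return log


def tamper_check(log: AuditLog, seq: int, field_name: str, value) -> tuple:
    """Simulate an after-the-fact edit of one record and report what verify() sees."""
    log.entries[seq]["record"][field_name] = value
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    print("after editing a deny into an allow:", tamper_check(log, 2, "result", "allow"))
```

One caveat the chain alone does not cover: an attacker who controls the whole store can rewrite every entry from the altered one onward and produce a consistent chain, and silently truncating the tail also leaves a valid prefix. What makes the log tamper-evident in practice is that the head hash leaves the system, for example by forwarding each batch with its current head to the customer's SIEM, so that a later verification can be compared against a copy the attacker could not change.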