Velaxe
AccessGuard — IAM with JWT, MFA, RBAC & SSO (SAML/OIDC) | Velaxe

AccessGuard

Configure RBAC roles & permissions

Create roles, map capabilities, and assign least-privilege access.

20 min Intermediate Security Engineer, Platform Lead Updated Sep 19, 2025
View App All Guides

Overview

Create roles, map capabilities, and assign least-privilege access.

Prerequisites

None.

Permissions required

iam:configure users:manage

Downloads & Templates

Sample RBAC JSON

Spec

Steps (4)

Estimated: 20 min
  1. 1

    Create roles

    Security 5 min Back to top

    Navigate to Settings → RBAC → Roles → New. Name roles (e.g., “viewer”, “analyst”, “admin”).

    Tips

    Validation

    • Roles appear in the list with unique slugs.

    Success criteria

  2. 2

    Map permissions

    Security 7 min Back to top

    Assign capabilities like users:read, sessions:read, profiles:write, iam:configure.

    Tips

    • Use “viewer” for read-only; keep “iam:configure” to a minimal set.

    Validation

    Success criteria

  3. 3

    Assign to users or groups

    Admin 5 min Back to top

    Open Users → select a user → Roles tab. For SSO, set group/claim → role rules.

    Tips

    Validation

    Success criteria

    • All admins have two-person control; no broad admin on service accounts.
  4. 4

    Audit & export

    Security 3 min Back to top

    Export role matrix and verify no privilege creep.

    Tips

    Validation

    Success criteria

About this guide

AccessGuard secures apps and external sites with hosted authentication and short-lived JWTs. Enable MFA, define RBAC permissions, and connect enterprise identity via SAML or OIDC. A lightweight HMAC bridge lets you embed login, registration, and token refresh flows on any domain without CORS pain.

Admins manage users, sessions, connections, and policies from one console. Profiles consolidate verified emails/phones, consents, KYC docs, and risk flags. Events and metrics provide visibility for security and ops.

Designed for velocity and safety: opinionated defaults, least-privilege keys, Prometheus counters, and exportable audit logs.