Directory & RBAC

Users, groups, roles, permissions.
Synced from Entra ID.

Organize users into security groups. Assign roles with fine-grained permissions. Sync directories from Entra ID, Okta, or Google Workspace via SCIM. One source of truth for who can do what — in your app, in the cloud, at the kernel.

The identity hierarchy

Users belong to groups. Groups carry roles. Roles grant permissions. Permissions protect everything — APIs, cloud resources, infrastructure.

👤
Users

People who access your app. Created via signup, SSO, SCIM, or API.

👥
Groups

Collections of users. Synced from Entra ID or managed manually. Carry roles.

🏷️
Roles

Named sets of permissions. Assigned to users directly or via groups.

🔑
Permissions

Granular actions like read:patients, write:notes, deploy:production.

User: Dr. Alice Chen
├── Direct role: "viewer" → [read:dashboard]
│
├── Group: "doctors"
│   └── Role: "physician" → [read:patients, write:notes, write:prescriptions]
│
└── Group: "oncology-dept"
    └── Role: "specialist" → [read:imaging, order:labs]

Effective permissions (union of all roles):
  [read:dashboard, read:patients, write:notes, write:prescriptions, read:imaging, order:labs]

// All included in the JWT automatically. Enforced at SDK, eBPF, and cloud level.

Because the permission list travels inside the JWT, a token issued before a role or group change keeps the old list until it expires or is reissued. To make a downgrade take effect at once, revoke the user's sessions so that a fresh token is minted with the new set.
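The resolution step in the tree above, written out as an added example (this is not AuthFI's code). The in-memory directory is constructed to mirror the tree; the field names `direct_roles`, `groups` and `org_id`, the grant-path strings in the `source` map, and the claim names emitted by `jwt_claims()` are assumptions. It also shows the dedup that the union gives when one role is reachable by two paths, and how a group removal shrinks the set on the next resolution.

```python
"""Resolve a user's effective permissions: the union of their direct roles
and the roles carried by every group they belong to.

Added example, not AuthFI's code. The in-memory directory below is
constructed to mirror the tree above; the field names (direct_roles,
groups, org_id) and the claim names emitted by jwt_claims() are assumptions.
"""
from collections import defaultdict

# Constructed sample directory for one organization.
ROLES = {
    "viewer":     {"read:dashboard"},
    "physician":  {"read:patients", "write:notes", "write:prescriptions"},
    "specialist": {"read:imaging", "order:labs"},
}
GROUPS = {
    "doctors":       {"roles": ["physician"]},
    "oncology-dept": {"roles": ["specialist"]},
}
USERS = {
    "usr-alice": {"name": "Dr. Alice Chen", "org_id": "org-memorial",
                  "direct_roles": ["viewer"], "groups": ["doctors", "oncology-dept"]},
    # Bob holds "physician" both directly and via "doctors": the union dedups it.
    "usr-bob":   {"name": "Dr. Bob Park", "org_id": "org-memorial",
                  "direct_roles": ["physician"], "groups": ["doctors"]},
}


def resolve_permissions(user_id, users=USERS, groups=GROUPS, roles=ROLES):
    """Return (effective, source): the sorted union of all granted permissions,
    and for each permission the sorted list of grant paths (useful for audit
    and for the kind of "source" field a permissions API would return)."""
    user = users[user_id]
    source = defaultdict(set)
    # Direct roles grant permissions on their own.
    for role in user.get("direct_roles", []):
        for perm in roles.get(role, ()):
            source[perm].add(f"role:{role}")
    # Group roles: every role carried by every group the user belongs to.
    for group in user.get("groups", []):
        for role in groups.get(group, {}).get("roles", []):
            for perm in roles.get(role, ()):
                source[perm].add(f"group:{group}/role:{role}")
    return sorted(source), {p: sorted(paths) for p, paths in source.items()}


def can(user_id, permission):
    """Permission check as an SDK would do it once the list is resolved."""
    effective, _ = resolve_permissions(user_id)
    return permission in effective


def jwt_claims(user_id):
    """Claims a token issuer would embed (assumed names): org_id for
    server-side filtering plus the flattened permission list."""
    effective, _ = resolve_permissions(user_id)
    return {"sub": user_id, "org_id": USERS[user_id]["org_id"],
            "permissions": effective}


def remove_from_group(user_id, group):
    """Directory change (e.g. a SCIM group-remove): the permission set shrinks
    on the next resolution, which is why tokens must be re-issued to see it."""
    USERS[user_id]["groups"].remove(group)
    return resolve_permissions(user_id)[0]
```

The `source` map is the part worth keeping in a real implementation: when an auditor asks why Alice can `order:labs`, the answer is the grant path, not the flat list.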

SCIM sync — real-time directory from Entra ID

User created in Entra ID? Appears in AuthFI in seconds. User deactivated? AuthFI revokes the user's sessions as soon as the SCIM update lands, and the eBPF and cloud layers follow within about 30 seconds. Group membership changed? Role assignments update as soon as the change is pushed, and the new permission set is carried in the user's next token.

Entra ID

Microsoft Entra ID (formerly Azure AD). SCIM 2.0 provisioning app. Sync users, groups, membership in real-time.

Okta

Okta SCIM provisioning. Push users and groups to AuthFI. Deprovisioning revokes sessions as soon as the push arrives.

Google Workspace

Google Workspace directory sync. Organizational units map to groups. Automatic provisioning and deprovisioning.

What happens when you add a user in Entra ID

1. t=0s  Admin creates user in Entra ID
   alice@acme.com added to Engineering group
2. t=1s  Entra ID provisioning pushes the change to AuthFI's SCIM endpoint
   POST /scim/v2/{tenant}/Users with the user and their group membership
3. t=2s  AuthFI creates the user, assigns groups, resolves roles
   User active. Group "Engineering" → role "developer" → permissions applied.
4. t=2s  User can log in with correct permissions
   App, cloud, eBPF, network: all access layers updated. No admin action needed.
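What the receiving side of that push has to do, as an added example rather than AuthFI's implementation: a minimal SCIM 2.0 receiver that creates users and groups, applies membership patches, handles deactivation, and resolves group → role → permissions. The schema URNs and the PatchOp shape are from RFC 7643/7644; the handling of Entra ID's `Add`/`Remove` operations with a `members[value eq "..."]` filter path and of the boolean `active` arriving as the string `"False"` reflects how that provisioning service actually behaves. The group-to-role table, the in-memory store, the `revoked` hook and every payload are constructed for this example.

```python
"""Minimal SCIM 2.0 receiver for the flow above: create users and groups,
patch membership, deactivate, and resolve group -> role -> permissions.
Added example, not AuthFI's implementation. Schema URNs and PatchOp shape
follow RFC 7643/7644, including Entra ID's habit of sending "Add"/"Remove"
with a filter path and booleans as the string "False". The group-to-role
table, the store and every payload are constructed for this example.
"""
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Assumed AuthFI-side configuration: directory group -> roles -> permissions.
GROUP_ROLES = {"Engineering": ["developer"], "DevOps": ["devops"]}
ROLE_PERMS = {"developer": ["read:code", "deploy:staging"], "devops": ["deploy:production"]}


def scim_error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


class ScimStore:
    def __init__(self):
        self.users = {}       # id -> {"userName", "active", "groups": set of group ids}
        self.groups = {}      # id -> {"displayName", "members": set of user ids}
        self.revoked = set()  # user ids whose sessions were revoked on deactivation

    def create_user(self, body):                       # POST .../Users
        if SCIM_USER not in body.get("schemas", []) or "userName" not in body:
            return scim_error(400, "invalid User resource")
        uid = str(uuid.uuid4())
        self.users[uid] = {"userName": body["userName"], "groups": set(),
                           "active": str(body.get("active", True)).lower() == "true"}
        return 201, self.user_resource(uid)

    def create_group(self, body):                      # POST .../Groups
        if SCIM_GROUP not in body.get("schemas", []) or "displayName" not in body:
            return scim_error(400, "invalid Group resource")
        gid = str(uuid.uuid4())
        self.groups[gid] = {"displayName": body["displayName"], "members": set()}
        return 201, self.group_resource(gid)

    def patch_group(self, gid, body):                  # PATCH .../Groups/{id}
        if SCIM_PATCH not in body.get("schemas", []) or gid not in self.groups:
            return scim_error(400, "invalid PatchOp or unknown group")
        for op in body.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path", "")
            if kind == "add" and path == "members":
                for member in op["value"]:
                    self._link(gid, member["value"], add=True)
            elif kind == "remove":
                # Entra ID removes one member with a filter path: members[value eq "<id>"]
                m = re.fullmatch(r'members\[value eq "([^"]+)"\]', path)
                targets = [m.group(1)] if m else [v["value"] for v in op.get("value", [])]
                for uid in targets:
                    self._link(gid, uid, add=False)
            else:
                return scim_error(400, f"unsupported operation {kind} on {path!r}")
        return 200, self.group_resource(gid)

    def patch_user(self, uid, body):                   # PATCH .../Users/{id}
        if SCIM_PATCH not in body.get("schemas", []) or uid not in self.users:
            return scim_error(400, "invalid PatchOp or unknown user")
        user = self.users[uid]
        for op in body.get("Operations", []):
            path, value = op.get("path", "").lower(), op.get("value")
            if path == "active":
                active = value
            elif not path and isinstance(value, dict) and "active" in value:
                active = value["active"]                    # path-less replace form
            else:
                continue
            user["active"] = str(active).lower() == "true"  # accepts True or "False"
            if not user["active"]:
                self.revoked.add(uid)   # hook: revoke sessions and refresh tokens
        return 200, self.user_resource(uid)

    def effective_permissions(self, uid):
        # Group -> role -> permission resolution; a deactivated user gets nothing.
        user = self.users[uid]
        if not user["active"]:
            return []
        perms = set()
        for gid in user["groups"]:
            for role in GROUP_ROLES.get(self.groups[gid]["displayName"], []):
                perms.update(ROLE_PERMS[role])
        return sorted(perms)

    def _link(self, gid, uid, add):
        # Add or drop one membership edge; unknown member ids are ignored here.
        if uid in self.users:
            op = "add" if add else "discard"
            getattr(self.groups[gid]["members"], op)(uid)
            getattr(self.users[uid]["groups"], op)(gid)

    def user_resource(self, uid):
        u = self.users[uid]
        return {"schemas": [SCIM_USER], "id": uid, "userName": u["userName"], "active": u["active"]}

    def group_resource(self, gid):
        g = self.groups[gid]
        return {"schemas": [SCIM_GROUP], "id": gid, "displayName": g["displayName"],
                "members": [{"value": m} for m in sorted(g["members"])]}
```

Driving it in the order of the timeline (create the Engineering group, POST the user, PATCH the group to add the member) yields `["deploy:staging", "read:code"]` for the new user; a later `Replace active "False"` empties that list and records the user in `revoked`, which is where session revocation hangs.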

Live SCIM sync log

Every directory change is logged with source, action, and enforcement status.

TIME      SOURCE    EVENT             DETAIL                           STATUS    LATENCY
10:30:01  Entra ID  User created      alice@acme.com                   synced    1.2s
10:30:02  Entra ID  Group add         alice → Engineering              synced    0.8s
10:31:15  Entra ID  User updated      bob@acme.com (title changed)     synced    0.9s
10:32:00  Entra ID  User deactivated  charlie@acme.com                 synced    1.1s
10:32:01  AuthFI    Session revoked   charlie@acme.com (all sessions)  enforced  0.3s
10:33:00  Entra ID  Group removed     dave → DevOps                    synced    0.7s

RBAC that flows everywhere

Define roles once. Permissions enforce at every layer — your app (SDK), your infrastructure (eBPF agent), and your cloud (GCP/AWS). One model, everywhere.

Real example: Healthcare RBAC
Role: doctor
read:patients
write:notes
write:prescriptions
read:imaging
order:labs
Role: nurse
read:patients
write:vitals
read:notes
administer:medications
Role: admin
manage:users
manage:roles
read:audit-logs
manage:settings
App layer (SDK)

Permission checks in code

SDK middleware reads JWT, checks permissions. Unauthorized requests get 403 before hitting your route handler.

auth.require('read:patients')
// 403 if user lacks permission
Infra layer (eBPF)

Kernel-level enforcement

eBPF agent reads roles from JWT, enforces access policy at the kernel. Unauthorized packets dropped in ~45us.

POST /api/patients/*
roles: [doctor]  MFA: required
Cloud layer (GCP/AWS)

Cloud role mapping

AuthFI groups map to cloud IAM roles. Group "devops" gets GCP roles/editor. No separate cloud identity needed. Note that roles/editor is one of GCP's broad basic roles; map each group to the narrowest predefined or custom role that covers its work, so that a directory group change cannot grant more cloud access than intended.

group:devops → GCP roles/editor
group:viewers → GCP roles/viewer

Organization isolation

Each organization has its own directory — users, groups, roles, permissions. Complete isolation. Delegated admin. Ideal for B2B SaaS where each customer is an org.

Memorial Hospital
  250 users, 8 groups, 12 roles
  Groups: doctors, nurses, admin, radiology
  SSO: Okta SAML
  Admin: dr.smith@memorial-hospital.com

City Clinic
  40 users, 3 groups, 5 roles
  Groups: staff, physicians, office
  SSO: Azure AD OIDC
  Admin: manager@cityclinic.com

Rural Labs
  15 users, 2 groups, 3 roles
  Groups: lab-techs, admin
  SSO: Email / password
  Admin: admin@rurallabs.org

Complete isolation

Users in Org A can never see data from Org B. Groups, roles, and permissions are scoped to the org. JWT includes org_id for server-side filtering.

Delegated admin

Each org has its own admins who manage users, groups, and roles within their org. They can configure SSO, MFA, and branding. They cannot access other orgs.

Full API + SDK for everything

Every operation available via REST API and SDKs. Create users, manage groups, assign roles, check permissions programmatically.

List users
GET /api/v1/users?org_id=xxx&limit=20
{ "users": [...], "total": 247, "cursor": "..." }
Create group
POST /api/v1/groups
{ "id": "grp-xxx", "name": "engineering", "description": "Engineering team" }
Assign role to group
POST /api/v1/groups/grp-xxx/roles
{ "role_id": "rol-xxx", "role_name": "developer", "permissions": ["read:code", "deploy:staging"] }
Check user permissions
GET /api/v1/users/usr-xxx/permissions
{ "effective": ["read:code", "deploy:staging", "read:dashboard"], "source": {...} }

SDK permission check — one line

Node.js
// Protect a route
app.get('/api/patients',
  auth.require('read:patients'),
  handler
);

// Check in handler
if (req.user.can('write:notes')) {
  // allowed
}
Go
// Middleware
r.With(
  auth.Require("read:patients"),
).Get("/api/patients", h)

// In handler
if auth.Can(ctx, "write:notes") {
  // allowed
}
Python
# Decorator
@auth.require('read:patients')
def get_patients():
  pass

# In handler
if request.user.can('write:notes'):
  # allowed
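A working version of the check the snippets above sketch, added here as an example; it is not the AuthFI SDK. To run offline it signs and verifies HS256 tokens with a shared secret, whereas a production SDK verifies the issuer's asymmetric signature against its published JWKS. The claim names `org_id`, `permissions` and `amr`, the `require()` signature with its `org_id` and `mfa` options (the MFA option mirrors the `MFA: required` policy shown for the eBPF layer), and the request shape are assumptions. The example covers the failure modes a practitioner cares about: malformed or tampered tokens and expiry give 401, the wrong organization, a missing permission or a missing MFA factor give 403, and the `alg` header is pinned so an attacker-chosen algorithm is never honoured.

```python
"""Route protection from JWT claims: verify the token, then check org,
permission and (optionally) an MFA factor before the handler runs.

Added example, not the AuthFI SDK. HS256 with a shared secret keeps it
offline-runnable; a real SDK verifies the issuer's asymmetric signature
against its JWKS. Claim names (org_id, permissions, amr) are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # stand-in for a real signing key


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, secret=SECRET, ttl=300, now=None):
    """Issue a short-lived HS256 JWT carrying the given claims."""
    now = int(now if now is not None else time.time())
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(dict(claims, iat=now, exp=now + ttl)).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


class AuthError(Exception):
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def verify(token, secret=SECRET, now=None):
    """Return the claims of a valid token, else raise AuthError(401, ...)."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64u_dec(h)), json.loads(_b64u_dec(p)), _b64u_dec(s)
    except ValueError:   # wrong segment count, bad base64 or bad JSON
        raise AuthError(401, "malformed token")
    if header.get("alg") != "HS256":   # pin the algorithm; never honour "none"
        raise AuthError(401, "unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError(401, "bad signature")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise AuthError(401, "token expired")
    return claims


def require(permission, org_id=None, mfa=False):
    """Decorator: the handler runs only if the caller's token carries
    `permission`, belongs to `org_id` (when given) and, if mfa=True,
    lists an MFA factor in its `amr` claim. Otherwise 401/403 is returned."""
    def decorate(handler):
        def wrapped(request):
            try:
                claims = verify(request.get("token", ""))
            except AuthError as err:
                return err.status, {"error": str(err)}
            if org_id is not None and claims.get("org_id") != org_id:
                return 403, {"error": "wrong organization"}
            if permission not in claims.get("permissions", []):
                return 403, {"error": f"missing permission {permission}"}
            if mfa and "mfa" not in claims.get("amr", []):
                return 403, {"error": "MFA required"}
            return handler(request, claims)
        return wrapped
    return decorate


@require("read:patients", org_id="org-memorial")
def get_patients(request, claims):
    # org_id from the verified token, never from the request, drives filtering
    return 200, {"org": claims["org_id"], "sub": claims["sub"]}


@require("write:prescriptions", mfa=True)
def write_prescription(request, claims):
    return 200, {"written_by": claims["sub"]}
```

The handler never sees a request that failed any check, which is the property the page's `auth.require()` promises; the `org_id` taken from the verified claims, not from a query parameter, is what makes the organization isolation described below hold on the server side.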

Offboarding in seconds, not days

Deactivate a user in Entra ID. AuthFI revokes all sessions, blocks all access, removes cloud permissions — automatically.

User deprovisioned: charlie@acme.com

Entra ID: user deactivated                 t=0s
SCIM push → AuthFI: user deactivated       t=1s
AuthFI: all active sessions revoked        t=1s
AuthFI: refresh tokens invalidated         t=1s
eBPF agent: JWKS updated, user blocked     t=30s
Cloud access: GCP/AWS sessions revoked     t=30s

Total time from deactivation to full revocation: ~30 seconds. No manual steps. No forgotten access. No zombie accounts.
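The mechanics behind that timeline, as an added example that is not AuthFI's implementation. Revoking server-side sessions and refresh tokens is a delete; the hard part is the access tokens already in the user's hands, which are stateless and cannot be recalled. The common pattern, assumed here, is to record the revocation instant per user and reject any token whose `iat` precedes it. A downstream enforcement point (the page's eBPF agent or cloud role mapper) that pulls that state on a poll interval then lags by at most one interval, which is the ~30-second gap the timeline shows. The simulated clock, the 30-second interval, the claim layout and all identities are constructed for the example.

```python
"""Offboarding propagation with a simulated clock: central revocation of
sessions and refresh tokens, a rule that kills already-issued access tokens,
and a polling enforcement agent that exposes the propagation window.

Added example, not AuthFI's implementation. The revocation rule (reject any
token issued before the user's revocation time) and the 30-second agent poll
are assumptions chosen to mirror the timeline above; all data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class IdentityStore:
    sessions: dict = field(default_factory=dict)        # session_id -> user
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> user
    revoked_at: dict = field(default_factory=dict)      # user -> revocation time

    def deprovision(self, user, now):
        """Called when the directory reports the user inactive. Returns the
        number of sessions and refresh tokens that were revoked."""
        dead_sessions = [s for s, u in self.sessions.items() if u == user]
        dead_refresh = [t for t, u in self.refresh_tokens.items() if u == user]
        for s in dead_sessions:
            del self.sessions[s]
        for t in dead_refresh:
            del self.refresh_tokens[t]
        # Stateless access tokens cannot be recalled; remember the instant
        # instead and reject anything issued before it.
        self.revoked_at[user] = now
        return len(dead_sessions), len(dead_refresh)

    def token_ok(self, claims, now):
        """Check an access token against expiry and the revocation instant."""
        if claims["exp"] <= now:
            return False
        revoked = self.revoked_at.get(claims["sub"])
        return revoked is None or claims["iat"] > revoked


class EnforcementAgent:
    """A downstream enforcement point (eBPF agent, cloud role mapper) that
    pulls revocation state from the store every poll_interval seconds, so a
    revocation becomes effective there at most one interval later."""

    def __init__(self, name, store, poll_interval=30):
        self.name, self.store, self.poll_interval = name, store, poll_interval
        self.snapshot, self.last_sync = {}, None

    def sync(self, now, force=False):
        """Refresh the local snapshot when due; force=True models a push."""
        if force or self.last_sync is None or now - self.last_sync >= self.poll_interval:
            self.snapshot = dict(self.store.revoked_at)
            self.last_sync = now

    def allow(self, claims, now):
        self.sync(now)
        revoked = self.snapshot.get(claims["sub"])
        return claims["exp"] > now and (revoked is None or claims["iat"] > revoked)


def offboard_timeline():
    """Replay the timeline above on a simulated clock. Returns a list of
    (t, layer, allowed) showing when each layer stops accepting the token."""
    store = IdentityStore(sessions={"sess-1": "charlie@acme.com", "sess-2": "dave@acme.com"},
                          refresh_tokens={"rt-1": "charlie@acme.com"})
    agent = EnforcementAgent("ebpf-agent", store)
    charlie = {"sub": "charlie@acme.com", "iat": -600, "exp": 3000}  # issued 10 min ago
    agent.sync(0)                                  # agent last refreshed at t=0
    store.deprovision("charlie@acme.com", 1)       # SCIM deactivation lands at t=1
    timeline = []
    for t in (2, 30):
        timeline.append((t, "sdk", store.token_ok(charlie, t)))
        timeline.append((t, agent.name, agent.allow(charlie, t)))
    return timeline
```

`offboard_timeline()` returns the SDK layer rejecting the token at t=2 while the polling agent still accepts it until its next refresh at t=30. Two levers shrink that window: push the revocation to agents (`sync(now, force=True)`) instead of waiting for the poll, and keep access-token lifetimes short so that even a layer that never learns of the revocation stops accepting the token soon.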

Available on Free and above. See pricing →

One platform. Every identity layer.
Free to start.

Free for 5,000 users. Upgrade when you're ready.


Startups and enterprises get 1 year free →