Role-based access with optional account-scoped and tag-scoped permissions. MFA is mandatory. SSO on Enterprise.

| User | Role | MFA | Scope | Last login |
|---|---|---|---|---|
| [email protected] | Owner | TOTP | all | now |
| [email protected] | Admin | TOTP | all | 12m ago |
| [email protected] | Viewer | TOTP | tag env=prod, Cost pillar only | 1h ago |
| [email protected] | Viewer | WebAuthn | account security, read-only, 7-yr audit | yesterday |
| [email protected] | Member | TOTP | accounts sandbox, staging | 2d ago |
| [email protected] | Member | TOTP | accounts sandbox, staging | 3d ago |
| [email protected] | Admin | TOTP | Security pillar only | 4h ago |
| [email protected] | Viewer | TOTP | dashboards + reports | 1d ago |

| Role | Capabilities |
|---|---|
| Owner | billing + everything |
| Admin | connectors + settings + findings triage + reports |
| Member | findings triage (scoped) + reports (scoped) |
| Viewer | read-only (scoped) |

Custom roles available on Enterprise.

Enterprise only. SAML 2.0 or OIDC with JIT account creation. SCIM 2.0 for user and group provisioning.

Enterprise upgrade required; see pricing.

| Time (UTC) | Actor | Event | Target |
|---|---|---|---|
| 2026-04-16 04:12 | system | connector.sync.completed | AWS prod-us-east-1 |
| 2026-04-16 03:44 | [email protected] | auth.login.success | . |
| 2026-04-15 22:02 | [email protected] | connector.create | Azure acme-data |
| 2026-04-15 18:10 | [email protected] | finding.exception.create | aws.rds.public-subnet |
| 2026-04-15 09:00 | system | report.generate.success | Cost deep dive · GCP |

Retention: 30 days (Free) / 1 year (Pro) / 7 years with S3 Object Lock export (Enterprise).