StellarBase
Docs Security & Compliance Auth & RBAC
Security & Compliance

Auth & RBAC

Identity and role-based access control — the foundation of [zero-trust](/docs/security/zero-trust). Integrates with your existing identity provider, scopes permissions to individual documents and tools.

Identity providers

StellarBase integrates with any mainstream identity provider via standard protocols:

ProtocolTypical IdPs
SAML 2.0Okta, Azure AD, ADFS, Google Workspace, Auth0, Keycloak, Ping
OIDCSame — most IdPs support both
SCIM 2.0Automated user / group provisioning from Okta, Azure AD, etc.
LDAP / Active DirectoryDirect binding for on-prem deployments

For organizations without an IdP (small teams, pilots), local password-based auth + MFA is available but not recommended for production.

MFA

Multi-factor authentication is enforced via your IdP. StellarBase respects the MFA assertion from SAML/OIDC tokens. For sensitive actions (admin operations, bulk exports), a step-up re-authentication can be required even within an active session.

Role hierarchy

Three tiers:

  1. Organization — top-level billing + SSO config + global admin
  2. Base — content, agents, workflows for one project / matter / department
  3. Resource — individual documents, collections, agents, tools

A user’s effective permission is the intersection of organization role, Base role, and resource ACL.

Standard roles

Organization level

RoleCan do
OwnerEverything — billing, SSO, user lifecycle, all Bases
AdminAll except billing and ownership transfer
UserCreate own Bases, join invited Bases

Base level

RoleCan do
Base adminManage sources, agents, workflows, members; see audit log
EditorRead + write content, configure agents, trigger workflows
ReviewerRead + comment + approve HITL gates; cannot modify
ViewerRead-only access to specified collections
ExternalTime-limited, narrowly-scoped access

Custom roles

Define your own role with a specific permission matrix. Examples:

  • Senior Reviewer — Reviewer + ability to override HITL rejections
  • Analyst — Editor minus agent-configuration (analysts use agents but don’t tune them)
  • Compliance Officer — Cross-Base audit-log read + policy-configuration write

Custom roles are defined as JSON policies; the policy editor has autocomplete for every available permission.

Resource-level ACLs

Any Base-level role can be overridden per resource. Common patterns:

  • Documents tagged “privileged” are visible only to a named list of users, regardless of Base role
  • A specific agent can only be invoked by users in a named group
  • A specific workflow can only be triggered by admins

Permission inheritance

Collections inherit from Bases. Documents inherit from collections. Tags and per-document ACLs can override inheritance — always restricting, never broadening.

Source-system permissions

Connectors can carry through source-system permissions:

  • Google Drive, SharePoint, Box: native ACL preserved. A doc a user can’t read in Drive is a doc they can’t read in StellarBase.
  • Databases: row-level security via configured column filters
  • Custom: you provide the permission mapping

Agent permissions

Agents are principals too. An agent’s permissions are the intersection of:

  • The user who invoked it (for interactive calls)
  • The agent’s configured knowledge scope
  • The agent’s tool allowlist

This means an agent can never see more than the user invoking it — even if the agent is technically configured with broader access.

Service accounts

For API integrations, create service accounts with scoped API keys. Each service account has:

  • A set of permissions (same model as users)
  • A rate limit
  • An optional expiry
  • An IP allowlist

External users

Invite users outside your organization with tightly-scoped access:

  • Scope: single Base, single collection, or single document
  • Duration: default 7 days, configurable
  • Auth: SAML/OIDC from their IdP, or email + verification code
  • Audit: all their actions logged with external=true flag

Session management

  • Default session lifetime: 12 hours
  • Refresh tokens extend automatically for active users
  • Admin can revoke all active sessions instantly
  • Step-up re-auth required for high-risk actions

Audit

Every auth event logged: login, logout, MFA challenge, permission change, role assignment, failed authorization. See Audit Log.

Related

Previous Overview Next Zero-Trust