User Access Control
User access control is a critical aspect of Axvero’s security and compliance framework. It ensures that users only have access to the data and features necessary for their roles, protecting sensitive information and supporting regulatory requirements.
What is User Access Control?
User access control defines how users are authenticated, authorized, and managed within the system. It determines:
- Who can log in
- What resources and actions each user can access
- How access is granted, modified, and revoked
How Access is Granted
- Role-Based Access Control (RBAC): Users are assigned roles (e.g., Administrator, Organization, User) that determine their permissions.
- Permission Sets: Each role has a defined set of permissions for system features and data.
- Temporary Access: Time-limited access can be granted for special cases (e.g., coverage, audits) and expires automatically at the end of the set period.
How Access is Enforced
- Authentication: Secure login with email and password, with optional two-factor authentication (2FA).
- Session Management: Automatic session timeouts and activity monitoring to prevent unauthorized use.
- Access Restrictions: Users can only see and interact with data and features allowed by their role and permissions.
- Audit Logging: All access and permission changes are logged for compliance and review.
Access Control During and After Organization Registration
When you register a new organization in Axvero, user access control is enabled immediately—even during the trial period. Here’s how access is managed from the start:
- Default Admin Role: The email used for registration becomes the primary administrator, with full access to all features and user management.
- Default Roles and Permissions: Standard roles (Admin, User, Viewer) are pre-configured for immediate assignment to invited team members.
- Immediate Enforcement: Role-based access control (RBAC), multi-factor authentication (MFA), and audit logging are active from your first login.
- Inviting Users: After registration, you can invite team members and assign them roles right away. Each new user’s access is determined by their assigned role.
- Trial Period Access: During the 30-day trial, all features and access controls are fully enabled. There are no user or feature limitations.
- Post-Trial or Deactivation: If the trial expires without a subscription, or if the organization is deactivated, all user access is suspended until reactivation or payment is completed.
For more details on the registration and onboarding process, see Organization Registration.
Reviewing and Revoking Access
- Regular Reviews: Administrators should periodically review user access and roles for appropriateness.
- Deactivation: Access is immediately revoked when a user is deactivated or removed.
- Temporary Access Expiry: Temporary permissions automatically expire after the set period.
- Audit Trails: All changes to user access are recorded for transparency and compliance.
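The following is an added example, not Axvero's own code, showing the access-control mechanics described under "How Access is Granted" and "Reviewing and Revoking Access" as a small, runnable model: roles mapped to permission sets, a primary administrator created at registration, time-limited grants that stop applying once their expiry passes, deactivation that revokes all access at once, and an audit entry for every change. The role names follow this page; the permission strings, email addresses and timestamps are constructed for the example.

```python
"""Illustrative access-control model: roles with permission sets, temporary
grants that expire on their own, deactivation that revokes everything, and an
audit trail of every change. Added example; not Axvero's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed permission sets. Role names follow the page; the permission
# strings are assumptions for the example.
ROLE_PERMISSIONS = {
    "Administrator": {"read_reports", "edit_reports", "manage_users", "view_audit_log"},
    "User": {"read_reports", "edit_reports"},
    "Viewer": {"read_reports"},
}


@dataclass
class TemporaryGrant:
    permission: str
    expires_at: datetime  # the grant is ignored once this instant has passed


@dataclass
class User:
    email: str
    role: str
    active: bool = True
    temporary: list = field(default_factory=list)


class AccessControl:
    def __init__(self, primary_admin: str, now: datetime):
        # The email used for registration becomes the primary administrator.
        self.users = {primary_admin: User(primary_admin, "Administrator")}
        self.audit_log = []
        self._log("registration", "create_primary_admin", primary_admin, now)

    def _log(self, actor, action, target, now):
        self.audit_log.append(
            {"at": now.isoformat(), "actor": actor, "action": action, "target": target}
        )

    def permissions(self, email, now):
        """Effective permissions: the role's set plus unexpired temporary grants.
        A deactivated or unknown user has none."""
        user = self.users.get(email)
        if user is None or not user.active:
            return set()
        effective = set(ROLE_PERMISSIONS[user.role])
        effective |= {g.permission for g in user.temporary if g.expires_at > now}
        return effective

    def is_allowed(self, email, permission, now):
        return permission in self.permissions(email, now)

    def _require(self, actor, permission, now):
        # Enforcement point: administrative actions need the manage_users permission.
        if not self.is_allowed(actor, permission, now):
            raise PermissionError(f"{actor} lacks {permission}")

    def invite_user(self, actor, email, role, now):
        self._require(actor, "manage_users", now)
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.users[email] = User(email, role)
        self._log(actor, f"invite_user role={role}", email, now)

    def grant_temporary(self, actor, email, permission, duration, now):
        self._require(actor, "manage_users", now)
        expires_at = now + duration
        self.users[email].temporary.append(TemporaryGrant(permission, expires_at))
        self._log(actor, f"grant_temporary {permission} until {expires_at.isoformat()}", email, now)

    def deactivate(self, actor, email, now):
        self._require(actor, "manage_users", now)
        self.users[email].active = False  # every permission is revoked at once
        self._log(actor, "deactivate", email, now)


def demo():
    """Walk through the lifecycle with constructed users and timestamps."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    admin, auditor = "admin@example.com", "auditor@example.com"
    ac = AccessControl(admin, t0)
    ac.invite_user(admin, auditor, "Viewer", t0)
    ac.grant_temporary(admin, auditor, "view_audit_log", timedelta(days=7), t0)
    results = {
        "viewer_day1_audit": ac.is_allowed(auditor, "view_audit_log", t0 + timedelta(days=1)),
        "viewer_day8_audit": ac.is_allowed(auditor, "view_audit_log", t0 + timedelta(days=8)),
        "viewer_can_edit": ac.is_allowed(auditor, "edit_reports", t0),
    }
    try:
        ac.invite_user(auditor, "someone@example.com", "User", t0)
        results["viewer_invited_user"] = True
    except PermissionError:
        results["viewer_invited_user"] = False
    ac.deactivate(admin, auditor, t0 + timedelta(days=2))
    results["viewer_after_deactivation"] = ac.is_allowed(auditor, "read_reports", t0 + timedelta(days=3))
    results["audit_entries"] = len(ac.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in `permissions` is evaluated at request time against the current clock, so a temporary grant needs no background job to revoke it; a periodic access review would instead read `audit_log` and the `users` table to confirm that the remaining roles and grants are still appropriate.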
Best Practices for Secure Access Management
- Assign users the minimum permissions needed for their responsibilities (principle of least privilege).
- Use strong authentication methods and enable 2FA where possible.
- Regularly review and update user roles and permissions.
- Promptly deactivate users who no longer need access.
- Monitor audit logs for unusual or unauthorized access attempts.
Effective user access control is essential for protecting your organization’s data, ensuring compliance, and maintaining trust with users and clients.