v3.4.2 Dashboard

3. User Accounts & Security

Manage user identities, enforce strict authentication policies, and control granular access across the CyberVault enterprise platform.

🕒 Updated: Oct 24, 2025
📄 12 min read
🛡️ Security Critical

ℹ️ Security First: CyberVault enforces a Zero Trust architecture. All user accounts, regardless of role, are subject to continuous verification and least-privilege access controls.

3.1 Authentication Methods

The platform supports multiple authentication mechanisms to balance security with usability. Administrators can enforce specific methods via the Security Policy configuration.

MFA / TOTP

Time-based One-Time Passwords generated via authenticator apps. Enforced by default for all Admin roles.

WebAuthn / FIDO2

Phishing-resistant hardware key authentication (YubiKey, etc.) for enhanced security requirements.

SAML 2.0 / OIDC

Enterprise Single Sign-On integration with Okta, Azure AD, PingIdentity, and custom IdPs.

API Keys

Scoped service account keys for automated integrations. Supports IP allowlisting and expiration.

Enforcing MFA via API

Administrators can require MFA for specific scopes using the POST /policies/mfa endpoint.

{
  "policy_name": "strict_mfa_enforcement",
  "scope": "all_users",
  "require_mfa": true,
  "allowed_methods": ["totp", "webauthn"],
  "grace_period_hours": 0,
  "enforce_on_api_access": true
}
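The policy above is only as strong as its weakest field: a non-zero grace period, a missing API-access enforcement flag, or a method list without a phishing-resistant factor all leave gaps. The following added example (not CyberVault's own client code) builds the request body from the documented field names, rejects values the documentation does not list, and flags weak settings before the policy is submitted. The base URL, the Bearer-token transport and the warning texts are assumptions; the endpoint path and field names are taken from this section.

```python
"""Build, lint and submit a CyberVault MFA policy (added example, not vendor code)."""
import json
import urllib.request

# Methods the documentation lists as MFA factors. SSO (SAML/OIDC) and API keys
# are authentication mechanisms, not second factors, so they are not accepted
# here (assumption: the API rejects them as well).
MFA_METHODS = {"totp", "webauthn"}
# Only WebAuthn/FIDO2 is described as phishing-resistant in section 3.1.
PHISHING_RESISTANT = {"webauthn"}


def build_mfa_policy(name, scope, allowed_methods, grace_period_hours=0,
                     enforce_on_api_access=True):
    """Return the JSON body for POST /policies/mfa, validating every field."""
    methods = list(dict.fromkeys(allowed_methods))  # de-duplicate, keep order
    unknown = set(methods) - MFA_METHODS
    if unknown:
        raise ValueError(f"unknown MFA methods: {sorted(unknown)}")
    if not methods:
        raise ValueError("at least one MFA method must be allowed")
    if not isinstance(grace_period_hours, int) or grace_period_hours < 0:
        raise ValueError("grace_period_hours must be a non-negative integer")
    return {
        "policy_name": name,
        "scope": scope,
        "require_mfa": True,
        "allowed_methods": methods,
        "grace_period_hours": grace_period_hours,
        "enforce_on_api_access": bool(enforce_on_api_access),
    }


def policy_warnings(policy):
    """Lint a policy body and return the list of weak settings found."""
    warnings = []
    if policy["grace_period_hours"] > 0:
        warnings.append("grace period lets users sign in without MFA until it expires")
    if not policy["enforce_on_api_access"]:
        warnings.append("API access is exempt from MFA")
    if not set(policy["allowed_methods"]) & PHISHING_RESISTANT:
        warnings.append("no phishing-resistant method (webauthn) is allowed")
    if policy["scope"] != "all_users":
        warnings.append("policy does not cover all users")
    return warnings


def submit_policy(policy, base_url, admin_key):
    """POST the policy. Transport details (JSON body, Bearer auth) are assumed
    to match the Authorization header shown in sections 3.2 and 3.3."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/policies/mfa",
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {admin_key}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    strict = build_mfa_policy("strict_mfa_enforcement", "all_users", ["totp", "webauthn"])
    print(json.dumps(strict, indent=2), policy_warnings(strict))
    # submit_policy(strict, "https://cybervault.example", "<admin_key>")  # network call, placeholder host
```

Run `policy_warnings` in CI against every policy body checked into configuration; an empty list for the strict policy above is the expected result.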

3.2 Role-Based Access Control (RBAC)

CyberVault utilizes a hierarchical RBAC model. Permissions are assigned to roles, and users are assigned to roles. Custom roles can be created to define granular permission sets.

Role               | Description                                                      | Key Permissions              | MFA Required
-------------------|------------------------------------------------------------------|------------------------------|-------------
Super Admin        | Full platform control, billing, and policy enforcement.          | system:write, audit:read     | Required
Security Analyst   | Access to SOC dashboard, incident response, and threat intel.    | security:read, incident:write| Required
Compliance Auditor | Read-only access to logs, reports, and configuration snapshots.  | audit:read, reports:read     | Required
Standard User      | Basic access to assigned workspaces and alerts.                  | workspace:read, alerts:read  | Optional

⚠️ Principle of Least Privilege: Avoid granting Super Admin access to service accounts or shared team emails. Each admin account should map to a single identifiable human operator.

Managing Roles via API

GET /v1/roles
Authorization: Bearer <api_key>
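The role table and the least-privilege callout translate directly into checks an administrator can run over an account export. The added example below (not CyberVault's own code) encodes the four documented roles, answers permission questions, picks the least-privileged role that covers a required permission set, and flags the two anti-patterns the callout names: Super Admin on a non-human account and an MFA-required role without MFA enrolment. The role identifiers, the account record shape (`id`, `kind`, `role`, `mfa_enrolled`) and the privilege ordering are assumptions; the permissions and MFA requirements come from the table.

```python
"""RBAC checks over the documented CyberVault roles (added example, not vendor code)."""

# Permissions and MFA requirement per role, copied from the table in section 3.2.
# Role keys are assumed identifiers, not necessarily those returned by GET /v1/roles.
ROLES = {
    "super_admin":        {"permissions": {"system:write", "audit:read"},      "mfa_required": True},
    "security_analyst":   {"permissions": {"security:read", "incident:write"}, "mfa_required": True},
    "compliance_auditor": {"permissions": {"audit:read", "reports:read"},      "mfa_required": True},
    "standard_user":      {"permissions": {"workspace:read", "alerts:read"},   "mfa_required": False},
}

# Least to most privileged, following the hierarchy implied by the table (assumption).
PRIVILEGE_ORDER = ["standard_user", "compliance_auditor", "security_analyst", "super_admin"]


def has_permission(role, permission):
    """True if the role grants the permission; unknown roles grant nothing."""
    return permission in ROLES.get(role, {}).get("permissions", set())


def least_privilege_role(required):
    """Return the lowest role whose permissions cover `required`, or None."""
    required = set(required)
    for role in PRIVILEGE_ORDER:
        if required <= ROLES[role]["permissions"]:
            return role
    return None


def audit_accounts(accounts):
    """Return (account_id, finding) pairs for accounts violating section 3.2.

    Each account is a dict with: id, kind ("human" | "service" | "shared"),
    role, mfa_enrolled. The record shape is an assumption for this example.
    """
    findings = []
    for acct in accounts:
        role = ROLES.get(acct["role"])
        if role is None:
            findings.append((acct["id"], f"unknown role {acct['role']!r}"))
            continue
        if acct["role"] == "super_admin" and acct["kind"] != "human":
            findings.append((acct["id"], f"super_admin granted to a {acct['kind']} account"))
        if role["mfa_required"] and not acct["mfa_enrolled"]:
            findings.append((acct["id"], "role requires MFA but the account is not enrolled"))
    return findings


# Constructed sample export; the ids are placeholders, not real accounts.
SAMPLE_ACCOUNTS = [
    {"id": "usr_admin01",  "kind": "human",   "role": "super_admin",      "mfa_enrolled": True},
    {"id": "svc_backup",   "kind": "service", "role": "super_admin",      "mfa_enrolled": False},
    {"id": "usr_secteam",  "kind": "shared",  "role": "super_admin",      "mfa_enrolled": True},
    {"id": "usr_analyst7", "kind": "human",   "role": "security_analyst", "mfa_enrolled": True},
    {"id": "usr_viewer2",  "kind": "human",   "role": "standard_user",    "mfa_enrolled": False},
]

if __name__ == "__main__":
    for account_id, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account_id}: {finding}")
    print("role for read-only audit access:", least_privilege_role({"audit:read"}))
```

Feeding the output of `GET /v1/roles` into `ROLES` instead of the hard-coded table keeps the audit in step with custom roles; the findings logic is unchanged.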

3.3 Session Management

User sessions are secured using signed, encrypted JWT tokens with short lifespans and automatic rotation.

  • Session Timeout: Inactive sessions expire after 30 minutes for Analysts and 15 minutes for Admins.
  • Concurrent Sessions: Administrators can limit concurrent sessions per user to 1 to prevent credential sharing.
  • Device Trust: Trusted devices can bypass MFA for up to 30 days, configurable in security settings.

Revoke All Sessions

In the event of a suspected compromise, admins can instantly revoke all active sessions for a specific user.

POST /v1/users/:id/sessions/revoke-all
Authorization: Bearer <admin_key>
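The three rules in section 3.3 (per-role inactivity timeouts, a concurrent-session limit of 1, and instant revoke-all) are easiest to reason about as a small server-side session store. The added example below (not CyberVault's own implementation) issues HMAC-signed tokens, enforces the documented 15-minute Admin and 30-minute Analyst inactivity limits, drops a user's older session when a new one is opened, and rejects every token issued at or before a revoke-all call. Encryption of the token payload is omitted, the 30-minute default for roles the page does not list is an assumption, and the clock is passed in explicitly so the behaviour is testable.

```python
"""Session store modelling CyberVault's documented session rules (added example, not vendor code)."""
import base64
import hashlib
import hmac
import json
import secrets

# Inactivity limits from section 3.3; other roles default to 30 minutes (assumption).
INACTIVITY_LIMIT_MIN = {"super_admin": 15, "security_analyst": 30}
DEFAULT_INACTIVITY_MIN = 30
MAX_CONCURRENT_SESSIONS = 1


class SessionStore:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._sessions = {}        # session id -> {"user", "role", "issued", "last_seen"}
        self._revoked_at = {}      # user id -> time of the last revoke-all

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue(self, user_id, role, now):
        """Create a session and return a signed token (payload.signature)."""
        # Concurrent-session limit: keep only the newest MAX_CONCURRENT_SESSIONS - 1.
        existing = sorted((s["issued"], sid) for sid, s in self._sessions.items()
                          if s["user"] == user_id)
        for _, sid in existing[:max(0, len(existing) - (MAX_CONCURRENT_SESSIONS - 1))]:
            del self._sessions[sid]
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user_id, "role": role, "issued": now, "last_seen": now}
        payload = json.dumps({"sid": sid, "sub": user_id, "iat": now},
                             separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + self._sign(payload)

    def validate(self, token, now):
        """Return the user id for a live token, or None; touches last_seen on success."""
        try:
            b64, sig = token.split(".")
            payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        except ValueError:
            return None
        if not hmac.compare_digest(self._sign(payload), sig):
            return None                                   # forged or altered token
        claims = json.loads(payload)
        if claims["iat"] <= self._revoked_at.get(claims["sub"], -1):
            return None                                   # issued before a revoke-all
        session = self._sessions.get(claims["sid"])
        if session is None:
            return None                                   # revoked or displaced
        limit = INACTIVITY_LIMIT_MIN.get(session["role"], DEFAULT_INACTIVITY_MIN) * 60
        if now - session["last_seen"] > limit:
            del self._sessions[claims["sid"]]             # inactivity timeout
            return None
        session["last_seen"] = now
        return claims["sub"]

    def revoke_all(self, user_id, now):
        """Mirror POST /v1/users/:id/sessions/revoke-all; returns sessions dropped."""
        self._revoked_at[user_id] = now
        victims = [sid for sid, s in self._sessions.items() if s["user"] == user_id]
        for sid in victims:
            del self._sessions[sid]
        return len(victims)


if __name__ == "__main__":
    store = SessionStore(secrets.token_bytes(32))
    token = store.issue("usr_example", "super_admin", now=0)
    print(store.validate(token, now=14 * 60))   # still valid at 14 minutes
    print(store.validate(token, now=31 * 60))   # None: 17 minutes idle since last use
```

The revocation timestamp is kept alongside the session table on purpose: even if a session record were restored from a replica, a token minted before the revoke-all still fails the `iat` check.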

3.4 Audit Logging

Every action performed on the CyberVault platform is immutably logged. Audit logs include user identity, IP address, user-agent, timestamp, and detailed action metadata.

Log Retention

Audit logs are retained for 7 years in cold storage to meet compliance requirements.

Tamper Proofing

Logs are hashed in a Merkle tree structure to detect and prevent unauthorized modifications.

Querying Logs

Use the Audit API to query logs for security investigations or compliance reporting.

{
  "action": "user.login",
  "user_id": "usr_8f3k29d",
  "metadata": {
    "ip": "203.0.113.45",
    "status": "success",
    "mfa_method": "webauthn",
    "device_trusted": true
  },
  "timestamp": "2025-10-24T14:32:01Z"
}
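Sections 3.4 "Tamper Proofing" and "Querying Logs" fit naturally into one worked example: hash each audit entry as a Merkle leaf, publish the root, prove that a given entry is included, and show that editing any field changes the root, then filter the same entries the way an investigation would. The code below is an added example and not CyberVault's storage or Audit API implementation; the leaf/node domain separation bytes, the proof format and all entries other than the one shown above are constructed for illustration.

```python
"""Merkle-tree tamper detection and simple queries over audit entries (added example, not vendor code)."""
import hashlib
import json

# Constructed sample log; the first entry is the one shown in the documentation,
# the other ids and addresses are placeholders.
SAMPLE_LOGS = [
    {"action": "user.login", "user_id": "usr_8f3k29d",
     "metadata": {"ip": "203.0.113.45", "status": "success", "mfa_method": "webauthn", "device_trusted": True},
     "timestamp": "2025-10-24T14:32:01Z"},
    {"action": "user.login", "user_id": "usr_c0ffee1",
     "metadata": {"ip": "198.51.100.7", "status": "success", "mfa_method": None, "device_trusted": False},
     "timestamp": "2025-10-24T14:35:10Z"},
    {"action": "user.login", "user_id": "usr_8f3k29d",
     "metadata": {"ip": "198.51.100.7", "status": "failure", "mfa_method": "totp", "device_trusted": False},
     "timestamp": "2025-10-24T14:40:55Z"},
    {"action": "role.assign", "user_id": "usr_admin01",
     "metadata": {"ip": "203.0.113.9", "status": "success", "target_user": "usr_c0ffee1", "role": "super_admin"},
     "timestamp": "2025-10-24T15:02:13Z"},
]


def canonical(entry):
    """Deterministic serialisation so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(entry):
    return hashlib.sha256(b"\x00" + canonical(entry)).digest()   # 0x00 = leaf (assumed convention)


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()        # 0x01 = interior node


def _next_level(level):
    if len(level) % 2:
        level = level + [level[-1]]       # duplicate last hash on odd levels
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = list(leaves)
    if not level:
        return hashlib.sha256(b"").digest()
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_right) pairs."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        level, index = _next_level(level), index // 2
    return proof


def verify_proof(leaf, proof, root):
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def query(entries, action=None, user_id=None, **metadata):
    """Filter entries by action, user and any metadata key/value pairs."""
    return [e for e in entries
            if (action is None or e["action"] == action)
            and (user_id is None or e["user_id"] == user_id)
            and all(e["metadata"].get(k) == v for k, v in metadata.items())]


def logins_without_mfa(entries):
    """Successful logins where no MFA method was recorded: a policy gap to investigate."""
    return [e for e in query(entries, action="user.login", status="success")
            if not e["metadata"].get("mfa_method")]


if __name__ == "__main__":
    leaves = [leaf_hash(e) for e in SAMPLE_LOGS]
    root = merkle_root(leaves)
    print("root:", root.hex())
    print("entry 0 included:", verify_proof(leaves[0], inclusion_proof(leaves, 0), root))
    print("logins without MFA:", [e["user_id"] for e in logins_without_mfa(SAMPLE_LOGS)])
```

Storing the root outside the log system (for example in a separate signed record) is what turns the hash structure into tamper evidence: an attacker who can rewrite entries and recompute the tree still cannot make the new root match the published one.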