Access Controls

This page describes how access to NTWIST products is authenticated, authorized, and audited, both for customer users and for NTWIST personnel operating on customer environments.

Customer user access

Authentication

  • NTWIST products integrate with the customer's identity provider via SAML 2.0 or OpenID Connect.
  • Local accounts are supported only as a fallback for break-glass scenarios; their use is logged.
  • Multi-factor authentication is enforced at the identity provider; NTWIST products honor that enforcement.

Authorization

  • NTWIST uses role-based access control (RBAC) with role definitions configured during deployment.
  • Typical role tiers: operator, supervisor, engineer, administrator, viewer.
  • Per-product and per-resource permissions are configurable, so an engineer working on one product or area does not gain access to others by default.

Session and audit

  • Session lifetime is configured at the identity provider and respected by NTWIST products.
  • Authentication and authorization events are written to the audit log.
  • Failed authentication attempts produce alertable events.

NTWIST personnel access

NTWIST customer success engineering may need direct access to a customer deployment to support, configure, or troubleshoot the system. Access is mediated by the following controls:

| Control | Description |
| --- | --- |
| Zero-trust gateway | All NTWIST access to customer environments is brokered through a zero-trust access gateway. Direct VPN is not used. |
| Multi-factor authentication | MFA is enforced on the zero-trust gateway for every NTWIST user. |
| Just-in-time access | Where the customer has chosen JIT access, NTWIST users request access per session, with the request and approval logged. |
| Audit log | All NTWIST access events, including session start, commands executed, and session end, are logged and made available to the customer. |
| Least privilege | NTWIST personnel access is scoped to the role and resources needed for the specific support engagement. |
| Background verification | All NTWIST personnel with customer access have completed background verification. |
| Annual security training | All NTWIST personnel complete annual security awareness training, including secure customer engagement practices. |

Provisioning and deprovisioning

  • Provisioning is initiated through the NTWIST customer success channel and approved by the customer's identity administrator.
  • Departing NTWIST personnel are deprovisioned across the zero-trust gateway and all customer-facing tools on the same business day as separation.
  • Customer-side users are provisioned and deprovisioned through the customer's identity provider; NTWIST products inherit those decisions.

Periodic access review

NTWIST conducts quarterly internal access reviews across its corporate systems and customer-facing tools. Findings are tracked to remediation. Customers conducting their own periodic access reviews can request the NTWIST personnel access log for inclusion in their review.

Reporting an access concern

If a customer believes an access event is anomalous, they should engage NTWIST through the Incident Reporting channel. NTWIST acknowledges access concerns within one business day.