Fortress reimagines authorization by strictly separating Identity, Tenancy, and Authorization into distinct logical layers.
Permissions are never assigned to users. Every Principal receives a singleton group, ensuring all grants flow through a uniform Group-based evaluation engine.
Explicit denials always override allows at the same or higher specificity. This fail-secure approach is critical for regulatory compliance.
Resources are addressed via canonical paths (e.g., /org/acme/ns_main/api), allowing for intuitive inheritance and global wildcard policies.
Realms act as identity boundaries for different populations. A Principal belongs to exactly one Realm but can hold multiple credentials (SSO, Password, API Keys).
Realms separate populations (Employees vs. Customers), while Credentials define how they prove who they are.
| Realm Feature | Function | Typical Metadata |
|---|---|---|
| Federation | OIDC/SAML mapping. | idp_url, attribute_mapping. |
| Security | Environment restrictions. | ip_allowlist, geo_restrictions. |
| Lifecycle | Account maintenance. | auto_suspend_days, annual_review. |
The Tenancy layer manages resource boundaries across Organizations and Namespaces.
The primary tenant unit for business or legal separation.
Logical subdivisions within an Org. Every Org is provisioned with ns_main by default.