Product Specifications

The complete technical manifest of the Fortress Access Control Engine.

👤

Identity & Realms

  • Identity Boundaries: Dedicated Realms for Internal, Partner, and Customer populations.
  • Federation Engine: Native support for OIDC, SAML, and OAuth providers (Okta, Google, GitHub).
  • Multi-Credential Principals: Single identities supporting Passwords, SSO, and API Keys simultaneously.
  • Verified XIDs: Multi-identifier tracking (Email, Phone, Username) with verification lifecycle.
  • Realm-Level Policies: Independent MFA requirements, password strength, and registration flows per Realm.
🔑

Zero-Trust Sessions

  • Session Diversity: Native tracking for Web, Mobile, CLI, and long-lived API sessions.
  • Device Fingerprinting: Metadata tracking for OS version, browser engine, and trusted status.
  • Geo-Intelligence: IP-based city/country tracking with VPN detection and risk scoring.
  • Dual Expiration: Independent idle-timeout and absolute-timeout enforcement.
  • Security Context: Real-time tracking of auth_strength and MFA completion status.
🛡️

Granular Authorization

  • Action Code Syntax: Standardized character actions (r, w, d, x, s, a, n, q, l, *).
  • Path-Based Tags: Hierarchical resource addressing with terminal and segment wildcards.
  • Grants-First Engine: All permissions flow through Groups, eliminating individual user logic.
  • DENY Overrides: Explicit DENY effect that overrides ALLOW at the same or higher specificity.
  • Resource Constraints: IP-range, time-of-day, and day-of-week conditional access.
🌐

Tenancy & Routing

  • Logical Isolation: Infinite Organization support with hard data/logic boundaries.
  • Namespace Depth: Sub-tenant divisions (ns_main) for environment and regional isolation.
  • Domain Mapping: Map Host/Paths to specific Orgs, Realms, and branding configurations.
  • Data Residency: Region-specific routing for GDPR and other compliance frameworks.
  • Dynamic Branding: Domain-level logo, color, and support email customization.
📋

Compliance & Governance

  • Immutable Audit: Full-trace logging of authentication, resource access, and grant changes.
  • Separation of Duties: Mutually exclusive role detection to prevent privilege conflicts.
  • Review Lifecycle: Scheduled access reviews with mandatory reviewed_by and risk flags.
  • Delegation Control: Controlled permission delegation with depth limits and expiration.
  • Regulatory Mapping: Native constructs for SOC 2, ISO 27001, HIPAA, and GDPR.
⚙️

Operational Tooling

  • API-First Design: 100% of functionality exposed via RESTful endpoints.
  • Idempotent Provisioning: Atomic "upsert" patterns for safe infrastructure-as-code deployments.
  • Context Injection: Security context required for every service-layer transaction.
  • Global Admin Flow: Dedicated "Crown" bootstrap for system-wide root administration.
  • Scalable Storage: PostgreSQL and CockroachDB compatibility for global deployments.