system.owner
platform
Owns installer, licensing, updates, security, and tenant recovery.
Access Console
Auth bootstrap and RBAC policy
Review first-admin requirements, root roles, MFA posture, API token constraints, and Phase 1 permission coverage.
RBAC-ready
security.admin
tenant
Manages audit, security events, token policy, and recovery controls.
tenant.owner
tenant
Manages company users, roles, branches, and tenant settings.
Access Policies
MFA for system owner
RequiredMFA for recovery
RequiredAPI tokens
HashedToken expiry
90 day defaultPhase 1 Permissions
installer.manage
license.manage
updates.manage
security.view
security.manage
security.audit.export
identity.manage
tenants.manage
users.manage
roles.manage
api_tokens.manage