Overview
The walt.id Enterprise Stack provides fine-grained access control using Role-Based Access Control (RBAC) with optional integration into external Identity and Access Management (IAM) systems.
This model clearly separates:
- Authentication: Who a caller is
- Authorization: What a caller is allowed to do
Authentication Methods
Authentication can be performed using:
| Method | Use Case |
|---|---|
| Local Accounts | Email/password authentication for users |
| API Keys | Machine-to-machine authentication |
| External IAM (OIDC) | Integration with enterprise identity providers |
Authorization Model
Authorization is enforced by the Enterprise Stack using RBAC.
- Request arrives with authentication token
- Resolve identity (account, API key, or OIDC user)
- Load assigned roles and their permissions
- Check allow rules: Does user have required permission?
Two-Layer Enforcement
The Enterprise Stack enforces permissions at two layers:
- Route-Level Authorization: Each API endpoint requires specific permissions. Requests without the required permission receive
403 Forbidden. - Persistence-Level Authorization: Database operations are filtered based on user permissions, ensuring users can only access resources they're authorized to see.
This dual-layer approach provides defense in depth, ensuring comprehensive security.
Resource Hierarchy
Resources in the Enterprise Stack follow a hierarchical structure:
Organization
│
├── Tenant A
│ ├── Issuer Service
│ ├── Verifier Service
│ └── KMS Service
│
└── Tenant B
└── Wallet Service
Permissions propagate top-down:
- A permission granted at the organization level applies to all tenants and services
- A permission granted at the tenant level applies to all services within that tenant
Security Best Practices
For production deployments:
| Practice | Description |
|---|---|
| Use External IAM | Integrate with your enterprise identity provider (OIDC) for workforce authentication |
| Least Privilege | Grant only the permissions necessary for each role |
| Narrow Scopes | Assign permissions at the narrowest scope needed |
| Rotate API Keys | Establish regular rotation schedules for API keys |
| Short-Lived Tokens | Use short-lived access tokens where possible |
| Avoid Super Admin | Use Super Admin only for initial setup, not for day-to-day operations |
| Monitor Audit Logs | Review logs for privileged operations and anomalies |
| Use Deny Rules | Apply deny rules to create exceptions for sensitive operations |
Learn More
Core Concepts
- RBAC Model - Understand roles, permissions, and evaluation logic
- Permissions - Complete reference of all available permissions
Managing Access
- Roles - Create and manage role definitions
- Accounts - Manage local user accounts
- API Keys - Create keys for machine-to-machine access
- Super Admin - Unrestricted administrative access
Integration
- IAM Integration - Connect to external identity providers via OIDC
- External Role Mapping - Automatically assign permissions based on IdP roles
- Permissions - Discover available permissions and their scope
- Roles - Define and manage user roles and their permission sets
- Accounts - Manage local user accounts and authentication
- API Keys - Create and manage API keys for machine-to-machine access
- Super Admin - Grant unrestricted administrative access with caution
Last updated on May 7, 2026