Sovereign Platform is in pre-launch alpha.
Not yet available to purchase. Sign up for our mailing list for upcoming launch dates.
Loading documentation, please wait.
Sovereign Platform is in pre-launch alpha.
Not yet available to purchase. Sign up for our mailing list for upcoming launch dates.
This page covers the platform's current access control model, the advanced authorization system coming in beta, and the advanced authentication modes on the roadmap.
The platform supports role-based access control (RBAC):
Deployments with audit capabilities enabled include comprehensive audit logging for compliance and investigation:
Audit logs are stored with configurable retention and can be exported to external log aggregation systems.
License Required
Audit logging requires a license with audit capabilities enabled. Without this feature, audit events are silently discarded. See Licensing for details.
[Roadmap]Beyond the OIDC, Local, and Bypass modes shipping today, the federation roadmap targets the authentication patterns required by classified, air-gapped, and high-side deployments.
SAML federation [Roadmap] — assertion-based federation with on-premises identity providers (ADFS, Keycloak, Shibboleth). Unlike OIDC, SAML does not require Internet-reachable discovery endpoints, making it the viable federation choice for air-gapped facilities. Metadata exchange can be performed manually.
LDAP and Active Directory [Roadmap] — direct directory binding for organizations that authenticate against on-premises AD/LDAP. Supports bridge configurations where AD fronts SAML for downstream federation.
PIV / CAC smartcard authentication [Roadmap] — X.509 client-certificate authentication for U.S. federal civilian (PIV) and DoD (CAC) environments. Certificate identity is extracted at TLS termination on the reverse proxy and mapped to platform users; OCSP/CRL revocation checking is enforced per session.
Together, these modes form the federation stack typically used in environments that cannot reach the public Internet for OIDC discovery and require strong-factor user-presence verification.
[v1]The next major release introduces a multi-layer authorization system designed to meet the needs of defense, aerospace, and highly regulated industries.
Relationship-Based Access Control — Permissions are modeled as relationships between users, groups, and resources. A user's access to a workflow, document, or work item is determined by their position in the organizational hierarchy (organization → workspace → project → resource). Group memberships cascade permissions naturally, and changes propagate instantly.
Contextual Policies — After relationship-based access is confirmed, the system evaluates contextual conditions: network restrictions, time-of-day windows, and device posture. These policies run in-process with sub-millisecond overhead.
Classification Labels (Defense Tier) — An optional layer for deployments that handle classified information. Resources — including individual document blocks — can carry classification labels. The system enforces a strict "no read up, no write down" model with compartment-based lateral segmentation.
Designed for Regulated Deployments
The classification layer is designed to support deployments that handle CUI per NIST 800-171, with TS/SCI compartment models and dissemination-control markings (NOFORN, ORCON, REL TO) on the roadmap. Administrators choose which classification levels to enable for their tenant — commercial deployments never see the layer. The access-control architecture is designed to align with NIST 800-53 controls AC-3, AC-4, AC-6, and AC-16.
In Orbit's collaborative documents, classification labels can be applied to individual content blocks. When a user opens a document, the system evaluates their clearance against each block's classification in real time. Blocks above the user's clearance are redacted from the sync frame — they never reach the client. This enables a single document to serve readers at multiple clearance levels without maintaining separate copies.
For organizations with hundreds or thousands of users, the authorization system integrates with your identity provider through SCIM provisioning. Group memberships from your IdP automatically map to platform permissions, ensuring zero drift between your directory and the application's access model.
Most commercial deployments will never need classification labels or SCIM provisioning. The relationship-based access control and contextual policies provide robust authorization for standard enterprise use cases. The defense tier is an optional layer that activates only when configured — it adds zero overhead to deployments that do not use it.