NEMORIONDocsThis page covers the platform's current access control model, the advanced authorization system coming in beta, and the advanced authentication modes on the roadmap.
The platform supports role-based access control (RBAC):
Deployments with audit capabilities enabled include comprehensive audit logging for compliance and investigation:
Audit logs are stored with configurable retention and can be exported to external log aggregation systems.
Audit logging requires a license with audit capabilities enabled. Without this feature, audit events are silently discarded. See Licensing for details.
For the platform-level tamper-evident audit chain — its architecture, the HIPAA Security Rule mapping, and the current coverage gaps — see the Trust Center HIPAA documentation.
[v1]Beyond the OIDC, Local, and Bypass modes shipping today, the federation stack shipping with v1 targets the authentication patterns required by classified, air-gapped, and high-side deployments.
SAML federation [v1] — assertion-based federation with on-premises identity providers (ADFS, Keycloak, Shibboleth). Unlike OIDC, SAML does not require Internet-reachable discovery endpoints, making it the viable federation choice for air-gapped facilities. Metadata exchange can be performed manually.
LDAP and Active Directory [v1] — direct directory binding for organizations that authenticate against on-premises AD/LDAP. Supports bridge configurations where AD fronts SAML for downstream federation.
PIV / CAC smartcard authentication [v1] — X.509 client-certificate authentication for U.S. federal civilian (PIV) and DoD (CAC) environments. Certificate identity is extracted at TLS termination on the reverse proxy and mapped to platform users; OCSP/CRL revocation checking is enforced per session.
Together, these modes form the federation stack typically used in environments that cannot reach the public Internet for OIDC discovery and require strong-factor user-presence verification.
[Roadmap]A multi-layer authorization system is on the roadmap for deployments that handle classified, defense, aerospace, and highly regulated workloads. The capability set described below is in design; commitment to a release version will follow evidence of customer demand for those specific controls.
Relationship-Based Access Control — Permissions are modeled as relationships between users, groups, and resources. A user's access to a workflow, document, or work item is determined by their position in the organizational hierarchy (organization → workspace → project → resource). Group memberships cascade permissions naturally, and changes propagate instantly.
Contextual Policies — After relationship-based access is confirmed, the system evaluates contextual conditions: network restrictions, time-of-day windows, and device posture. These policies run in-process with sub-millisecond overhead.
Classification Labels (Defense Tier) — An optional layer for deployments that handle classified information. Resources — including individual document blocks — can carry classification labels. The system enforces a strict "no read up, no write down" model with compartment-based lateral segmentation.
The classification layer is designed to support deployments that handle CUI per NIST 800-171, with TS/SCI compartment models and dissemination-control markings (NOFORN, ORCON, REL TO) on the roadmap. Administrators choose which classification levels to enable for their tenant — commercial deployments never see the layer. The access-control architecture is designed to align with NIST 800-53 controls AC-3, AC-4, AC-6, and AC-16.
In Orbit's collaborative documents, classification labels can be applied to individual content blocks. When a user opens a document, the system evaluates their clearance against each block's classification in real time. Blocks above the user's clearance are redacted from the sync frame — they never reach the client. This enables a single document to serve readers at multiple clearance levels without maintaining separate copies.
For organizations with hundreds or thousands of users, the authorization system integrates with your identity provider through SCIM provisioning. Group memberships from your IdP automatically map to platform permissions, ensuring zero drift between your directory and the application's access model.
Most commercial deployments will never need classification labels or SCIM provisioning. The relationship-based access control and contextual policies provide robust authorization for standard enterprise use cases. The defense tier is an optional layer that activates only when configured — it adds zero overhead to deployments that do not use it.