Security & Compliance

Role-Based Access Control

How Zelosify enforces least-privilege access through its role-based permission system.

RBAC Principles in Zelosify

  1. Least Privilege: Users get only the minimum access needed for their role
  2. Separation of Duties: Critical actions require multiple roles (e.g., contract creation vs. financial approval)
  3. Deny by Default: If no explicit permission grants access, access is denied
  4. Tenant Boundary: Users can never access data from other organizations, regardless of role
  5. Server-Side Role Binding: Roles are assigned to the user account, carried in the signed JWT and enforced on every API call; a client cannot grant itself a role by editing a request

How RBAC is Enforced

Request → JWT Verification → Role Extraction → Permission Check → 
Data Filtering (tenant_id) → Response (only permitted data)
  • Authentication layer (Keycloak): Verifies identity and issues JWT with role claims
  • Authorization middleware: Checks role against route-level requirements
  • Data layer: Every query is filtered by the tenant_id taken from the verified token, so a request cannot read another tenant's rows even with a valid role
  • API response: Sensitive fields masked/removed based on role

Permission Inheritance

  • Admin inherits all permissions from all other roles
  • Vendor Manager inherits Business User permissions
  • No lateral permission sharing between roles

Custom Roles (Enterprise Only)

Enterprise plans can define custom roles with granular permissions:

  • Select specific capabilities from a permission matrix
  • Assign custom roles to users
  • Useful for: read-only auditors, limited contractors, department-scoped managers
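The enforcement chain, the inheritance rules and an Enterprise custom role together, as an added Python example that is not Zelosify's code. It mints and verifies a JWT shaped like a Keycloak token (realm roles under realm_access.roles is Keycloak's convention; the tenant_id claim, the capability names, the route table and the sample contracts are constructed here), resolves inherited permissions, denies any route without an explicit grant, filters rows by tenant_id and strips fields the caller's role may not see. HS256 with a shared secret stands in for the RS256 realm-key verification a real Keycloak deployment would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: HS256 shared secret instead of Keycloak's RS256 realm key (offline illustration).
SECRET = b"example-shared-secret-not-for-production"

# Constructed permission matrix; capability and role names are hypothetical.
ROLE_PERMISSIONS = {
    "business_user": {"contract:read", "contract:create"},
    "vendor_manager": {"vendor:manage"},
    "finance_approver": {"contract:approve"},   # separation of duties: approval is a separate role
    "admin": {"user:manage"},
}
# Inheritance: admin inherits every role, vendor_manager inherits business_user, nothing else.
ROLE_PARENTS = {
    "vendor_manager": ["business_user"],
    "admin": ["business_user", "vendor_manager", "finance_approver"],
}
# Enterprise custom role: capabilities picked from the matrix, no inheritance.
CUSTOM_ROLES = {"auditor": {"contract:read"}}

# Route-level requirements; a route absent from this table is denied (deny by default).
ROUTES = {("GET", "/contracts"): "contract:read", ("POST", "/contracts/approve"): "contract:approve"}
# Response fields that are removed unless the caller holds the named capability.
MASKED_FIELDS = {"total_value": "contract:approve"}

CONTRACTS = [  # constructed sample rows spanning two tenants
    {"id": 1, "tenant_id": "acme", "title": "Cloud hosting", "total_value": 120000},
    {"id": 2, "tenant_id": "acme", "title": "Payroll SaaS", "total_value": 45000},
    {"id": 3, "tenant_id": "globex", "title": "Logistics", "total_value": 800000},
]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub, tenant_id, roles, ttl=300):
    """Mint a token with realm roles under realm_access.roles, as Keycloak does."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "tenant_id": tenant_id,
                                 "realm_access": {"roles": list(roles)},
                                 "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token):
    """Return the claims only if alg is HS256, the signature matches and exp is in the future."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None                                   # rejects alg=none and key confusion
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
            return None
        return claims
    except ValueError:                                    # bad base64, bad JSON, wrong segment count
        return None


def effective_permissions(roles):
    """Union of the roles' own capabilities plus everything reachable through ROLE_PARENTS."""
    perms, seen, stack = set(), set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        perms |= ROLE_PERMISSIONS.get(role, set()) | CUSTOM_ROLES.get(role, set())
        stack.extend(ROLE_PARENTS.get(role, []))
    return perms


def handle_request(token, method, path):
    """Request -> JWT verification -> role extraction -> permission check -> tenant filter -> masked response."""
    claims = verify_token(token)
    if claims is None or not claims.get("tenant_id"):
        return {"status": 401, "data": None}
    perms = effective_permissions(claims.get("realm_access", {}).get("roles", []))
    required = ROUTES.get((method, path))
    if required is None or required not in perms:
        return {"status": 403, "data": None}              # deny by default
    rows = [c for c in CONTRACTS if c["tenant_id"] == claims["tenant_id"]]
    visible = [{k: v for k, v in row.items() if k not in MASKED_FIELDS or MASKED_FIELDS[k] in perms}
               for row in rows]
    return {"status": 200, "data": visible}
```

The tenant filter uses the tenant_id from the verified claims, never from a query parameter, and the field mask is applied after the row filter so a role without approval rights sees the contract but not its value. The custom auditor role reaches the same pipeline with no special casing because it is just another entry in the capability lookup.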