IAM & RBAC Monitoring Platform
Continuous identity monitoring, MFA enforcement, RBAC drift detection, and login anomaly alerts — across every tenant in your security platform.
Identity & Access Management (IAM) and RBAC Monitoring
Threatstealth IAM provides continuous identity monitoring, MFA enforcement, and RBAC drift detection across every organization in your multi-tenant environment — with real-time login anomaly alerting.
- RBAC drift detection — alert when role assignments deviate from approved baselines
- MFA enforcement — enforce multi-factor authentication for all users with policy-based exemption management
- Login anomaly detection — impossible travel, new device, off-hours access, and brute-force signals
- Access review automation — periodic reviewer workflows with evidence export for SOC 2 and ISO 27001
- Conditional access — deny or step-up access based on device compliance, location, and risk score
- Privileged access monitoring — track and alert on administrative actions across all tenants
RBAC Architecture: How Role-Based Access Control Is Modelled
The Threatstealth IAM module implements a hierarchical RBAC model where permissions are assigned to roles and roles are assigned to users — never direct permission-to-user assignments that bypass the role hierarchy. Roles are scoped to organisations in multi-tenant deployments, ensuring that a role assignment in one tenant cannot grant access to another tenant's resources. The super-admin role provides cross-tenant access with full audit logging of every cross-tenant action. Role definitions are versioned, allowing administrators to track role permission changes over time and review what permissions each role carried at any point in the past for compliance investigations.
- Hierarchical role model — permissions assigned to roles, roles assigned to users, no direct permission assignments
- Tenant-scoped roles — roles are scoped to organisations, enforcing isolation in multi-tenant deployments
- Role versioning — full history of role permission changes with timestamps and admin attribution
- Least-privilege enforcement — role templates designed around minimal permission sets for each job function
- Custom role creation — administrators can define custom roles for job functions not covered by default templates
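The model described above (permissions only via roles, roles scoped to a tenant, versioned role definitions, and drift against an approved baseline) can be sketched in a few dozen lines. The following is an added example written for this page, not Threatstealth's own code; the tenants, users, roles and permission strings are constructed sample data, and the RoleRegistry/Authorizer names are this example's own.

```python
"""Added example (not Threatstealth's code): tenant-scoped RBAC with versioned
role definitions and drift detection against an approved assignment baseline.
All tenant, user, role and permission names are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RoleVersion:
    version: int
    permissions: frozenset
    changed_by: str       # admin attribution for the change
    changed_at: datetime


class RoleRegistry:
    """Role definitions keyed by (tenant, role); each permission change appends a version."""

    def __init__(self):
        self._history = {}

    def define(self, tenant, role, permissions, admin, when):
        versions = self._history.setdefault((tenant, role), [])
        versions.append(RoleVersion(len(versions) + 1, frozenset(permissions), admin, when))

    def permissions(self, tenant, role, at=None):
        """Effective permissions now, or as they stood at `at` (ISO string or datetime)."""
        if isinstance(at, str):
            at = datetime.fromisoformat(at)
        versions = self._history.get((tenant, role), [])
        if at is not None:
            versions = [v for v in versions if v.changed_at <= at]
        return versions[-1].permissions if versions else frozenset()


class Authorizer:
    def __init__(self, registry):
        self.registry = registry
        self.assignments = {}  # (tenant, user) -> set of role names

    def assign(self, tenant, user, role):
        self.assignments.setdefault((tenant, user), set()).add(role)

    def is_allowed(self, tenant, user, permission):
        """Permissions flow only through roles, resolved in the caller's own tenant."""
        roles = self.assignments.get((tenant, user), set())
        return any(permission in self.registry.permissions(tenant, r) for r in roles)

    def drift(self, baseline):
        """Diff live assignments against an approved baseline {(tenant, user): set(roles)}."""
        findings = {}
        for key in set(baseline) | set(self.assignments):
            approved, actual = baseline.get(key, set()), self.assignments.get(key, set())
            if actual != approved:
                findings[key] = {"added": actual - approved, "removed": approved - actual}
        return findings


def build_demo():
    """Constructed tenants, roles and users (sample data, not real)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    reg = RoleRegistry()
    reg.define("acme", "analyst", {"alerts:read"}, "admin@acme", t0)                      # v1
    reg.define("acme", "analyst", {"alerts:read", "alerts:close"}, "admin@acme", t1)      # v2
    reg.define("globex", "analyst", {"alerts:read", "alerts:delete"}, "admin@globex", t0)
    auth = Authorizer(reg)
    auth.assign("acme", "alice", "analyst")
    auth.assign("acme", "mallory", "analyst")  # not in the approved baseline used below
    return reg, auth


if __name__ == "__main__":
    reg, auth = build_demo()
    print(auth.is_allowed("acme", "alice", "alerts:close"))    # True, via v2 of acme/analyst
    print(auth.is_allowed("globex", "alice", "alerts:read"))   # False, alice holds no globex role
    print(reg.permissions("acme", "analyst", at="2024-02-01T00:00:00+00:00"))  # v1 only
    print(auth.drift({("acme", "alice"): {"analyst"}}))        # mallory's assignment is drift
```

The same role name exists in both tenants with different permissions, and the lookup key always includes the caller's tenant, which is what stops a role in one organisation from granting anything in another. The point-in-time lookup is what a compliance investigation needs when asking what a role actually carried on a given date.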
MFA Enforcement and Authentication Security Policies
Multi-factor authentication enforcement in Threatstealth IAM operates at the policy level — administrators define MFA requirements for different user groups, authentication contexts, and resource access levels. Policy enforcement is strict: exemptions require explicit policy override with documented justification, and the platform provides continuous monitoring of MFA enrollment status across the user population. The platform supports time-based one-time password (TOTP), hardware security key (WebAuthn/FIDO2), push notification MFA, and backup codes. Step-up authentication can be triggered by conditional access policies for high-risk operations like privilege escalation, bulk data export, or access from unrecognised locations.
- Policy-based MFA enforcement — group-level MFA requirements with exemption workflow and justification requirement
- TOTP support — authenticator app compatibility with Google Authenticator, Authy, and any TOTP-compatible app
- WebAuthn/FIDO2 support — hardware security key and passkey authentication for phishing-resistant MFA
- Push notification MFA — mobile app approval-based MFA for users preferring push over TOTP
- Step-up authentication — additional MFA challenge triggered for high-risk operations via conditional access rules
Login Anomaly Detection and Identity Threat Signals
Threatstealth IAM continuously analyses login events against behavioural baselines to detect anomalous authentication patterns that may indicate compromised credentials or session hijacking. Detection signals include impossible travel (two authentication events from geographically separated locations within a timeframe that would be physically impossible), new device authentication (first login from a device not previously seen for this user), off-hours access patterns for accounts with defined working hour baselines, and brute-force attack patterns against user accounts. All anomaly signals generate alerts routed to the security operations queue and can trigger automated responses including account lockout, MFA step-up, and session termination.
- Impossible travel detection — simultaneous or near-simultaneous authentications from locations that cannot be physically reconciled
- New device alerting — notification and optional step-up authentication for first authentication from an unrecognised device
- Off-hours access monitoring — alerts when accounts authenticate outside their established working hour patterns
- Brute-force detection — multiple failed authentication attempts triggering account lockout and analyst notification
- Session anomaly detection — location and device changes within an active session indicating potential session hijacking
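The four signals above (impossible travel, new device, off-hours access, brute force) can be evaluated from a stream of login events with very little state per user. The following is an added example for this page, not Threatstealth's detection code; the LoginAnomalyDetector class, its thresholds (1000 km/h, 5 failures in 5 minutes, an 8-to-18 working-hour baseline) and the login events are all constructed for illustration.

```python
"""Added example (not Threatstealth's code): login anomaly signals over a stream of
events. Thresholds and the sample login stream are constructed for illustration."""
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    user: str
    at: datetime          # naive UTC timestamps, for brevity
    device_id: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class LoginAnomalyDetector:
    def __init__(self, known_devices, working_hours, max_speed_kmh=1000.0,
                 failure_threshold=5, failure_window=timedelta(minutes=5)):
        self.known_devices = {u: set(d) for u, d in known_devices.items()}
        self.working_hours = working_hours          # user -> (start_hour, end_hour)
        self.max_speed_kmh = max_speed_kmh
        self.failure_threshold = failure_threshold
        self.failure_window = failure_window
        self.last_success = {}                      # user -> last successful LoginEvent
        self.failures = defaultdict(deque)          # user -> timestamps of recent failures

    def process(self, event):
        """Return the (signal, user) findings raised by one event; feed events in time order."""
        findings = []
        if not event.success:
            q = self.failures[event.user]
            q.append(event.at)
            while q and event.at - q[0] > self.failure_window:   # sliding window
                q.popleft()
            if len(q) >= self.failure_threshold:
                findings.append(("brute_force", event.user))
            return findings

        prev = self.last_success.get(event.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
            hours = (event.at - prev.at).total_seconds() / 3600
            # ignore short hops (geo-IP jitter); flag speeds no aircraft could reach
            if km > 50 and (hours <= 0 or km / hours > self.max_speed_kmh):
                findings.append(("impossible_travel", event.user))
        if event.device_id not in self.known_devices.setdefault(event.user, set()):
            findings.append(("new_device", event.user))
            self.known_devices[event.user].add(event.device_id)
        baseline = self.working_hours.get(event.user)
        if baseline and not (baseline[0] <= event.at.hour < baseline[1]):
            findings.append(("off_hours", event.user))
        self.last_success[event.user] = event
        return findings


def run_sample():
    """Constructed sample login stream (not real telemetry)."""
    t = datetime(2024, 5, 6, 9, 0)
    events = [
        LoginEvent("alice", t, "laptop-1", 51.5074, -0.1278, True),                          # London
        LoginEvent("alice", t + timedelta(minutes=30), "phone-9", 40.7128, -74.0060, True),  # New York
        LoginEvent("carol", datetime(2024, 5, 6, 3, 0), "laptop-3", 48.8566, 2.3522, True),  # 03:00
    ] + [LoginEvent("bob", t + timedelta(seconds=10 * i), "unknown", 0.0, 0.0, False)
         for i in range(5)]                                                                 # 5 failures
    det = LoginAnomalyDetector(known_devices={"alice": {"laptop-1"}, "carol": {"laptop-3"}},
                               working_hours={"alice": (8, 18), "carol": (8, 18)})
    out = []
    for e in sorted(events, key=lambda e: e.at):
        out.extend(det.process(e))
    return out


if __name__ == "__main__":
    for signal, user in run_sample():
        print(signal, user)   # off_hours carol, brute_force bob, impossible_travel alice, new_device alice
```

Alice's second login is roughly 5,570 km from the first within 30 minutes, so it trips both the impossible-travel and the new-device signal; in a platform these are the findings that would feed the automated responses the text lists (step-up, session termination, lockout). Note the detector only updates the device list on a successful login, so a failed attempt from an unknown device never "teaches" it a new device.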
Access Review Automation for SOC 2 and ISO 27001 Compliance
Quarterly access reviews are a mandatory control in SOC 2 (CC6.2, CC6.3), ISO 27001 (A.8.2), and PCI DSS (Requirement 7.2.4). Threatstealth IAM automates the access review workflow from end to end: generating review tasks for each designated reviewer on the configured schedule, presenting each reviewer with a structured list of access assignments to approve or revoke, recording each decision with timestamp and reviewer identity, escalating overdue reviews to the reviewer's manager, and generating a formatted evidence export aligned to each compliance framework's evidence requirements. This automation eliminates the engineering overhead of manual access review programmes.
- Automated reviewer tasking — quarterly review requests sent to designated reviewers with access lists pre-populated
- Approve/revoke interface — structured reviewer workflow with one-click approve or revoke per access assignment
- Overdue escalation — automatic escalation to manager when review tasks are not completed within defined SLA
- Evidence export — formatted evidence export aligned to SOC 2 CC6.2/CC6.3 and ISO 27001 A.8.2 requirements
- Termination access removal — automated deprovision workflow triggered when HR notifies of employee departure
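The review workflow described above (task generation per reviewer, approve/revoke decisions with timestamp and reviewer identity, overdue escalation to a manager, evidence export) maps to a small state machine. This is an added example for this page, not Threatstealth's implementation; the ReviewTask/generate_tasks/escalations/evidence_export names, the 14-day SLA, and the tenants, reviewers and assignments are constructed. The control identifiers in the export are the ones the text cites.

```python
"""Added example (not Threatstealth's code): quarterly access review tasks,
decisions, SLA escalation and evidence export. All sample data is constructed."""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Decision:
    action: str          # "approve" or "revoke"
    reviewer: str
    decided_on: date


@dataclass
class ReviewTask:
    reviewer: str
    manager: str
    due: date
    assignments: list    # (user, tenant, role) tuples pre-populated for the reviewer
    decisions: dict = field(default_factory=dict)   # assignment -> Decision

    def record(self, assignment, action, today):
        if action not in ("approve", "revoke"):
            raise ValueError(f"unknown action {action!r}")
        if assignment not in self.assignments:
            raise KeyError(assignment)
        self.decisions[assignment] = Decision(action, self.reviewer, today)

    def complete(self):
        return all(a in self.decisions for a in self.assignments)


def generate_tasks(assignments, owners, managers, period_start, sla_days=14):
    """One task per designated reviewer (tenant owner), due sla_days after the period opens."""
    by_reviewer = {}
    for a in assignments:
        by_reviewer.setdefault(owners[a[1]], []).append(a)   # a[1] is the tenant
    return [ReviewTask(r, managers[r], period_start + timedelta(days=sla_days), items)
            for r, items in by_reviewer.items()]


def escalations(tasks, today):
    """Incomplete tasks past their due date are escalated to the reviewer's manager."""
    return [(t.reviewer, t.manager) for t in tasks if today > t.due and not t.complete()]


def evidence_export(tasks, period):
    """Evidence record keyed to the controls the review satisfies; revocations feed deprovisioning."""
    decisions = [
        {"user": u, "tenant": t, "role": r, "action": d.action,
         "reviewer": d.reviewer, "decided_on": d.decided_on.isoformat()}
        for task in tasks for (u, t, r), d in task.decisions.items()
    ]
    return {
        "period": period,
        "controls": ["SOC2:CC6.2", "SOC2:CC6.3", "ISO27001:A.8.2"],
        "decisions": decisions,
        "revocations": [{k: d[k] for k in ("user", "tenant", "role")}
                        for d in decisions if d["action"] == "revoke"],
    }


def run_sample():
    """Constructed review cycle: one tenant completes on time, the other goes overdue."""
    assignments = [("alice", "acme", "analyst"), ("mallory", "acme", "admin"),
                   ("dave", "globex", "analyst")]
    owners = {"acme": "sec-lead@acme", "globex": "sec-lead@globex"}
    managers = {"sec-lead@acme": "ciso@acme", "sec-lead@globex": "ciso@globex"}
    tasks = generate_tasks(assignments, owners, managers, date(2024, 4, 1))
    acme = tasks[0]
    acme.record(("alice", "acme", "analyst"), "approve", date(2024, 4, 10))
    acme.record(("mallory", "acme", "admin"), "revoke", date(2024, 4, 10))
    today = date(2024, 4, 20)      # past the 14-day SLA; globex has not responded
    return tasks, escalations(tasks, today), evidence_export(tasks, "2024-Q2")


if __name__ == "__main__":
    tasks, esc, evidence = run_sample()
    print(esc)                                 # [('sec-lead@globex', 'ciso@globex')]
    print(json.dumps(evidence, indent=2))
```

Keeping the revocation list as a separate field in the export is deliberate: it is the hand-off to the deprovisioning workflow, and a reviewer's "revoke" decision that never reaches that workflow is the gap an auditor will look for first.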