Access control + SSO

Who can do what.

Five roles per org, designed to match how real security teams work. Invite teammates with a link. SAML / OIDC SSO on Enterprise. Owner cannot be demoted without an ownership transfer.

The five roles

Owner (20 of 16 permissions)

Full access. Manages billing, members, and every resource. Every org has at least one owner.

Developer (16 of 16 permissions)

Day-to-day product use. Sends events to the Audit Vault, calls the gateway, reads + edits policies, detectors, API keys. Cannot manage billing or members.

Security (13 of 16 permissions)

Read across everything plus the ability to toggle policies + detectors and call the gateway. For the team that owns posture but does not ship the code.

Audit (6 of 16 permissions)

Read + export receipts. Cannot ingest, cannot change policies, detectors, keys, or members. The seat you give external auditors -- and the role for read-only API keys feeding a SIEM.

Contractor (9 of 16 permissions)

Scoped dev access for outside consultants. Read everything, ingest events, call the gateway, create + revoke API keys. Cannot edit policies, detectors, or members.

Permission matrix

Permission                        Owner  Developer  Security  Audit  Contractor
See member list                   ✓      ✓          ✓         ✓      ✓
Invite teammates                  ✓      -          -         -      -
Change a member's role            ✓      -          -         -      -
Remove members                    ✓      -          -         -      -
Manage billing + plan             ✓      -          -         -      -
Read receipts                     ✓      ✓          ✓         ✓      ✓
Export receipts                   ✓      ✓          ✓         ✓      -
See policies                      ✓      ✓          ✓         ✓      ✓
Enable/disable built-in policies  ✓      ✓          ✓         -      -
Author + edit custom policies     ✓      ✓          ✓         -      -
Delete custom policies            ✓      ✓          ✓         -      -
See detectors                     ✓      ✓          ✓         ✓      ✓
Enable/disable detectors          ✓      ✓          ✓         -      -
See API keys                      ✓      ✓          ✓         -      ✓
Create API keys                   ✓      ✓          -         -      ✓
Revoke API keys                   ✓      ✓          -         -      ✓

Inviting teammates

From /dashboard/members, enter an email and pick a role. We mint a single-use invite link that expires in 14 days. Share the link out-of-band (Slack, email, whatever). There's no SMTP dependency.

When the invitee clicks the link they sign up or log in; on acceptance they're added as a member with the role from the invite. Revoke an invite from the dashboard to instantly invalidate the link.
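The invite lifecycle described above (mint a single-use link, 14-day expiry, out-of-band sharing, instant revocation) can be modelled as a small state machine. The following is an added illustration, not Prova's code: the in-memory InviteStore, the invite_id field and the accept/revoke names are assumptions made for the example. The one design point worth copying is that only a hash of the token is stored, so the invite table itself never contains a usable link.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Matches the behaviour described above: 14-day expiry, single use, revocable.
INVITE_TTL = timedelta(days=14)
ROLES = {"owner", "developer", "security", "audit", "contractor"}

# Fixed clock for the demo so the example is deterministic (constructed value).
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _digest(token: str) -> str:
    # Only a hash of the token is persisted, so a leaked invite table does
    # not yield working links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Invite:
    invite_id: str          # shown in the dashboard, used for revocation (assumed field)
    token_hash: str
    email: str
    role: str
    expires_at: datetime
    used: bool = False
    revoked: bool = False


@dataclass
class InviteStore:
    """Hypothetical in-memory store; a real deployment would back this with a database."""
    by_hash: dict = field(default_factory=dict)
    by_id: dict = field(default_factory=dict)

    def mint(self, email: str, role: str, now: datetime) -> tuple:
        """Create a single-use invite. Returns (invite_id, token); the token is
        returned exactly once and is meant to be shared out-of-band."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        token = secrets.token_urlsafe(32)          # 256 bits of entropy, URL-safe
        inv = Invite(secrets.token_hex(8), _digest(token), email, role, now + INVITE_TTL)
        self.by_hash[inv.token_hash] = inv
        self.by_id[inv.invite_id] = inv
        return inv.invite_id, token

    def revoke(self, invite_id: str) -> None:
        """Dashboard revocation: the link stops working immediately."""
        self.by_id[invite_id].revoked = True

    def accept(self, token: str, now: datetime) -> dict:
        """Redeem a link. Fails closed on unknown, expired, used or revoked tokens
        and returns the membership to create (email + role taken from the invite,
        never from the request)."""
        inv = self.by_hash.get(_digest(token))
        if inv is None or inv.revoked or inv.used or now >= inv.expires_at:
            raise PermissionError("invite link is not valid")
        inv.used = True                             # single use
        return {"email": inv.email, "role": inv.role}


if __name__ == "__main__":
    store = InviteStore()
    invite_id, link_token = store.mint("dev@example.com", "developer", DEMO_NOW)
    print("share out-of-band:", link_token)
    print("accepted as:", store.accept(link_token, DEMO_NOW))
```

The role attached to the new membership comes from the stored invite, not from anything the invitee submits, which is what keeps "pick a role" a decision of the inviter alone.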

SAML / OIDC SSO

SSO is available on the Enterprise plan via Supabase Auth Pro (the underlying identity stack Prova runs on). It supports:

  • SAML 2.0 (Okta, Azure AD / Entra ID, Google Workspace, OneLogin, JumpCloud)
  • Just-in-time provisioning so a new SSO user gets the default role at first login
  • Group-claim role mapping that maps your IdP groups to Prova roles
  • Enforced for everyone in the org once enabled (no password fallback)

We turn it on per-org when Enterprise contracts are signed. Coordinate with founders@prova.cobound.dev to schedule the IdP configuration call. Typical setup takes ~30 minutes once your IdP admin is on the line.
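Group-claim role mapping and just-in-time provisioning, as an added example that is not Prova's or Supabase's code. It assumes two claim shapes (an OIDC-style dict with a "groups" list, and a SAML-style attribute list), assumes Audit as the default role for unmatched users since it is the least-privileged seat on this page, orders roles by the permission counts quoted above, and never grants Owner from a group claim, which is consistent with the ownership-transfer rules below but is a choice of this example. The no-password-fallback rule is included as a one-line check.

```python
# Roles ordered least to most privileged. Assumption: the order follows the
# permission counts quoted on this page (Audit 6, Contractor 9, Security 13,
# Developer 16, Owner full access).
ROLE_PRECEDENCE = ["audit", "contractor", "security", "developer", "owner"]


def groups_from_claims(claims) -> list:
    """Normalise group claims from either an OIDC ID-token dict
    ({"groups": [...]}) or a SAML attribute list
    ([{"name": "groups", "values": [...]}]). Both shapes are assumptions
    about IdP output chosen for this example."""
    if isinstance(claims, dict):
        return list(claims.get("groups", []))
    return [
        value
        for attr in claims
        if attr.get("name") == "groups"
        for value in attr.get("values", [])
    ]


def resolve_role(groups, group_map, default_role: str = "audit") -> str:
    """Map IdP groups to a Prova role.

    - No matching group: the user is provisioned just-in-time with default_role
      (Audit here is an assumption; it is the least-privileged seat).
    - Several matching groups: the most privileged matched role wins.
    - Owner is never granted from a group claim (assumption of this example),
      because promotion to Owner is not a self-serve action.
    """
    matched = {group_map[g] for g in groups if g in group_map} - {"owner"}
    if not matched:
        return default_role
    return max(matched, key=ROLE_PRECEDENCE.index)


def login_allowed(sso_enforced: bool, method: str) -> bool:
    """Once SSO is enabled for an org there is no password fallback."""
    return method == "sso" or not sso_enforced


if __name__ == "__main__":
    # Constructed mapping for the demo; the group names are not from the page.
    demo_map = {"eng": "developer", "secops": "security", "it-admins": "owner"}
    print(resolve_role(groups_from_claims({"groups": ["eng", "secops"]}), demo_map))
    print(resolve_role(groups_from_claims([{"name": "groups", "values": ["it-admins"]}]), demo_map))
```

Resolving to the most privileged match is the usual choice because an engineer who is in both an engineering group and a read-only group should not be silently downgraded; the flip side is that a mistaken group membership at the IdP becomes a role grant here, so the mapping table deserves the same change control as the role assignments themselves.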

Ownership transfer

Every org has at least one owner. You cannot demote yourself if you're the only owner; you cannot remove the last owner. To rotate ownership:

  1. Invite the incoming owner with the Developer role first.
  2. After they accept, email founders@prova.cobound.dev to promote them to Owner.
  3. The current owner can then demote themselves or leave.

Promotion to Owner is intentionally not a self-serve dashboard action. It's a one-way trust boundary and we'd rather lose 24 hours of latency than hand ownership over by accident.
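The permission matrix and the ownership invariants above (owners alone manage members, the last owner can be neither demoted nor removed, promotion to Owner is not a dashboard action) fit in a few dozen lines of enforcement code. This is an added example, not Prova's implementation: the Org class, the permission names and the promote_to_owner method standing in for the out-of-band step are assumptions; the matrix itself is transcribed from the table on this page.

```python
from enum import Enum


class Role(str, Enum):
    OWNER = "owner"
    DEVELOPER = "developer"
    SECURITY = "security"
    AUDIT = "audit"
    CONTRACTOR = "contractor"


ALL = frozenset(Role)
POSTURE = frozenset({Role.OWNER, Role.DEVELOPER, Role.SECURITY})
KEY_MANAGERS = frozenset({Role.OWNER, Role.DEVELOPER, Role.CONTRACTOR})

# Permission matrix transcribed from the page: permission -> roles that hold it.
# Permission names are this example's own shorthand for the table rows.
MATRIX = {
    "see_member_list": ALL,
    "invite_teammates": {Role.OWNER},
    "change_member_role": {Role.OWNER},
    "remove_members": {Role.OWNER},
    "manage_billing": {Role.OWNER},
    "read_receipts": ALL,
    "export_receipts": ALL - {Role.CONTRACTOR},
    "see_policies": ALL,
    "toggle_builtin_policies": POSTURE,
    "edit_custom_policies": POSTURE,
    "delete_custom_policies": POSTURE,
    "see_detectors": ALL,
    "toggle_detectors": POSTURE,
    "see_api_keys": ALL - {Role.AUDIT},
    "create_api_keys": KEY_MANAGERS,
    "revoke_api_keys": KEY_MANAGERS,
}


def can(role: Role, permission: str) -> bool:
    """Single choke point for authorization decisions."""
    return role in MATRIX[permission]


class Org:
    """Hypothetical membership model enforcing the ownership rules on this page."""

    def __init__(self, members: dict):
        self.members = dict(members)            # user id -> Role

    def owner_count(self) -> int:
        return sum(1 for r in self.members.values() if r is Role.OWNER)

    def _is_last_owner(self, user: str) -> bool:
        return self.members[user] is Role.OWNER and self.owner_count() == 1

    def change_role(self, actor: str, target: str, new_role: Role) -> None:
        if not can(self.members[actor], "change_member_role"):
            raise PermissionError("only owners change roles")
        if new_role is Role.OWNER:
            # Promotion to Owner is deliberately not self-serve.
            raise PermissionError("promotion to Owner requires an ownership transfer")
        if self._is_last_owner(target):
            # Covers "cannot demote yourself if you're the only owner".
            raise PermissionError("cannot demote the last owner")
        self.members[target] = new_role

    def remove_member(self, actor: str, target: str) -> None:
        if not can(self.members[actor], "remove_members"):
            raise PermissionError("only owners remove members")
        if self._is_last_owner(target):
            raise PermissionError("cannot remove the last owner")
        del self.members[target]

    def promote_to_owner(self, target: str) -> None:
        """Models the out-of-band promotion performed by the vendor after the
        email in step 2; it is intentionally not reachable from change_role."""
        self.members[target] = Role.OWNER


if __name__ == "__main__":
    org = Org({"alice": Role.OWNER})
    org.members["bob"] = Role.DEVELOPER        # step 1: invited as Developer
    org.promote_to_owner("bob")                # step 2: vendor promotes
    org.change_role("alice", "alice", Role.DEVELOPER)   # step 3: outgoing owner steps down
    print(org.members)
```

Keeping the Owner grant outside change_role, rather than as a flag inside it, is what makes the trust boundary checkable: a reviewer can see that no dashboard-reachable path assigns Role.OWNER.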