Platform

Workspaces and tenants

Tenant context drives authorization, data visibility, and action scope across every platform route and API. Understanding how workspaces, users, and access interact helps you manage your environment securely.

Tenant-scoped authorization

Session identity and tenant membership are validated before sensitive read, mutation, export, and integration operations are executed. There is no opt-out from this check — every API and platform route enforces it by construction.

Workspace boundary controls

Data is partitioned by tenant context. Operational paths are designed to prevent cross-tenant data access, accidental leakage, and ambiguous ownership. A workspace member cannot view, modify, or export data belonging to a different workspace.

User roles and access levels

Access within the platform is role-based. Roles determine which features, data, and operations are available to a given user:

  • Workspace Admin — can manage users within their workspace, configure integrations, generate reports and board packs, and manage the full vulnerability lifecycle within their tenant.
  • Member — can view workspace data, review vulnerability findings, and interact with assigned workflows within their tenant.
  • Platform Admin — a privileged role for CyberSec Consultants staff that can operate across multiple workspaces. Not assigned to customers.

Users are always confined to their own workspace unless explicitly granted cross-tenant access by a Platform Admin.

Adding and removing users

User provisioning and deprovisioning for a workspace are managed by your Workspace Admin or by the CyberSec Consultants team. When a user is removed, their session access is invalidated and they are removed from the workspace scope, so they can no longer authenticate or access workspace data.

To add or remove users from your workspace, contact your CyberSec Consultants account representative. User changes are recorded in the audit trail.

API key access

API keys are an alternative authentication method for integrations and automated workflows. Each key is tied to a specific user identity within a workspace and carries an explicit set of permitted operation scopes. Keys are not cross-workspace.

The secret component of an API key is presented once at creation time and cannot be retrieved afterward. If a key is lost or compromised, revoke it from the platform and generate a new one. Revocation is immediate and is recorded in the audit trail.

Failed API key authentication attempts are rate-limited per source address. Repeated failures generate an audit event, allowing you to detect and investigate potential credential abuse.

Session lifecycle

Sessions are cryptographically signed and verified on every request. They have a defined expiry. An expired or tampered session is rejected and cleared before any platform processing occurs. You will be redirected to sign in again with a clear indication that your session has expired — the platform will attempt to return you to the page you were on once you re-authenticate.

Signing out invalidates your session immediately. Closing a browser tab without signing out leaves the session active until its natural expiry. We recommend signing out on shared or managed devices.
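The check sequence described under Tenant-scoped authorization and Session lifecycle, as an added Python model that is not the platform's own code: the session is HMAC-signed with an absolute expiry, a tampered or expired session is rejected before any of its claims are used, and only then are the tenant boundary, membership and role checked. The signing key, the membership table and the role-to-operation mapping are constructed assumptions.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple
# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Constructed membership table: user -> {workspace: role}.
MEMBERSHIP = {"alice": {"ws-acme": "workspace_admin"}, "bob": {"ws-acme": "member"}}
# Operations each role may perform inside its own tenant (assumed mapping).
ROLE_OPERATIONS = {"workspace_admin": {"read", "mutate", "export", "manage_users"},
                   "member": {"read"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(user: str, workspace: str, ttl: int, now: int) -> str:
    """Mint a signed session bound to one workspace with an absolute expiry."""
    payload = _b64(json.dumps({"sub": user, "ws": workspace, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def verify_session(token: str, now: int) -> Optional[dict]:
    """Return the claims only if the signature is valid and the session is unexpired."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # tampered: reject before reading any claim
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64, or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # malformed claims or expired
    return claims

def authorize(token: str, workspace: str, operation: str, now: int) -> Tuple[bool, str]:
    """Order matters: session validity, then tenant boundary, then membership and role."""
    claims = verify_session(token, now)
    if claims is None:
        return False, "session_invalid"
    if claims["ws"] != workspace:
        return False, "cross_tenant"  # a session is confined to the workspace it was issued for
    role = MEMBERSHIP.get(claims["sub"], {}).get(workspace)
    if role is None:
        return False, "not_a_member"
    if operation not in ROLE_OPERATIONS.get(role, set()):
        return False, "role_denied"
    return True, role
```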