Access Control
The right access for the right people.
Invite-only onboarding with a 6-role RBAC system — enforced at the database layer, not just the UI. Every user gets exactly the access their role requires. Nothing more, nothing less.
6 roles — least-privilege by design
Admin
Full system access — invite, edit, and delete users; manage all settings
Auditor
Full audit management — write controls, upload evidence, manage questionnaires
Risk Owner
Edit own assigned risks (status, mitigation, notes); read-only elsewhere
Member
Update status on assigned audit controls and upload evidence to assigned controls
Viewer
Read-only access across all areas — for stakeholders who need visibility, not edit rights
External Auditor
Limited temporary access via OTP-verified portal — scoped to what you choose to share
What it does
Secure by default. Managed with ease.
Invite-only onboarding
No open registration. Admins invite users by email and role. Invitees receive a secure link, set their own password, and land directly in the organisation. The invite link is single-use and expires after 24 hours.
6-role RBAC
Admin, Auditor, Risk Owner, Member, Viewer, External Auditor. Each role is defined with specific, minimal permissions — enforced in both API middleware and Supabase Row Level Security write policies.
Database-layer enforcement
Permissions aren't enforced only in the UI. Every role check resolves through `get_my_role()`, a SECURITY DEFINER function that the Row Level Security policies call, so the access model is applied by the database itself on every query. A request that skips the frontend and hits the API or the database directly with a user's session is still bound by the same policies.
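To make the two sections above ("6-role RBAC" and "Database-layer enforcement") concrete, here is an added example of the pattern they describe: a SECURITY DEFINER role lookup and Supabase Row Level Security policies that call it. This is illustrative SQL written for this page, not RiskGuard's own schema or code. The table names (`profiles`, `risks`), column names (`org_id`, `owner_id`, `status`, `mitigation`, `notes`) and `get_my_org()` helper are assumptions; the policies grant Admin full write access and Risk Owner updates on their own assigned risks only, because those are the permissions the page states for the `risks` area. Whether other roles can edit risks is not stated on the page, so they get read-only here.

```sql
-- Added example, not RiskGuard's schema. Table/column names are assumptions.
-- Runs on Supabase Postgres (auth.uid(), the "authenticated" role and the
-- auth.users table are Supabase-provided).

create table public.profiles (
  id     uuid primary key references auth.users (id) on delete cascade,
  org_id uuid not null,
  role   text not null check (role in
          ('admin','auditor','risk_owner','member','viewer','external_auditor'))
);

create table public.risks (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  owner_id   uuid references public.profiles (id),   -- the assigned Risk Owner
  title      text not null,
  status     text not null default 'open',
  mitigation text,
  notes      text
);

-- Role lookup for the calling user. SECURITY DEFINER lets the function read
-- profiles even if the caller's own RLS view of profiles is restricted; the
-- fixed search_path stops a caller-controlled schema from shadowing the table.
create or replace function public.get_my_role()
returns text
language sql
stable
security definer
set search_path = public
as $$
  select role from public.profiles where id = auth.uid();
$$;

-- Same pattern for the caller's organisation (assumed helper, not on the page).
create or replace function public.get_my_org()
returns uuid
language sql
stable
security definer
set search_path = public
as $$
  select org_id from public.profiles where id = auth.uid();
$$;

alter table public.risks enable row level security;
alter table public.risks force row level security;  -- bind the table owner too

-- Read: every role sees only its own organisation's risks.
create policy risks_select on public.risks
  for select to authenticated
  using (org_id = public.get_my_org());

-- Update: Admin on any risk in the org; Risk Owner only on risks assigned to
-- them. USING is evaluated against the existing row, WITH CHECK against the
-- new row, so a Risk Owner cannot reassign a risk away from themselves or move
-- it to another organisation.
create policy risks_update on public.risks
  for update to authenticated
  using (
    org_id = public.get_my_org()
    and (public.get_my_role() = 'admin'
         or (public.get_my_role() = 'risk_owner' and owner_id = auth.uid()))
  )
  with check (
    org_id = public.get_my_org()
    and (public.get_my_role() = 'admin'
         or (public.get_my_role() = 'risk_owner' and owner_id = auth.uid()))
  );

-- Insert and delete: Admin only, and only inside their own organisation.
create policy risks_insert on public.risks
  for insert to authenticated
  with check (org_id = public.get_my_org() and public.get_my_role() = 'admin');

create policy risks_delete on public.risks
  for delete to authenticated
  using (org_id = public.get_my_org() and public.get_my_role() = 'admin');
```

Two caveats a practitioner would check when reviewing a setup like this. First, RLS restricts rows, not columns: the page's "status, mitigation, notes" limit for a Risk Owner needs column-level `GRANT UPDATE (status, mitigation, notes)` privileges or a trigger on top of the policy. Second, Supabase's service-role key bypasses RLS entirely, so any server-side code acting on behalf of a user must run with that user's JWT, not the service key, or the database-layer guarantee described above does not apply to that path.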
Team visibility
See every active user, their role, their last login, and their current status. Admins can update roles instantly — without any downtime or re-invitation required.
Last login tracking
Every login event is tracked with a timestamp per user. Know who's active, who hasn't logged in recently, and when access patterns change — all without a separate audit tool.
Full user deletion
Remove a user completely — their profile row and their Supabase Auth account are deleted atomically. No orphaned auth records, no data leakage, no ghost accounts.
How it works
Invite. Assign. Control.
Invite by email and role
Enter the user's email and select their role. RiskGuard sends them a secure invite link. They click it, set their password, and are immediately placed into your organisation with exactly the permissions their role carries — nothing more.
They join — you stay in control
From the moment they join, every action they take is governed by their role. A Risk Owner can edit their assigned risks and nothing else. A Member can update controls they're assigned to. The system enforces this at every layer — not just the page they can see.
Update or remove anytime
Promote a Member to Auditor. Downgrade a role. Remove a user entirely. All changes take effect immediately. When someone leaves the organisation, their account is deleted — auth record and all. No cleanup required.
SOC 2 CC6.1 — Logical access controls
Access controls your auditor will actually believe.
SOC 2 Trust Services Criteria CC6.1 requires that logical access to systems is restricted to authorised users and based on least privilege. RiskGuard's 6-role system satisfies this by design — each role is defined with the minimum permissions needed and nothing more.
And because enforcement happens at the database layer via Row Level Security — not just in the UI — your SOC 2 auditor can verify the access controls are real, not just a UI lock on a page that a direct API call could bypass.
Works seamlessly with
The rest of your compliance workflow
External Auditor Portal
External auditors don't need a user account. They get a time-limited, OTP-verified portal link that gives them exactly the access scope you define.
Evidence Locker
Row-level security means users can only access evidence from their own organisation. The RBAC system and the locker's security model are built on the same foundation.
PDF Audit Reports
Audit reports show control assessments, findings, and corrective actions. The RBAC system controls who can generate, view, and export these reports.
Ready to get audit-ready?
Book a 30-minute demo and see how RiskGuard can get your startup compliant — without the consultant fees.