Identity & Access
Ventryx IAM gives you precise control over who can access what — across team members, API clients, and machine identities — with a consistent permission model across all platform resources.
Identity types
| Identity type | How it authenticates | Use case |
|---|---|---|
| Human users | Email + password / SSO | Dashboard and management operations |
| API keys | Bearer token in header | Server-to-server integrations |
| OAuth apps | Access token via OAuth 2.0 flow | Third-party apps acting on behalf of users |
Roles and permissions
Every human user in an organization is assigned a role. Roles determine what API operations and dashboard features they can access.
| Role | Billing | API keys | Team | Resources |
|---|---|---|---|---|
| Owner | Full | Full | Full | Full |
| Admin | View only | Full | Invite/remove | Full |
| Member | None | None | None | Read/write |
| Viewer | None | None | None | Read only |
Single Sign-On (SSO)
Enterprise organizations can configure SSO via SAML 2.0 or OIDC. Supported identity providers include:
- Okta
- Azure Active Directory
- Google Workspace
- OneLogin
- Any SAML 2.0-compliant IdP
When SSO is enforced, all team members must authenticate through your identity provider. Password-based login is disabled for SSO-enrolled organizations.
SCIM provisioning
Enterprise plans support SCIM 2.0 for automated user provisioning and deprovisioning. Connect your identity provider's SCIM endpoint to automatically sync team membership as users join or leave your organization in your IdP.
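A way to check that deprovisioning is actually taking effect, as an added example that is not Ventryx code: it compares the IdP's SCIM 2.0 User resources with the organization's member list and ranks any leftover account by the capabilities its role has in the roles table above. The member export format, the match of SCIM `userName` to member email, and the severity tiers are assumptions.

```python
# Added example. Role capabilities are transcribed from the roles table above;
# the member export format and the userName-equals-email mapping are assumptions.
ROLE_MATRIX = {
    "Owner":  {"api_keys": "Full", "team": "Full", "resources": "Full"},
    "Admin":  {"api_keys": "Full", "team": "Invite/remove", "resources": "Full"},
    "Member": {"api_keys": "None", "team": "None", "resources": "Read/write"},
    "Viewer": {"api_keys": "None", "team": "None", "resources": "Read only"},
}
RANK = {"high": 0, "medium": 1, "low": 2}

def severity(role):
    """Rank a stale account by what its role still allows."""
    caps = ROLE_MATRIX.get(role)
    if caps is None:
        return "high"  # unknown role: fail closed, review by hand
    if caps["api_keys"] != "None" or caps["team"] != "None":
        return "high"  # can manage API keys or team membership
    return "medium" if caps["resources"] != "Read only" else "low"

def find_drift(scim_users, members):
    """Return platform members with no active IdP user behind them, worst first."""
    # A SCIM user without an "active" attribute is treated as inactive here.
    known = {u["userName"].lower(): u.get("active", False) for u in scim_users}
    findings = []
    for m in members:
        email = m["email"].lower()
        if known.get(email):
            continue  # active in the IdP: membership is expected
        reason = "deactivated in IdP" if email in known else "not in IdP"
        findings.append({"email": email, "role": m["role"],
                         "reason": reason, "severity": severity(m["role"])})
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["email"]))

# Constructed sample data: SCIM 2.0 User resources (userName, active) as the IdP
# would hold them, and a hypothetical export of the organization's members.
SCIM_USERS = [
    {"userName": "ana@example.com", "active": True},
    {"userName": "raj@example.com", "active": False},
]
MEMBERS = [
    {"email": "Ana@example.com", "role": "Owner"},
    {"email": "raj@example.com", "role": "Admin"},
    {"email": "contractor@example.com", "role": "Viewer"},
    {"email": "old-dev@example.com", "role": "Member"},
]

if __name__ == "__main__":
    for f in find_drift(SCIM_USERS, MEMBERS):
        print(f"{f['severity']:<6} {f['email']:<24} {f['role']:<7} {f['reason']}")
```

Accounts reported as "not in IdP" were never under SCIM control, so they are the ones to review first when SSO is being enforced.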
API key scopes
Machine identities (API keys) are not role-based — they're scope-based. Each key carries an explicit list of permitted operations. See the Authentication page for the full scope list.