Access Control
The Access Control service provides centralized authentication and authorization for the VirtueAI platform. It manages identities, roles, and access control policies across all Virtue applications.
This guide targets DevOps and Infrastructure teams responsible for deploying and configuring the service.
The service is being rolled out in phases and currently supports basic authentication and authorization. It does support multi-tenancy if large organizations require strict isolation between divisions or groups.
Architecture
The service implements a Role-Based Access Control (RBAC) model with strict multi-tenant isolation.
| Component | Description |
|---|---|
| API | FastAPI service |
| Database | PostgreSQL |
| Authentication | JWT tokens (access + refresh) |
Core Concepts:
- Multi-Tenancy: Data is logically isolated by Tenant. Users belong to one or more tenants.
- Scope:
- System Scope: Managed by the
systemtenant. Handles global resources (tenants, system admins). System admins can administer any tenant. - Tenant Scope: Users and roles within a specific tenant. Access is controlled by role assignments.
- System Scope: Managed by the
- Tokens: JWT tokens are tenant-scoped. A token is valid only for the tenant it was issued for.
Deployment
Docker Compose
# Set required environment variables
export SECRET_KEY=$(openssl rand -hex 32)
export BOOTSTRAP_ADMIN_USERNAME=admin@yourcompany.com
export BOOTSTRAP_ADMIN_PASSWORD=your-secure-password
# Start services
docker-compose up -d
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
SECRET_KEY | Yes | - | JWT signing key (use openssl rand -hex 32) |
BOOTSTRAP_ADMIN_USERNAME | Yes* | - | Initial system admin email, required only once |
BOOTSTRAP_ADMIN_PASSWORD | Yes* | - | Initial system admin password, required only once |
DATABASE_URL | No | (docker-compose default) | PostgreSQL connection string |
ACCESS_TOKEN_EXPIRE_MINUTES | No | 60 (1 hour) | JWT access token expiry |
REFRESH_TOKEN_EXPIRE_DAYS | No | 1 | Refresh token expiry |
Bootstrap
On the first startup, the service automatically bootstraps the administrative environment.
Initialization Process
When the container starts:
- Creates the System Tenant (
system). - Creates the System Admin user using the provided credentials in
BOOTSTRAP_ADMIN_USERNAMEandBOOTSTRAP_ADMIN_PASSWORD. - Assigns the
system_adminrole to this user.
Note:
BOOTSTRAP_ADMIN_USERNAMEandBOOTSTRAP_ADMIN_PASSWORDare only required on first startup. Once the system admin exists, the service starts without it.
Default Roles
The system comes with two primary roles designed for different levels of administration and usage.
| Role | Scope | Description |
|---|---|---|
| System Admin | System Tenant | Platform Owner. Can create tenants, manage users, and oversee the entire deployment. |
| VirtueRed User | Specific Tenant | Standard User. Can create and run scans, view results, and manage their own resources within VirtueRed. |
Setup Guide
This section outlines the process of setting up a new customer environment (Tenant) and onboarding users.
1. Log in as System Admin
Access the Access Control Dashboard and log in using the bootstrapped system credentials.
2. Create a Tenant
A Tenant represents a customer organization or any other kind of isolated logical grouping.
- Navigate to Tenants > Create Tenant.
- Enter the Tenant Name (e.g.,
acme-corp) and Description. - Confirm creation.
3. Add Users
Users must be created within a specific tenant. They can be added to more tenants if needed later.
- Switch context to the newly created tenant.
- Navigate to Users > Add User.
- Provide the user's email and initial password.
4. Assign Roles
By default, a new user has no permissions. You must assign a role to grant access.
- Select the newly created user.
- Go to the Roles tab.
- Assign the VirtueRed User role.
The user can now log in to the VirtueRed application using their credentials.
Multi-Tenant Setup (Optional)
To support multiple customers or isolated teams, repeat the Create Tenant process.
Each tenant is completely isolated:
- Users in Tenant A cannot see or access resources in Tenant B.
- System Admins can view and manage all tenants.
API Documentation
Interactive API documentation is available at http://localhost:8010/swagger.
Support
For assistance, contact support@virtueai.com