Access and audit
Sciple ships the access controls, credential storage, and audit trail as first-class product features. This page describes how each one works and how to configure it.
Authentication
Sciple supports SSO via OIDC, configurable per workspace. Wire up Okta, Entra ID, Google Workspace, or any OIDC-compliant provider. Local username and password login stays available for emergency access. API keys are issued separately and scoped to groups, so service-to-service calls do not need a human credential.
Groups and permissions
Permissions are named and registered, then assigned to named groups; each group carries an explicit permission set. Onboarding a new role is a checkbox list in the dashboard, not a code change. Permissions are organised by feature area, with separate read and manage permissions for services, cloud, Kubernetes, credentials, secrets, dashboard, and platform-wide settings.
The credentials store
Sciple manages your integration credentials with AWS Secrets Manager. The full breadth of credential kinds is supported, including passwords, API tokens, SSH keys, TLS certificates, GPG keys, OAuth2 clients, cloud provider credentials across AWS, Azure, and GCP, source-control tokens for GitHub, GitLab, and Bitbucket, Kubernetes kubeconfig and service account tokens, container registry credentials, webhook signing secrets, database connection strings, Slack and Teams bot tokens, LDAP bind credentials, and license keys. The values stay in your AWS account. Sciple holds the reference, the expiry, the rotation schedule, the ownership, and the audit trail.
Other modules in the platform never see a credential value, and neither does the AI assistant. They reference credentials by identifier and let AWS Secrets Manager retrieve the value at the moment it is needed, scoped to the call that needs it.
The audit trail
Every create, update, and delete in the platform writes an audit event in the same database transaction as the change itself. If the audit write fails, the change rolls back. The audit log and the state of the world cannot disagree.
Each entry records the acting principal, the action name, the target resource, the before-and-after snapshot, the timestamp, and the workspace in which the action ran. The API returns an audit identifier in the response so any operation can be traced after the fact. Sensitive values are never written to audit metadata.
Data isolation
Workspace boundaries are enforced strictly. Every read happens inside the caller’s own workspace. There is no admin shortcut that bypasses scoping, even for Sciple support. Cross-workspace reach is impossible by design.
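The transactional audit write from the audit trail section and the workspace-scoped read from this section, as an added example that is not Sciple's own code: the in-memory sqlite3 schema, the action name "credential.update", and the set of redacted field names are assumptions. If the audit insert fails, the credential update in the same transaction is undone, and a read against the wrong workspace returns nothing rather than falling back to an unscoped query.

```python
import json
import sqlite3
import uuid
from datetime import datetime, timezone

# Assumption: which snapshot fields count as sensitive and must never reach audit rows.
SENSITIVE_KEYS = {"token", "password", "secret"}


def redact(snapshot):
    """Replace sensitive field values so they never land in audit metadata."""
    return {k: ("[redacted]" if k in SENSITIVE_KEYS else v) for k, v in snapshot.items()}


def open_db():
    """In-memory schema standing in for the platform database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE credentials (id TEXT PRIMARY KEY, workspace TEXT, name TEXT, token TEXT);"
        "CREATE TABLE audit (id TEXT PRIMARY KEY, principal TEXT NOT NULL, action TEXT,"
        " target TEXT, before TEXT, after TEXT, ts TEXT, workspace TEXT NOT NULL);"
    )
    return db


def update_credential(db, principal, workspace, cred_id, new_name):
    """Apply the change and its audit entry in one transaction; return the audit id."""
    with db:  # commits on success; any exception inside rolls back both writes
        row = db.execute("SELECT name, token FROM credentials WHERE id=? AND workspace=?",
                         (cred_id, workspace)).fetchone()
        if row is None:  # reads are scoped to the caller's workspace, no admin bypass
            raise LookupError("credential not found in caller's workspace")
        before = {"name": row[0], "token": row[1]}
        db.execute("UPDATE credentials SET name=? WHERE id=?", (new_name, cred_id))
        after = {"name": new_name, "token": row[1]}
        audit_id = str(uuid.uuid4())
        db.execute("INSERT INTO audit VALUES (?,?,?,?,?,?,?,?)",
                   (audit_id, principal, "credential.update", cred_id,
                    json.dumps(redact(before)), json.dumps(redact(after)),
                    datetime.now(timezone.utc).isoformat(), workspace))
    return audit_id


def audit_entry(db, audit_id):
    """Fetch one audit row as a dict with the snapshots decoded."""
    r = db.execute("SELECT principal, action, target, before, after, workspace"
                   " FROM audit WHERE id=?", (audit_id,)).fetchone()
    return {"principal": r[0], "action": r[1], "target": r[2],
            "before": json.loads(r[3]), "after": json.loads(r[4]), "workspace": r[5]}
```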
Compliance posture
The features on this page map to the controls auditors ask about. Sciple is designed and operated to align with SOC 2 and ISO 27001 controls; a formal SOC 2 Type II audit is on the roadmap. Under NDA we share the controls matrix, the sub-processor list, and the standard CAIQ and SIG-Lite questionnaires. See the trust page for what we can share and how to ask.