Access Control

Reoclo enforces multi-tenancy at the data layer. Tenant-scoped collections include tenant_id, and queries are constrained by the selected tenant context so users in one organization cannot access resources in another. This boundary applies to operational records such as servers, applications, deployments, and related activity.

Authorization is role-based through memberships, with tenant_admin, member, and viewer roles controlling tenant actions. Platform operators use super_admin in a reserved platform tenant and can act across tenants through explicit context selection rather than bypassing identity checks.

JWT sessions carry sub, tenant_id, and role claims derived from the active membership. This gives API handlers and data repositories enough context to enforce both identity and tenant scope consistently across internal API requests.