Security & Access Control

Who can do what.
Down to the field level.

Enterprise authentication and authorization — SSO/LDAP/MFA, role-based + attribute-based access control, row-level security, granular permissions per module/action/field, encrypted token rotation, and complete audit trail per Aadhaar Act §29 and IT Act §43A.

  • RBAC + ABAC
  • <100ms permission lookup
  • AES-256 encrypted
  • 100% audit coverage

How It Works

Access Control Flow

Login (MFA/SSO) → Token (JWT signed) → Permission Check (RBAC + ABAC) → Row Filter (data scope) → Resource Access (granted) → Audit Log (recorded)

Authentication

MFA. SSO. LDAP. JWT.

Multi-factor authentication, SSO integration with corporate identity providers, LDAP/Active Directory sync, JWT with refresh + blacklist, brute-force protection, and per-username throttling.

  • JWT access + refresh tokens
  • Token blacklisting on logout
  • MFA + SSO + LDAP/AD integration
  • Brute-force protection (10 attempts/min per IP)
  • Per-username throttling (5 attempts per 15 min)
  • Password complexity + reset workflows
Roles & Permissions

Granular. Hierarchical. Cloneable.

Define roles with granular permissions per module (read, write, approve, execute), clone roles for variations, assign multiple roles per user, scope by company/branch, with conditional logic and row-level security at query level.

  • Permissions per module + action + field
  • Role cloning + bulk permission updates
  • Multi-role assignment per user
  • Company + branch scoping
  • Row-level security at query layer
  • Conditional access (time, IP, context)
Audit & Compliance

Every access. Logged. Reviewable.

Complete audit trail for CREATE / UPDATE / DELETE / READ operations, sensitive data access logging (Aadhaar, PAN, bank), failed login tracking, suspicious activity alerts, and compliance-ready reports.

  • Audit log per CRUD operation
  • Sensitive data access logging (Aadhaar Act §29)
  • Failed login tracking + alerts
  • Suspicious activity detection
  • Compliance reports (SOC 2, ISO 27001 ready)
  • Tamper-proof immutable audit log

Every Feature

Complete capability matrix.


Multi-Factor Auth

TOTP authenticator apps, SMS codes, and hardware security keys (FIDO2/WebAuthn) — enforced per role or per user. High-privilege actions (payroll release, mass approvals) can require MFA re-prompt.

SSO / LDAP

Single Sign-On via SAML 2.0, OAuth 2.0, or OIDC. LDAP / Active Directory user sync with automated role mapping; deprovisioning happens instantly when corporate access is revoked. Zero standing access for ex-employees.

Role Templates

Pre-built roles for common positions (Sales Rep, Plant Manager, Finance Controller, Auditor) and a no-code editor for custom roles. Clone-and-modify pattern lets you create variants without starting from scratch.

Row-level Security

Data filtering applied at the query layer — a sales rep sees only their territory's customers, a branch manager only their branch's data, an auditor sees everything but can change nothing. No workaround possible.

Field-level Masking

Mask sensitive fields (Aadhaar, PAN, bank account, salary) based on role. Authorized roles see full data; others see masked patterns (XXXX-XXXX-1234). Compliance with PII rules without breaking workflows.
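
As an added illustration (not the product's own code) of how the pieces described under Roles & Permissions and in this entry fit together: a union-of-roles permission check, an ABAC condition on IP and time of day for approvals, the row-scope filter the query layer appends, the XXXX-XXXX-1234 field mask, and an audit record for every decision. The role and module names, the 10.20.0.0/16 office network and the 9-18 business hours are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed role table (hypothetical names): role -> module -> allowed actions.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "sales_rep": {"customers": {"read", "write"}},
    "auditor":   {"customers": {"read"}, "payroll": {"read"}},
    "finance":   {"payroll": {"read", "write", "approve"}},
}
# Roles cleared to see unmasked Aadhaar/PAN/bank/salary fields (assumed).
UNMASKED_ROLES = {"finance"}
# ABAC condition for high-impact "approve" actions: office network, business hours.
OFFICE_NET = ip_network("10.20.0.0/16")   # constructed range
BUSINESS_HOURS = range(9, 18)             # constructed window

@dataclass
class User:
    name: str
    roles: Set[str]
    company: str
    branch: Optional[str]   # None = company-wide scope (e.g. an auditor)

AUDIT_LOG: List[dict] = []  # append-only; production writes to an immutable store

def check_permission(user: User, module: str, action: str, ctx: dict) -> bool:
    """RBAC: a user holding several roles gets the union of their permissions.
    ABAC: 'approve' additionally requires an office IP during business hours.
    Every decision, allowed or denied, is recorded in the audit log."""
    allowed = any(action in ROLE_PERMISSIONS.get(r, {}).get(module, set())
                  for r in user.roles)
    if allowed and action == "approve":
        allowed = (ip_address(ctx["ip"]) in OFFICE_NET
                   and ctx["hour"] in BUSINESS_HOURS)
    AUDIT_LOG.append({"user": user.name, "module": module, "action": action,
                      "ip": ctx["ip"], "allowed": allowed})
    return allowed

def row_scope(user: User) -> dict:
    """Row-level security: the filter the query layer appends to every read,
    so a branch user cannot widen it from the client side."""
    scope = {"company": user.company}
    if user.branch is not None:
        scope["branch"] = user.branch
    return scope

def mask_field(user: User, value: str) -> str:
    """Field-level masking: uncleared roles see only the last four characters."""
    if user.roles & UNMASKED_ROLES:
        return value
    return "XXXX-XXXX-" + value[-4:]
```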

Audit Trail

Tamper-proof log of every create, update, delete, and read operation. Every entry has user, timestamp, IP, before/after values. Auditor mode lets you replay any record's full lifecycle.

Anomaly Alerts

Suspicious access patterns trigger real-time alerts — impossible-travel logins, mass data exports, off-hours access to sensitive modules, repeated failed permission checks. Security team gets immediate notification.

Token Rotation

JWT access tokens with short lifetimes and refresh tokens with rotation. Logged-out tokens blacklisted in Redis instantly; compromised tokens can be killed organization-wide in seconds.

Compliance Ready

Controls and evidence trails designed for SOC 2, ISO 27001, and GDPR audits out of the box. Export audit reports, access reviews, and security incident logs in standard formats — saves weeks of audit prep.

Integrations

Works with everything else.

Every RBAC action flows into the other modules — no manual data re-entry, no reconciliation pain.

  • RBAC → All Modules: action → permission check; blocks unauthorized operations
  • RBAC → HR: sensitive PII access → audit; Aadhaar Act §29 compliance
  • RBAC → Audit: every action → log entry; tamper-proof trail
  • RBAC → Notifications: suspicious login → alert; real-time security event

Ready to modernize your mill?

See Papyrus BPApp in your mill.

Book a personalized demo. We'll walk through every module relevant to your operation — from Deckle optimization to GSTR-3B compliance.