Every request to a Lerian product raises two questions: who is making it, and what are they allowed to do? Authentication answers the first, authorization the second. Access Manager handles both. Access Manager is Lerian’s access-control layer for our products and plugins. Instead of wiring identity and permissions into every product, you can manage them in one place: who your users are, which tokens they carry, and what those tokens can reach. Operators, administrators, and machine-to-machine integrations all pass through the same gate, and each one only touches the resources it’s cleared for. Under the hood, two services do the work, and protected products plug into them at the route level:
  • Auth runs the live side of access: issuing and refreshing tokens, validating sessions, checking permissions, handling logout and user info, and running MFA challenges.
  • Identity holds the data behind those decisions: users, groups, applications, communication providers, application-provider links, and MFA configuration.
When a request reaches a protected product, Access Manager checks it against the subject, the resource, and the action before any business logic runs. A back-office operator in a group like midaz-viewer-group can read Midaz data but can’t change it. A service integration that authenticates with client credentials gets exactly the machine-to-machine access it was configured for.
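To make the route-level check concrete, here is an added example (not Lerian's code and not the Access Manager API) of the decision a protected product makes before any business logic runs. It assumes a Subject that carries either a user's groups or a machine-to-machine application's own grants, a constructed groupPermissions table (only midaz-viewer-group is named on this page; midaz-admin-group and the specific grants are made up), and a deliberately simplified mapping from HTTP method plus first path segment to the resource:action names this page uses. Everything is deny-by-default: an unmapped route or an unknown group never grants access.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject is the authenticated caller: a human user carrying groups, or a
// machine-to-machine application carrying its own permission set.
type Subject struct {
	ID       string
	Groups   []string // populated for users
	AppPerms []string // populated for client-credentials applications
}

// toSet turns "resource:action" strings into a lookup set.
func toSet(perms ...string) map[string]bool {
	s := make(map[string]bool, len(perms))
	for _, p := range perms {
		s[p] = true
	}
	return s
}

// groupPermissions maps a group to the permissions it grants. Constructed
// sample data: only midaz-viewer-group is named on the page; the admin group
// and the exact grants are assumptions for this example.
var groupPermissions = map[string]map[string]bool{
	"midaz-viewer-group": toSet("accounts:get", "reports:get", "templates:get"),
	"midaz-admin-group":  toSet("accounts:get", "accounts:patch", "reports:get", "templates:post"),
}

// RequiredPermission derives the "resource:action" a route needs from the HTTP
// method and the first path segment, e.g. PATCH /accounts/123 -> "accounts:patch".
// This mapping is a simplification assumed for the example. Anything it cannot
// map returns "" so the caller denies by default.
func RequiredPermission(method, path string) string {
	segs := strings.Split(strings.Trim(path, "/"), "/")
	if segs[0] == "" {
		return ""
	}
	action := strings.ToLower(method)
	switch action {
	case "get", "post", "put", "patch", "delete":
		return segs[0] + ":" + action
	}
	return ""
}

// Authorize reports whether the subject holds perm. Applications are checked
// against their own grants, users against the union of their groups' grants.
// An empty perm never matches, so unmapped routes are denied.
func Authorize(s Subject, perm string) bool {
	if perm == "" {
		return false
	}
	for _, p := range s.AppPerms {
		if p == perm {
			return true
		}
	}
	for _, g := range s.Groups {
		if groupPermissions[g][perm] { // nil map for unknown groups reads as false
			return true
		}
	}
	return false
}

// CheckRoute is the decision a protected product makes before business logic.
func CheckRoute(s Subject, method, path string) bool {
	return Authorize(s, RequiredPermission(method, path))
}

func main() {
	viewer := Subject{ID: "op-1", Groups: []string{"midaz-viewer-group"}}
	svc := Subject{ID: "reporting-svc", AppPerms: []string{"reports:get"}}
	for _, rq := range []struct {
		who          Subject
		method, path string
	}{
		{viewer, "GET", "/accounts/123"},
		{viewer, "PATCH", "/accounts/123"},
		{svc, "GET", "/reports"},
		{svc, "POST", "/templates"},
	} {
		fmt.Printf("%-14s %-6s %-15s allowed=%v\n", rq.who.ID, rq.method, rq.path,
			CheckRoute(rq.who, rq.method, rq.path))
	}
}
```

Running it shows the viewer reading accounts but being refused a PATCH, and the reporting application getting exactly the one grant it was configured with. The useful property to carry into a real integration is that both the route mapping and the permission lookup fail closed.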
Test the Access Manager locally: run Lerian’s plugins without deploying to Kubernetes using our plugins-docker-compose repository. Keep in mind that these services require a valid license to run. Without it, the application will not start. For license details, check our License documentation.

Why use Access Manager?


Use Access Manager when you want native, fine-grained access control across Lerian products, instead of stitching something together product by product. It lets you:
  • manage human users and the product groups that define their access;
  • create machine-to-machine applications for service integrations;
  • enforce permissions down to the resource and action, like reports:get, templates:post, or accounts:patch;
  • apply one access-control model across every Lerian product you run;
  • keep product APIs protected behind bearer tokens and route-level checks.
How it fits your stack depends on how you deploy it:
  • In SaaS deployments, it’s the platform access layer. JWT claims carry the authenticated subject and tenant context the platform relies on.
  • In BYOC multi-tenant deployments, tenant context comes from trusted token claims, never from request payloads or arbitrary headers.
  • In BYOC single-tenant deployments, you may already run your own identity provider. Access Manager can still add Lerian-native authorization and application credentials wherever you need that control.
Access Manager is available as an optional feature under the Enterprise model. If you’d like to learn more or evaluate it for your use case, get in touch with our team.

Technical specs


What you get out of the box:
  • REST APIs for Auth and Identity operations.
  • Lerian Console settings for supported visual user and application management.
  • Product-level authorization enforcement for protected HTTP and gRPC APIs.
  • PLUGIN_AUTH_ENABLED feature flag for enabling product-level authorization enforcement.
  • OAuth2/OIDC token flows for password and client credentials access.
  • MFA support for user authentication flows.
  • Valkey-backed caching for token, permission, and MFA-related operations.
  • RBAC aligned with product resources, actions, groups, and machine-to-machine applications.

Bootstrap and operation


Access Manager has two distinct lifecycle layers, and keeping them separate saves you trouble later:
Layer      What it is used for
Bootstrap  Initial environment setup, including base organizations, built-in roles, groups, applications, and permission sets.
Operation  Day-to-day management of users, group assignments, applications, providers, MFA, and access reviews.
Bootstrap is what seeds a brand-new environment. Once that environment is running, it’s no longer where you make changes. For the operator-level walkthrough of getting Auth and Identity up and ready before any product enforces access, see Installing Access Manager.
From there on, manage access through the Identity APIs or Lerian Console. Console covers the everyday user and application work: creating users, assigning groups, updating passwords, and creating machine-to-machine applications. The Identity APIs give you the full operational surface, including providers, application-provider links, and MFA.
Built-in resources, actions, roles, and permission sets are a different story. Ship changes to those through controlled platform updates like migrations or an idempotent reconciler, and don’t edit bootstrap seed data to change access in an environment that’s already running.

Multi-tenant behavior


In SaaS and BYOC multi-tenant deployments, the tenant is part of who the caller is, not something they pass in. Access Manager reads it from trusted JWT claims during user flows, and from the application’s organization during machine-to-machine flows. Clients never send tenant ownership in payloads, query parameters, or headers. That shapes behavior in three places:
  • Identity management — user, group, and application APIs return only records in the caller’s tenant organization.
  • Authentication — password and refresh-token flows keep token handling scoped to the tenant carried by the user context.
  • Authorization — permission checks evaluate only the groups, roles, and application permissions that belong to the resolved tenant.
Single-tenant deployments skip all of this and fall back to the configured default organization.
Don’t reuse a token from one tenant to manage users, applications, or permissions in another. Access Manager scopes those operations to the authenticated context.
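As an added example that is not part of this page or of Access Manager itself, the following Go code shows the rule above for the user-token path: the tenant is read from a signature-verified claim, the single-tenant case falls back to the configured default organization, and a header the client sent is never consulted. The claim name org_id, the X-Tenant-Id header, HS256 signing with a shared key, and the sample records are all assumptions made so the example runs offline; the machine-to-machine path, where the tenant comes from the application’s organization, is not modelled here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Claims holds the token fields this example relies on; the names are assumptions.
type Claims struct {
	Sub   string `json:"sub"`
	OrgID string `json:"org_id"`
}

// hs256 computes the HMAC-SHA256 tag over a JWT signing input.
func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignHS256 stands in for the token issuer so the sample has a token to verify.
func SignHS256(c Claims, key []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	in := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	return in + "." + base64.RawURLEncoding.EncodeToString(hs256(in, key))
}

// VerifyHS256 returns claims only after the signature checks out. It is pinned
// to HS256 and never reads the token's own alg header, so the token cannot pick
// the algorithm. An unverified payload is never trusted for tenant resolution.
func VerifyHS256(token string, key []byte) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return c, errors.New("signature mismatch")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return c, errors.New("malformed payload")
	}
	return c, nil
}

// ResolveTenant picks the organization an operation is scoped to. Multi-tenant:
// the org_id claim of the verified bearer token and nothing else; the assumed
// X-Tenant-Id header is never read. Single-tenant: the configured default.
func ResolveTenant(h http.Header, key []byte, multiTenant bool, defaultOrg string) (string, error) {
	if !multiTenant {
		return defaultOrg, nil
	}
	auth := h.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return "", errors.New("missing bearer token")
	}
	c, err := VerifyHS256(strings.TrimPrefix(auth, "Bearer "), key)
	if err != nil {
		return "", err
	}
	if c.OrgID == "" {
		return "", errors.New("token carries no tenant")
	}
	return c.OrgID, nil
}

// Record is any Identity object (user, group, application) owned by a tenant.
type Record struct{ ID, OrgID string }

// ScopeToTenant is the filter an Identity listing applies: only the resolved
// tenant's records come back, whatever else exists in the store.
func ScopeToTenant(all []Record, orgID string) []Record {
	var out []Record
	for _, rec := range all {
		if rec.OrgID == orgID {
			out = append(out, rec)
		}
	}
	return out
}

func main() {
	key := []byte("constructed-demo-key-not-a-real-secret") // constructed sample key
	h := http.Header{}
	h.Set("Authorization", "Bearer "+SignHS256(Claims{Sub: "op-1", OrgID: "org-a"}, key))
	h.Set("X-Tenant-Id", "org-b") // caller-controlled; must have no effect
	org, err := ResolveTenant(h, key, true, "default-org")
	fmt.Println("tenant:", org, "err:", err)
	fmt.Println("visible:", ScopeToTenant([]Record{{"u1", "org-a"}, {"u2", "org-b"}}, org))
}
```

The shared-key signing exists only so the sample runs offline; what matters is the order of operations: verify first, then read the tenant claim, and never fall back to anything the client sent. A tampered token fails before any claim is read, and a request with a valid token for org-a sees only org-a records no matter what header accompanies it.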

Use cases


Access Manager fits scenarios such as:
  • Teams that want built-in authentication and authorization across Lerian products.
  • Organizations without an existing IAM solution.
  • Teams that already run an identity provider but still need product-level authorization.
  • Integrations that depend on secure machine-to-machine access.
  • Multi-product deployments that need one consistent access model for users, services, and tenants.