Security
RBAC, permission model, SSO, vault secrets, audit logging, and prompt protection.
MechaMental is built with enterprise security requirements in mind. Every resource is protected by fine-grained access controls, secrets are encrypted at rest, and all actions are logged in an immutable audit trail.
Security Features at a Glance
- RBAC — role-based access control with custom roles and granular permission scopes
- SSO / OIDC — single sign-on support with SAML and OpenID Connect integration
- Vault — KMS-backed secrets management for API keys, credentials, and sensitive data
- Audit Logs — comprehensive, immutable activity logging for compliance and troubleshooting
- Workspace Isolation — resources in one workspace are completely isolated from others
- Prompt Protection — PII detection, content filtering, and deny lists for AI-specific threats
RBAC Model
Access control is structured around roles and policies:
- Roles — named collections of permissions (e.g., "Developer", "Viewer", "Admin"). You can create custom roles tailored to your organization.
- Policies — fine-grained rules that define what actions a role can perform on which resources.
Permission Format
Permissions follow the format:
resource:scope:action
Where:
- resource — the type of entity (e.g., apps, endpoints, secrets, tools, models)
- scope — the boundary the permission applies to (e.g., a specific workspace, app, or namespace)
- action — the operation being performed (e.g., read, write, manage, delete, execute, trigger)
Permission Scopes
| Resource | Available Actions |
|---|---|
| Workspace | read, write, manage |
| Apps | read, write, manage, delete |
| Endpoints | read, write, trigger |
| Augmentations | read, write, execute |
| Secrets (Vault) | read, write, delete |
| Models | read, write, manage |
| Tools | read, write, manage |
| Analytics | view |
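To make the Permission Format and Permission Scopes sections concrete, here is an added example (not MechaMental's own code) of a deny-by-default evaluator for resource:scope:action strings. The action table mirrors the one above; the convention that scopes are '/'-separated workspace/app/namespace paths, with a parent scope covering its children, is an assumption made for illustration.

```python
# Added example, not MechaMental's own code: a minimal evaluator for
# resource:scope:action permissions. RESOURCE_ACTIONS mirrors the Permission
# Scopes table on this page; the scope-path convention is an assumption.
from dataclasses import dataclass

RESOURCE_ACTIONS = {
    "workspace": {"read", "write", "manage"},
    "apps": {"read", "write", "manage", "delete"},
    "endpoints": {"read", "write", "trigger"},
    "augmentations": {"read", "write", "execute"},
    "secrets": {"read", "write", "delete"},
    "models": {"read", "write", "manage"},
    "tools": {"read", "write", "manage"},
    "analytics": {"view"},
}

@dataclass(frozen=True)
class Permission:
    resource: str
    scope: str
    action: str

def parse_permission(text: str) -> Permission:
    """Parse 'resource:scope:action'; unknown resources or actions are
    rejected so a typo in a policy can never silently widen a grant."""
    parts = text.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed permission: {text!r}")
    resource, scope, action = parts
    if action not in RESOURCE_ACTIONS.get(resource, set()):
        raise ValueError(f"{action!r} is not a valid action on {resource!r}")
    return Permission(resource, scope, action)

def scope_covers(granted: str, requested: str) -> bool:
    """Assumed convention: scopes are '/'-separated paths (workspace/app/
    namespace); a grant on a parent covers its children, never the reverse."""
    g, r = granted.split("/"), requested.split("/")
    return r[: len(g)] == g

def role_allows(policies: set[str], requested: str) -> bool:
    """Deny by default: a role's policies (permission strings) grant the
    request only if resource and action match and the scope covers it."""
    req = parse_permission(requested)
    return any(
        p.resource == req.resource and p.action == req.action
        and scope_covers(p.scope, req.scope)
        for p in map(parse_permission, policies)
    )
```

Matching on path segments rather than string prefixes is what keeps a grant on ws-1 from leaking onto ws-10.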
SSO / OIDC
MechaMental supports single sign-on through SAML and OpenID Connect (OIDC). This lets your users authenticate with your existing identity provider (Okta, Azure AD, Google Workspace, etc.) without managing separate credentials.
Enterprise Authentication
SSO configuration is managed at the organization level by platform administrators. Once configured, all organization members authenticate through the identity provider.
Vault (Secrets Management)
The Vault stores sensitive values (API keys, tokens, credentials) encrypted at rest using KMS. Secrets can be scoped to three levels:
| Scope | Description |
|---|---|
| Workspace | Available to all apps and namespaces in the workspace |
| Namespace | Isolated to a specific namespace within an app |
| Environment | Different secret values per environment (development, staging, production) |
Secrets are referenced by name in tool configurations, pipeline templates, and credential mappings. The actual secret values are never exposed in the UI or API responses — only secret metadata (name, scope, status) is visible.
Audit Logging
Every action in MechaMental is logged with full context:
- Who — which user performed the action
- What — which resource was affected and what changed
- When — timestamp of the action
- Where — source IP or API client
Audit logs are immutable and can be filtered, searched, and exported. They are essential for compliance requirements (SOC 2, HIPAA, GDPR) and for investigating security incidents or troubleshooting operational issues.
Prompt Protection
MechaMental includes built-in defenses against prompt injection and other AI-specific security threats, such as the PII detection, content filtering, and deny lists listed above.
These protections can be applied at the pipeline level through dedicated step configurations, giving you granular control over which endpoints enforce which protections.