Identity, scope, and trust at every door.
Whether it's a person logging in, a vendor finishing a work order, or a vehicle approaching the gate, CtrlAtlas decides what's allowed in real time. One identity model. Every entry point.
Four ways in. One identity.
Whatever the user picks up, the platform sees the same identity, the same role, the same scope.
Enterprise single sign-on with SAML 2.0 and OIDC. Provision once, propagate everywhere.
- Okta, Azure AD, Google Workspace
- SCIM auto-provisioning
- JIT account creation
Signed session tokens carry user, organization, role, and scope through every request end-to-end.
- Short-lived access tokens
- Rotating refresh tokens
- Server-side revocation
TOTP, WebAuthn, and passkeys for high-tier roles and sensitive mutations.
- Passkey-first flow
- Step-up at the action
- Backup codes
Mobile biometric unlock and device-bound trust for staff in the field.
- Face / fingerprint
- Device attestation
- Lost-device wipe
9 tiers. Sharply scoped.
Every role lives on one of nine access tiers. The graph decides what a tier can see, what it can change, and where the boundary stops.
- Scope: Platform-wide; Perms: Everything
- Scope: Full organization; Perms: Org-wide read + write
- Scope: Cross-portfolio; Perms: Portfolio cluster ops
- Scope: Single portfolio; Perms: Buildings within portfolio
- Scope: Single building; Perms: Floors, units, tenants
- Scope: Floor planning; Perms: Plan geometry only
- Scope: Parking module; Perms: Spaces & vehicles
- Scope: Assigned work orders; Perms: Own jobs only
- Scope: Own unit only; Perms: Personal portal
Every request, six checkpoints.
Nothing reaches the data layer without passing all six. The flow is uniform across web, mobile, API, and integrations.
Resolve identity from SSO, JWT, passkey, or device attestation.
Walk the DIG to compute where the user sits on the entity hierarchy.
Match the role tier against the action's required permission level.
Escalate to MFA or biometric for sensitive mutations.
Approve the action or refuse with a typed reason code.
Write the actor, scope, decision, and outcome to the immutable audit log.
Doors, visitors, vehicles.
Identity isn't just for software. CtrlAtlas extends the same scope and audit model to every physical entry point on the property.
HID and Mercury panels integrate directly. Credentials, schedules, and audit trails sync into the graph.
QR check-in, photo ID capture, host notification, and visitor passes time-boxed to the appointment.
ALPR cameras tie license plates to tenants and visitors. Gate triggers fire from the same scope checks.
Atlas watches access events and flags after-hours usage, repeated denials, and credentials seen in the wrong scope.
Get your team onboarded.
Tell us about your portfolio and we'll set up the right tier model for your roles. SSO wiring, role mapping, and tenant configuration handled before you sign in.
