Core Concepts

Understand the fundamental building blocks of AccessIQ and how they work together to provide comprehensive identity management.

Tenants

A Tenant represents your account in AccessIQ. It's the top-level container that holds all your organizations, users, and configurations. Each tenant is completely isolated from others.

Example: If you're building a project management SaaS, your company would have one tenant. Each of your customers (Acme Corp, TechStart, etc.) would be organizations within your tenant.

Organizations

Organizations represent your customers. Each organization can have its own:

  • Identity provider configuration (SAML, OIDC)
  • Users and their roles
  • Custom branding and settings
  • Feature flag overrides

Organization Hierarchies

AccessIQ supports up to 5 levels of organization hierarchy, allowing you to model complex B2B structures like holding companies, subsidiaries, and departments.

Users

Users are individuals who access your application. Users always belong to at least one organization and can have different roles in different organizations.

User Properties

  • email - Primary identifier
  • name - Display name
  • roles - Assigned roles
  • mfa_enabled - MFA status
  • metadata - Custom attributes

Roles & Permissions

AccessIQ uses a flexible Role-Based Access Control (RBAC) system:

Permissions

Granular actions like users:read, users:write, settings:manage

Roles

Collections of permissions like Admin, Manager, Viewer

Roles can be defined at the tenant level (shared across all organizations) or at the organization level (custom to each customer).
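
The following is an added example, not AccessIQ code or its API: a per-organization permission check for the model described above, where a user can hold different roles in different organizations and roles are defined at the tenant or organization level. The data structures, organization ids, the custom `Auditor` role and the lookup order (organization-level definition first, then tenant-level) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Tenant-level roles, shared across all organizations (constructed sample data).
TENANT_ROLES = {
    "Admin": {"users:read", "users:write", "settings:manage"},
    "Manager": {"users:read", "users:write"},
    "Viewer": {"users:read"},
}

# Organization-level roles, custom to one customer (hypothetical "Auditor" role).
ORG_ROLES = {"org_acme": {"Auditor": {"settings:manage"}}, "org_techstart": {}}

@dataclass
class User:
    email: str
    # organization id -> role names the user holds in that organization
    memberships: dict = field(default_factory=dict)

def resolve_role(org_id, role_name):
    """Return the permission set for a role as seen from one organization.

    Assumption: the organization-level definition is checked first, then the
    tenant-level one. A role unknown to both resolves to nothing (fail closed).
    """
    org_defined = ORG_ROLES.get(org_id, {})
    if role_name in org_defined:
        return org_defined[role_name]
    return TENANT_ROLES.get(role_name, set())

def effective_permissions(user, org_id):
    """Union of permissions from the roles the user holds in org_id only."""
    perms = set()
    for role_name in user.memberships.get(org_id, []):
        perms |= resolve_role(org_id, role_name)
    return perms

def has_permission(user, org_id, permission):
    """Authorize one action in one organization; non-members get nothing."""
    return permission in effective_permissions(user, org_id)

# Constructed user: Admin at one customer, Viewer (plus a stray role name) at another.
alice = User("alice@example.com", {"org_acme": ["Admin"], "org_techstart": ["Viewer", "Auditor"]})
```

Every check takes the organization as an explicit argument, so a role held in one organization never grants access in another, and a custom role defined for one customer has no effect elsewhere.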

Feature Flags

Feature Flags allow you to control feature availability at multiple levels:

  • Global - Enable/disable for all users
  • Organization - Enable for specific customers
  • User - Enable for individual users
  • Percentage - Gradual rollouts

JWT Integration: Enabled feature flags are automatically included in JWT token claims, eliminating the need for additional API calls to check feature access.

Identity Providers

AccessIQ acts as an identity broker, allowing each organization to use its preferred identity provider:

SAML 2.0

Enterprise SSO with Okta, Azure AD, OneLogin, etc.

OpenID Connect

Modern authentication with any OIDC provider

SCIM 2.0

Automatic user provisioning and deprovisioning