Core Concepts

AccessLedger is built around a few simple objects. Understanding them makes the UI and audit log much easier to use.

Organization

An organization is a tenant boundary. All credentials, requests, users, and audit events are scoped to an organization.

In the hosted SaaS product, your organization is provisioned for you and all data stays scoped to your tenant.

User

A user can log in and perform actions based on their role.

Key fields you will see in the UI and audit log:

  • Name
  • Email
  • Role

See Roles and Permissions for what each role can do.

Credential

A credential is an inventory record for a high-value account or secret.

In the UI, each credential includes:

  • Credential name
  • System/service
  • Account identifier
  • Storage type and storage location
  • Risk level (Low / Medium / High)
  • Optional rotation interval (days)
  • Optional notes

AccessLedger does not store secret material. It stores where the secret lives and how it should be handled.

Access Request

An access request is the break-glass workflow.

A request:

  • References a credential
  • Records who requested access and why
  • Can be approved or denied by an approver
  • If approved, expires after a fixed duration
  • Is closed by the requester (or an admin) with post-use notes

Request status vs derived status

Internally, requests have statuses like pending, approved, denied, closed.

In the UI, an approved request is shown as:

  • Active: approved and not yet expired
  • Expired: approved but past the expiry time

Rotation

Credentials can optionally have a rotation interval. AccessLedger uses this to compute:

  • Overdue rotations
  • Rotations due soon (next 30 days)
  • On-schedule rotations
  • Credentials with no schedule

The Rotation page is a dashboard. Marking a rotation done updates the credential record and writes an audit event.
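
The derived request status and the four rotation groups described above, as an added Python example (not AccessLedger's own code). The field names, the rule that a rotation falls due one interval after the last one, and the treatment of the exact expiry instant are assumptions; the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

DUE_SOON = timedelta(days=30)  # the "next 30 days" window from the Rotation list

def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def derived_status(status, expires_at, now):
    """Return the status the UI would show for a stored request status."""
    if status != "approved":
        return status  # assumption: pending, denied and closed are shown as stored
    # Assumption: the request counts as Expired from the expiry instant onward.
    return "Active" if now < expires_at else "Expired"

def rotation_bucket(last_rotated, interval_days, now):
    """Classify one credential into the four Rotation dashboard groups."""
    if interval_days is None:
        return "no schedule"
    # Assumption: the next rotation is due one interval after the last one.
    due = last_rotated + timedelta(days=interval_days)
    if due < now:
        return "overdue"
    return "due soon" if due <= now + DUE_SOON else "on schedule"

def rotation_summary(credentials, now):
    """Count credentials per group, as a dashboard header would."""
    return Counter(
        rotation_bucket(c["last_rotated"], c["interval_days"], now)
        for c in credentials
    )

# Constructed sample inventory, not taken from a real tenant.
NOW = utc(2024, 6, 1, 12)
CREDENTIALS = [
    {"name": "prod-db-root", "last_rotated": utc(2024, 1, 1), "interval_days": 90},
    {"name": "aws-root", "last_rotated": utc(2024, 5, 1), "interval_days": 45},
    {"name": "dns-registrar", "last_rotated": utc(2024, 5, 1), "interval_days": 365},
    {"name": "legacy-vpn-psk", "last_rotated": None, "interval_days": None},
]

if __name__ == "__main__":
    print(dict(rotation_summary(CREDENTIALS, NOW)))
    print(derived_status("approved", NOW - timedelta(minutes=5), NOW))
```

Under this status model, a request shown as Expired is still in the approved state and has not been closed, so it carries no post-use notes yet.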

Audit Events

AccessLedger writes audit events for key actions (logins, request workflow steps, credential changes, exports, settings changes).

The Audit Log page shows events and supports filtering. Admins and auditors can export the audit log to CSV.

Notifications

If email notifications are enabled for your organization, AccessLedger can send notifications for request workflow events and access-expiry reminders.

The admin controls reminder cadence in Settings -> Notification Settings.