Overview

Aether implements a comprehensive security model inspired by Drupal's battle-tested permission system, extended with modern enterprise authentication standards and AI-powered content moderation.

Granular RBAC: Role-based access with field-level permissions

Enterprise SSO: SAML, OpenID, Azure B2C out of the box

Full Audit Trail: Who did what, when, and from where

Role-Based Access Control

Aether uses a hierarchical role system where permissions flow down through role inheritance. Built-in system roles provide sensible defaults, while custom roles let you model your organization's structure.

System Role       Description
Anonymous         Unauthenticated visitors
Authenticated     Any logged-in user
Content Editor    Can create and edit own content
Content Manager   Can publish and manage all content
Site Builder      Can configure site structure and themes
Administrator     Full access to all features

Granular Permissions

Permissions are organized by module and follow a consistent pattern. Each entity type automatically generates permissions for create, edit, delete, and publish actions; edit and delete are split into own and any variants, so a role can be limited to the content its members authored.

Permission Examples
# Auto-generated per entity type
content.article.create
content.article.edit_own
content.article.edit_any
content.article.delete_own
content.article.delete_any
content.article.publish

# Module-specific permissions
media.upload
media.delete
taxonomy.manage_vocabularies
workflow.bypass_moderation
system.administer
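The following is an added illustration (not Aether's code) of how role inheritance and the own/any split above resolve at check time: a role's effective permissions are the union of its own grants and its ancestors', edit and delete try the `_any` variant first and fall back to `_own` only when the caller owns the entity, and `system.administer` short-circuits everything, mirroring the "Full access" row. The inheritance graph, the grant table and the users are constructed for the example.

```python
# Added example: hierarchical role resolution and own/any permission checks.
# Not Aether's code; the inheritance edges, grant table and users are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed inheritance graph: a role inherits every permission of its parents.
ROLE_PARENTS: Dict[str, List[str]] = {
    "anonymous": [],
    "authenticated": [],
    "content_editor": ["authenticated"],
    "content_manager": ["content_editor"],
    "site_builder": ["content_manager"],
    "administrator": ["site_builder"],
}

# Constructed direct grants per role; inherited grants are not repeated here.
ROLE_GRANTS: Dict[str, Set[str]] = {
    "anonymous": {"content.article.view"},
    "authenticated": {"content.article.view"},
    "content_editor": {"content.article.create", "content.article.edit_own",
                       "content.article.delete_own"},
    "content_manager": {"content.article.edit_any", "content.article.delete_any",
                        "content.article.publish", "media.upload", "media.delete"},
    "site_builder": {"taxonomy.manage_vocabularies"},
    "administrator": {"system.administer"},
}


def effective_permissions(role: str) -> Set[str]:
    """Collect the role's own grants plus everything inherited through ROLE_PARENTS."""
    seen: Set[str] = set()
    stack = [role]
    perms: Set[str] = set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= ROLE_GRANTS.get(current, set())
        stack.extend(ROLE_PARENTS.get(current, []))
    return perms


@dataclass
class User:
    id: str
    roles: List[str] = field(default_factory=list)


def can(user: User, action: str, entity_type: str, owner_id: Optional[str] = None) -> bool:
    """Check `action` (create, edit, delete, publish, view) on an entity type.

    edit/delete resolve to the *_any permission first and fall back to *_own
    only when the entity's owner is the acting user. system.administer is
    treated as a bypass, matching the Administrator role's "Full access".
    """
    perms: Set[str] = set()
    for role in user.roles:
        perms |= effective_permissions(role)
    if "system.administer" in perms:
        return True
    base = f"content.{entity_type}"
    if action in ("edit", "delete"):
        if f"{base}.{action}_any" in perms:
            return True
        return f"{base}.{action}_own" in perms and owner_id == user.id
    return f"{base}.{action}" in perms
```

Because the fallback to `_own` requires an owner id that equals the caller's id, a missing owner on the entity denies rather than allows; that fail-closed default is the property worth keeping when wiring such a check into real entity loaders.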

Field-Level Security

Control access at the field level. Hide sensitive fields from certain roles, make fields read-only, or mask values (show ***** instead of actual data).

Field Access Policy
type FieldAccess {
    can_view: Bool,       // Can user see this field?
    can_edit: Bool,       // Can user modify this field?
    mask_value: Bool,     // Show masked value?
    mask_pattern: String, // e.g., "***-**-1234"
}
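As an added example (not Aether's code), the policy type above can be applied in two places: when an entity is rendered for a role, hidden fields are dropped and masked fields are starred, and when a write arrives, any change to a field the role cannot edit is refused outright rather than silently ignored. The per-role policy table, the record, and the masking rule (keep the last four characters and star out the rest, which reproduces the "***-**-1234" shape above) are constructed for this illustration; a fixed `mask_pattern`, when set, is shown verbatim instead.

```python
# Added example: applying a field-level access policy on read and on write.
# Not Aether's code; the policy table, record and masking rule are constructed.
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class FieldAccess:
    can_view: bool = True
    can_edit: bool = True
    mask_value: bool = False
    mask_pattern: str = ""  # literal shown when set; otherwise derived by mask()


def mask(value: str, visible_tail: int = 4) -> str:
    """Star out every alphanumeric character except the trailing `visible_tail`.

    Separators such as '-' are kept so the shape of the value survives, e.g.
    '123-45-1234' -> '***-**-1234'. Values that are too short to keep a tail
    are fully masked rather than leaked whole.
    """
    if len(value) <= visible_tail:
        return "*" * len(value)
    head, tail = value[:-visible_tail], value[-visible_tail:]
    return "".join("*" if ch.isalnum() else ch for ch in head) + tail


# Constructed policy: role -> field -> FieldAccess. Fields not listed get full access.
FIELD_POLICY: Dict[str, Dict[str, FieldAccess]] = {
    "content_editor": {
        "ssn": FieldAccess(can_view=True, can_edit=False, mask_value=True),
        "internal_notes": FieldAccess(can_view=False, can_edit=False),
        "created_at": FieldAccess(can_view=True, can_edit=False),
    },
    "administrator": {},
}


def policy_for(role: str, field_name: str) -> FieldAccess:
    return FIELD_POLICY.get(role, {}).get(field_name, FieldAccess())


def render(entity: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return the entity as the role may see it: hidden fields dropped, masked fields starred."""
    visible: Dict[str, Any] = {}
    for name, value in entity.items():
        access = policy_for(role, name)
        if not access.can_view:
            continue
        if access.mask_value:
            visible[name] = access.mask_pattern or mask(str(value))
        else:
            visible[name] = value
    return visible


def apply_update(entity: Dict[str, Any], role: str,
                 changes: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Apply `changes` unless any touched field is read-only for the role.

    Fails closed: one rejected field rejects the whole write, so a client cannot
    smuggle a protected field into an otherwise legitimate update.
    Returns (resulting_entity, rejected_field_names).
    """
    rejected = sorted(name for name in changes if not policy_for(role, name).can_edit)
    if rejected:
        return dict(entity), rejected
    updated = dict(entity)
    updated.update(changes)
    return updated, []
```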

Single Sign-On (SSO)

Aether supports enterprise SSO through multiple protocols. Users authenticate with your identity provider; Aether handles the rest.

SAML 2.0: Enterprise SSO with Okta, OneLogin, PingFederate, AD FS

OpenID Connect: Modern OAuth2-based authentication

Azure AD / B2C: Microsoft enterprise and customer identity

Social Login: Google, GitHub, LinkedIn, and more

SAML 2.0 Integration

Full SAML 2.0 support as a Service Provider (SP). Works with any SAML-compliant Identity Provider including enterprise solutions.

security.config
auth:
  saml:
    enabled: true
    idp_entity_id: "https://idp.example.com/saml"
    idp_sso_url: "https://idp.example.com/sso"
    idp_certificate: "${IDP_CERT}"
    attribute_mapping:
      email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      groups: "http://schemas.xmlsoap.org/claims/Group"
    role_mapping:
      - idp_group: "CMS Admins"
        aether_role: "administrator"
      - idp_group: "Content Team"
        aether_role: "content_editor"
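The `role_mapping` block above is effectively an allowlist: a group the IdP asserts but the config does not name must grant nothing. The added example below (not Aether's code) shows that step in isolation, taking the decoded attribute statement of an assertion and producing the local profile. The config dict mirrors the sample above, the attribute values are constructed, and the assertion's signature, audience and validity window are assumed to have been verified already, since no attribute is trustworthy before that.

```python
# Added example: mapping SAML attributes and IdP groups to Aether roles.
# Not Aether's code; the config mirrors the sample above and the attributes are constructed.
from typing import Dict, List

SAML_CONFIG = {
    "attribute_mapping": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "groups": "http://schemas.xmlsoap.org/claims/Group",
    },
    "role_mapping": [
        {"idp_group": "CMS Admins", "aether_role": "administrator"},
        {"idp_group": "Content Team", "aether_role": "content_editor"},
    ],
}


def profile_from_assertion(attrs: Dict[str, List[str]], config: dict = SAML_CONFIG) -> dict:
    """Build the local user profile from a verified assertion's attribute statement.

    `attrs` is {attribute_name: [values, ...]} as decoded from the assertion.
    Roles come only from exact matches against role_mapping; every SSO user
    additionally receives the baseline 'authenticated' role. Unmapped groups
    are reported so an operator can see what the IdP sent but was ignored.
    """
    amap = config["attribute_mapping"]
    email = attrs.get(amap["email"], [None])[0]
    if not email:
        raise ValueError("assertion lacks the mapped email attribute")
    groups = set(attrs.get(amap["groups"], []))
    mapped = {m["idp_group"]: m["aether_role"] for m in config["role_mapping"]}
    roles = {role for group, role in mapped.items() if group in groups}
    roles.add("authenticated")
    return {
        "email": email,
        "name": attrs.get(amap["name"], [""])[0],
        "roles": sorted(roles),
        "ignored_groups": sorted(groups - set(mapped)),
    }
```

Matching is exact and case-sensitive in this illustration; "cms admins" does not become "administrator". Whether to normalise case is a policy decision, but it should be made explicitly rather than by a loose comparison that can be satisfied by an unintended group name.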

OpenID Connect

Modern OAuth2-based authentication with OpenID Connect. Works with Auth0, Okta, Keycloak, and any OIDC-compliant provider.

security.config
auth:
  oidc:
    enabled: true
    issuer: "https://auth.example.com"
    client_id: "${OIDC_CLIENT_ID}"
    client_secret: "${OIDC_CLIENT_SECRET}"
    scopes: ["openid", "profile", "email", "groups"]
    redirect_uri: "https://cms.example.com/auth/callback"

Azure AD B2C

Native integration with Microsoft Azure AD B2C for customer identity and access management. Perfect for sites with end-user authentication.

security.config
auth:
  azure_b2c:
    enabled: true
    tenant: "yourcompany.onmicrosoft.com"
    policy: "B2C_1_SignUpSignIn"
    client_id: "${AZURE_CLIENT_ID}"
    client_secret: "${AZURE_CLIENT_SECRET}"
    scopes: ["openid", "profile"]

Audit Logging

Complete audit trail of all system activity. Track who accessed what, when, and from where. Export logs for compliance reporting.

Logged events include:

  • User authentication (login, logout, failed attempts)
  • Content changes (create, edit, delete, publish)
  • Permission changes (role assignments, policy updates)
  • Configuration changes (site settings, module config)
  • API access (all API calls with user and IP)
  • File uploads and downloads

Audit Log Entry
{
  "timestamp": "2024-01-15T10:30:00Z",
  "event": "content.publish",
  "user_id": "user_abc123",
  "user_email": "editor@example.com",
  "resource": "article:456",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0...",
  "changes": { "status": ["draft", "published"] }
}
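Entries in that shape are most useful when something reads them back. The added example below (not Aether's code) runs two detections over an exported batch: repeated failed logins from one IP inside a sliding window, and role assignments that newly confer administrator. The log lines are constructed for the example, and the event names `auth.login_failed`, `auth.login` and `permission.role_assign` are assumptions standing in for whatever the product emits for the "User authentication" and "Permission changes" categories listed above.

```python
# Added example: detection logic over audit entries in the page's JSON shape.
# Not Aether's code; the entries and the auth/permission event names are constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

AUDIT_LINES = """\
{"timestamp":"2024-01-15T10:30:00Z","event":"auth.login_failed","user_email":"editor@example.com","ip_address":"203.0.113.7","user_agent":"curl/8.0"}
{"timestamp":"2024-01-15T10:30:20Z","event":"auth.login_failed","user_email":"editor@example.com","ip_address":"203.0.113.7","user_agent":"curl/8.0"}
{"timestamp":"2024-01-15T10:30:45Z","event":"auth.login_failed","user_email":"admin@example.com","ip_address":"203.0.113.7","user_agent":"curl/8.0"}
{"timestamp":"2024-01-15T10:31:10Z","event":"auth.login_failed","user_email":"admin@example.com","ip_address":"203.0.113.7","user_agent":"curl/8.0"}
{"timestamp":"2024-01-15T10:31:30Z","event":"auth.login_failed","user_email":"editor@example.com","ip_address":"198.51.100.9","user_agent":"Mozilla/5.0"}
{"timestamp":"2024-01-15T10:32:00Z","event":"auth.login","user_id":"user_abc123","user_email":"editor@example.com","ip_address":"192.168.1.100","user_agent":"Mozilla/5.0"}
{"timestamp":"2024-01-15T10:35:00Z","event":"content.publish","user_id":"user_abc123","user_email":"editor@example.com","resource":"article:456","ip_address":"192.168.1.100","user_agent":"Mozilla/5.0","changes":{"status":["draft","published"]}}
{"timestamp":"2024-01-15T10:45:00Z","event":"permission.role_assign","user_id":"user_abc123","user_email":"editor@example.com","resource":"user:789","ip_address":"192.168.1.100","user_agent":"Mozilla/5.0","changes":{"roles":[["content_editor"],["content_editor","administrator"]]}}
"""


def parse_audit(text: str) -> List[dict]:
    """Parse one JSON object per line and attach a datetime under 'ts'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["ts"] = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(entry)
    return entries


def failed_login_bursts(entries: List[dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {ip: peak_count} for IPs with >= threshold failures inside any window."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for entry in entries:
        if entry["event"] == "auth.login_failed":
            by_ip[entry["ip_address"]].append(entry["ts"])
    hits: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def admin_grants(entries: List[dict]) -> List[dict]:
    """Role assignments whose 'after' list gained administrator."""
    findings = []
    for entry in entries:
        if entry["event"] != "permission.role_assign":
            continue
        before, after = entry["changes"]["roles"]
        if "administrator" in after and "administrator" not in before:
            findings.append({"actor": entry["user_id"], "target": entry["resource"],
                             "ip": entry["ip_address"], "at": entry["timestamp"]})
    return findings
```

Both detections key on fields the page already records (`ip_address`, `user_id`, `resource`, `changes`), which is the argument for keeping the before/after pair in `changes` rather than only the new value: without the "before" list, the grant detection above cannot distinguish a fresh escalation from a no-op re-save.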

AI Content Moderation

The Content Moderator AI specialist automatically reviews content for policy compliance before publication. Configurable policies let you define what's acceptable for your organization.

Built-in moderation checks:

  • Toxicity and hate speech detection
  • Violence and graphic content
  • Adult content filtering
  • Personally identifiable information (PII)
  • Custom policy rules

Human-in-the-Loop

Content flagged by the AI moderator is queued for human review. Reviewers can approve, reject, or request changes with a single click.
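As an added example (not Aether's code, and not the Content Moderator AI itself), the pipeline below shows the deterministic part of such a setup: a PII check and a custom policy rule run before publication, any finding routes the item to a review queue instead of publishing it, and a reviewer's decision is recorded with the findings that triggered it. The regexes, the custom rule and the sample texts are constructed; a real deployment would add the model-based checks listed above alongside these rules.

```python
# Added example: rule-based moderation checks feeding a human review queue.
# Not Aether's code; patterns, the custom rule and sample texts are constructed.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Check = Callable[[str], List["Finding"]]


@dataclass
class Finding:
    policy: str
    detail: str


@dataclass
class ModerationResult:
    decision: str                                   # "publish" or "review"
    findings: List[Finding] = field(default_factory=list)


# Constructed PII patterns; deliberately simple so the behaviour is easy to follow.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def pii_check(text: str) -> List[Finding]:
    return [Finding("pii", f"{name} detected") for name, rx in PII_PATTERNS.items() if rx.search(text)]


def custom_rule(name: str, pattern: str) -> Check:
    """Build a policy check from an operator-supplied pattern (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda text: [Finding(name, f"matched /{pattern}/")] if rx.search(text) else []


# Constructed policy set: built-in PII check plus one custom rule for unreleased project names.
CHECKS: List[Check] = [pii_check, custom_rule("embargo", r"\bproject (?:falcon|osprey)\b")]


def moderate(text: str, checks: List[Check] = CHECKS) -> ModerationResult:
    """Run every check; any finding sends the content to human review."""
    findings = [f for check in checks for f in check(text)]
    return ModerationResult("review" if findings else "publish", findings)


class ReviewQueue:
    """Holds flagged items until a reviewer approves, rejects or requests changes."""
    ACTIONS = {"approve", "reject", "request_changes"}

    def __init__(self) -> None:
        self.pending: Dict[str, ModerationResult] = {}
        self.decisions: List[dict] = []

    def submit(self, content_id: str, result: ModerationResult) -> bool:
        """Queue only items that need review; returns True when queued."""
        if result.decision != "review":
            return False
        self.pending[content_id] = result
        return True

    def decide(self, content_id: str, reviewer: str, action: str) -> dict:
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        result = self.pending.pop(content_id)          # KeyError if never queued
        record = {"content_id": content_id, "reviewer": reviewer, "action": action,
                  "policies": sorted({f.policy for f in result.findings})}
        self.decisions.append(record)
        return record
```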