Access Controls Policy
Owner: Fluent Terrain LLC Security and Engineering. Effective: May 11, 2026. Last updated: May 11, 2026.
This policy documents how GlacialBooks limits access to production assets, sensitive financial data, and internal support tooling through centralized identity, RBAC, MFA, tenant scoping, audit logs, managed identities, and 90-day access reviews.
Centralized identity
Customer and internal sign-in is governed through Microsoft Entra-based identity. Local password sign-in is allowed only when explicitly enabled for the environment. Password reset tokens expire after 60 minutes. Email verification tokens expire after 24 hours. Local application sessions expire after 8 hours.
Multi-factor authentication
MFA is required before Plaid Link or any financial account connection flow is surfaced. MFA is required for workforce access to production systems that store or process customer financial data. Local password accounts lock for 15 minutes after 5 failed sign-in attempts.
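The following is an added illustration, not GlacialBooks code, of how the local password controls stated in this policy can be enforced in one place: an account locks for 15 minutes after 5 failed sign-in attempts and unlocks on its own when the window passes, and reset and verification tokens are single-use and expire after 60 minutes and 24 hours respectively. The in-memory store, the PBKDF2 parameters, the injected clock and the sample account are assumptions made for the example.

```python
"""Added example, not GlacialBooks code: local password sign-in throttling and
expiring one-time tokens with the values stated in this policy (5 failed
attempts lock the account for 15 minutes; password reset tokens live 60
minutes; email verification tokens live 24 hours). The in-memory store, the
PBKDF2 parameters and the injected clock are assumptions for illustration."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 5
LOCKOUT = timedelta(minutes=15)
TOKEN_TTL = {
    "password_reset": timedelta(minutes=60),
    "email_verify": timedelta(hours=24),
}
DUMMY_SALT = b"\x00" * 16  # used to equalize work for unknown accounts


class FakeClock:
    """Controllable clock so the time-based rules can be exercised offline.
    Starts at a constructed timestamp; production code would call
    datetime.now(timezone.utc) instead."""
    def __init__(self):
        self.now = datetime(2026, 5, 11, 9, 0, tzinfo=timezone.utc)

    def __call__(self):
        return self.now

    def advance_minutes(self, minutes):
        self.now += timedelta(minutes=minutes)


class LocalAuth:
    def __init__(self, clock):
        self.clock = clock
        self.users = {}   # email -> salt, password hash, failure count, lock expiry
        self.tokens = {}  # token -> (email, purpose, expires_at)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": self._hash(salt, password),
                             "failures": 0, "locked_until": None}

    def sign_in(self, email, password):
        """Returns 'ok', 'locked' or 'denied'. Unknown accounts and wrong
        passwords both yield 'denied', and unknown accounts still pay the
        hashing cost, so neither the response nor its timing reveals which
        accounts exist."""
        now = self.clock()
        user = self.users.get(email)
        if user is None:
            self._hash(DUMMY_SALT, password)
            return "denied"
        if user["locked_until"] is not None and now < user["locked_until"]:
            return "locked"
        if hmac.compare_digest(self._hash(user["salt"], password), user["hash"]):
            user["failures"] = 0
            user["locked_until"] = None
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            # Lock for the policy window and start a fresh count afterwards.
            user["locked_until"] = now + LOCKOUT
            user["failures"] = 0
            return "locked"
        return "denied"

    def issue_token(self, email, purpose):
        """Mint a single-use token whose lifetime depends on its purpose."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, purpose, self.clock() + TOKEN_TTL[purpose])
        return token

    def redeem_token(self, token, purpose):
        """Consume the token. Returns the bound email, or None when the token is
        unknown, was issued for a different purpose, or has expired. The token
        is removed on every attempt, so a wrong-purpose redemption burns it."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        email, bound_purpose, expires_at = entry
        if bound_purpose != purpose or self.clock() >= expires_at:
            return None
        return email
```

The lock expiry is checked on every attempt rather than cleared by a background job, so a stale lock can never outlive its 15 minutes, and a successful sign-in resets both the counter and the lock so legitimate users are not penalized by an earlier burst of failures.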
Role-based access control
GlacialBooks organization roles are Owner, Admin, Accountant, Staff, and Read Only. Backend dependencies enforce the minimum role required for each protected route. Internal support roles are separate from customer organization roles and require internal identity validation.
Least privilege
Production access requires a documented business need, environment scope, product scope, resource scope, and role scope. Privileged actions such as support impersonation, integration management, role changes, exports, and account deletion are logged. Emergency access must be reviewed within 1 business day after use.
Access reviews
Privileged production access, internal support access, managed identities, service principals, and app-role assignments are reviewed every 90 days. Access for terminated workers is removed within 24 hours. Access changed by role transfer is updated within 1 business day.
Zero trust operating model
Access is denied by default. Requests must authenticate, authorize against tenant membership, and satisfy route-level role checks. Production infrastructure uses private networking for data services, explicit role assignments, managed identities, and keyless access patterns when the Azure or provider service supports them.
Non-human access
Automation and Azure workloads use managed identity or OIDC federation as the default. Provider integrations use OAuth, signed webhooks, TLS-protected APIs, or provider-issued tokens stored server side. Static client secrets require an owner, Key Vault storage, and a 90-day review until the provider supports managed identity or OIDC federation.
Sensitive data safeguards
Sensitive financial data is visible only through authorized tenant-scoped routes. Raw provider payloads, payroll employee details, support actions, admin views, and export functions are restricted by role and audited. Tenant-scoped queries must filter by organization identifier server side.
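The following is an added illustration, not GlacialBooks code, of the three rules stated under Role-based access control, Zero trust operating model and Sensitive data safeguards working together: every protected route denies by default, checks tenant membership before the route-level minimum role, filters rows by organization identifier on the server, and writes an audit record for privileged actions such as export. The role ordering (Read Only below Staff below Accountant below Admin below Owner), the principal and audit-record shapes and the sample invoice rows are assumptions made for the example; the policy names the roles but not their hierarchy.

```python
"""Added example, not GlacialBooks code: a deny-by-default authorization check
that combines route-level minimum-role enforcement with server-side tenant
scoping. The role ordering, the Principal shape, the in-memory invoice table
and the audit-log format are all assumptions made for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    # Assumed ordering; the policy names the roles but not their hierarchy.
    READ_ONLY = 0
    STAFF = 1
    ACCOUNTANT = 2
    ADMIN = 3
    OWNER = 4


@dataclass(frozen=True)
class Principal:
    user_id: str
    # organization id -> role held in that organization (assumed shape)
    memberships: dict


class AuthorizationError(Exception):
    pass


def authorize(principal, org_id, minimum_role):
    """Deny by default: fail unless the caller is authenticated, is a member of
    org_id, and holds at least minimum_role there. Returns the effective role.
    Membership is checked before role so a role in one tenant never grants
    anything in another."""
    if principal is None:
        raise AuthorizationError("unauthenticated")
    role = principal.memberships.get(org_id)
    if role is None:
        raise AuthorizationError("not a member of this organization")
    if role < minimum_role:
        raise AuthorizationError("insufficient role")
    return role


# Constructed sample rows; every row carries its organization identifier.
INVOICES = [
    {"id": "inv-1", "org_id": "org-a", "amount": 100},
    {"id": "inv-2", "org_id": "org-b", "amount": 250},
]


def list_invoices(principal, org_id):
    """Read route: Read Only is enough, but rows are filtered by the
    authorized org_id on the server, never by a client-supplied filter."""
    authorize(principal, org_id, Role.READ_ONLY)
    return [row for row in INVOICES if row["org_id"] == org_id]


def export_invoices(principal, org_id, audit_log):
    """Privileged route: requires Accountant or above and writes an audit
    record (actor, organization, action, effective role) before returning."""
    role = authorize(principal, org_id, Role.ACCOUNTANT)
    audit_log.append({"actor": principal.user_id, "org_id": org_id,
                      "action": "export", "role": role.name})
    return list_invoices(principal, org_id)


def is_denied(route, *args):
    """True when the route raises AuthorizationError for these arguments."""
    try:
        route(*args)
    except AuthorizationError:
        return True
    return False
```

The organization identifier used for filtering is the one the caller was authorized against, so a request cannot widen its own scope by sending a different identifier in a query parameter, and the audit record is written before any data is returned so a failed export still leaves a trace of the attempt's authorization.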
See the MFA implementation page for the consumer and workforce MFA controls used before financial account connection flows.