Skip to main content

Security Review Package

Security and identity review path

This page bundles the parts of the operations handbook most relevant to security-minded stakeholders. Use it to review workforce identity, entitlements, privileged operations, audit coverage, and the security implications of internal hosting.

Primary review concerns

  • who can sign in and how workforce identity is trusted
  • how Builder Relations membership becomes access reality
  • how privileged access and exceptions are controlled
  • what audit and observability coverage exists for sensitive actions

Quick summary

Primary concerns

Security stakeholders should focus on access trust, entitlement defensibility, privileged actions, and audit coverage.

  • Okta SSO and trusted claims
  • Builder Relations org truth
  • break-glass and admin controls
  • audit coverage for sensitive operations
Typical decisions

Security and identity review often needs to shape these areas directly.

  • what identity path is approved
  • what groups or claims can drive access
  • how exceptions are granted and reviewed
  • what events require audit visibility
Key risks

The main failure mode is operational ambiguity around who should have access and how sensitive actions are reviewed later.

  • org membership is unclear
  • privileged actions are not auditable enough
  • hosting assumptions outrun security validation
  • exceptions become operational folklore

Security review focus areas

Identity and SSO

Review the workforce sign-in path, claims model, and how app sessions inherit enterprise identity trust.

Entitlements and org truth

Review how Builder Relations membership and reporting structure become product roles and access scopes.

Privileged operations

Review break-glass admin posture, admin-only routes, and how exceptions are governed.

Audit and telemetry

Review what access and operational events are logged, retained, and surfaced for investigation.

1. Identity And Access

Start here for Okta SSO, entitlement mapping, org truth, and governance framing.

2. Roles And Permissions

Review how product roles are expected to behave across the mobile experience and admin control plane.

3. Observability And Analytics

Review audit-event scope, telemetry posture, and operational visibility for sensitive actions.

4. Kanopy Hosting

Review hosting, ingress, callback, and runtime implications of the internal platform environment.

Security review checklist

Identity and access posture

Use this to pressure-test the access model before internal rollout expands.

  • [ ] workforce sign-in path is approved
  • [ ] trusted claims and groups are understood
  • [ ] Builder Relations source of truth is defensible
  • [ ] entitlement exceptions are explicit and reviewable
Audit and privileged operations

Use this to assess whether sensitive actions are governable after rollout.

  • [ ] role changes are logged
  • [ ] admin-only actions are identifiable
  • [ ] export or sensitive operations are included in audit scope
  • [ ] break-glass access is auditable

Risk

What security review should challenge directly

  • unclear source of truth for Builder Relations membership
  • privileged access without explicit review path
  • hosting assumptions that outrun auth and ingress clarity
  • insufficient audit visibility for sensitive access or actions