Apiome Access
Real role-based access control — a resource-by-action permission model, member lifecycle, and enterprise identity.
Apiome Access replaces the coarse admin-or-not flag with genuine RBAC. Define built-in and custom roles against a resource by action permission matrix, run the full member lifecycle from invite to offboard, wire up SAML/OIDC SSO with SCIM provisioning, and hold it all accountable in an immutable audit log.

What ships with Access
Every Access surface is wired into the rest of the Apiome platform — no glue code, no separate identity, no bolt-on integrations.
Resource × action matrix
Grant allow, deny, or inherit per role across Project, Version, Class, Path, Primitive, and Member resources.
Built-in & custom roles
Immutable Owner, Admin, Editor, and Viewer roles that tenants clone to build their own custom roles.
Member lifecycle
Invite, assign roles, suspend, and offboard members with pending-invite tracking and last-active visibility.
SSO with group mapping
SAML/OIDC single sign-on that maps directory groups straight to Apiome roles.
SCIM provisioning
SCIM 2.0 just-in-time provisioning and deprovisioning for enterprise tenants.
Immutable access audit
A tamper-evident log of grants, role changes, sign-ins, and overrides — filterable and exportable.
A look inside Apiome Access
Live design previews from the Access mockup pack — 3 surfaces in total.

Member table with invites, role assignment, last-active visibility, and SSO/SCIM directory configuration.

Immutable who/what/when log of permission grants, role changes, sign-ins, and admin overrides, with export.
Use cases
Access is designed around the way real teams actually work — not the way a tool wants them to work.
Clone the Editor role, deny Primitive deletion, and apply it to a contractor cohort in one screen.
Connect Okta over SAML and map the Engineering group to the Editor role with SCIM auto-provisioning.
Export a filtered access log showing every permission change on a project during a compliance window.
- SAML / OIDC single sign-on with group-to-role mapping
- SCIM 2.0 just-in-time provisioning and deprovisioning
- Custom roles cloned from immutable built-ins
- Separate platform-admin plane for cross-tenant operations
- Immutable, exportable access audit with long-term retention
- Detect over-privileged roles and suggest least-privilege trims
- Explain a role's effective permissions in plain language
- Recommend a role from a described responsibility
- Flag anomalous grants and sign-ins in the audit stream
AI guardrails for least privilege
Access analyzes your roles and grants to surface over-broad permissions, recommend tighter roles, and explain exactly what any given role can do in plain language.
Every AccessAI feature is grounded in your tenant's data, runs under your data-residency policy, and respects every role and ACL the platform enforces.
Every surface in Apiome Access
A look at the 3 screens designed for this suite — covering everything from day-1 onboarding to day-100 operations.


