Access Control
How WiserReview manages access to systems, infrastructure, and customer data. Least privilege and need-to-know are the foundation of every access decision.
Version: 1.0
Effective Date: March 2026
Owner: Security Team
1. User Access Management
Provisioning (On Joining)
| System | Access Level | Provisioned By |
|---|---|---|
| GitHub organization | Repository access based on role | Engineering Lead |
| Azure portal | Read-only or scoped; Engineering Lead gets full access | Security Officer / Engineering Lead |
| MongoDB Atlas | No direct production access for developers; Engineering Lead only | Security Officer |
| Cloudflare | Read-only by default; admin access for Engineering Lead only | Security Officer |
| Slack | Standard workspace access | Engineering Lead |
| Internal tools | Role-appropriate access | Engineering Lead |
De-provisioning (On Departure)
All access is revoked within 24 hours. The Security Officer is responsible for ensuring this window is met for all departing team members.
- GitHub organization membership revoked
- Azure portal access removed
- MongoDB Atlas access removed
- Cloudflare access removed
- Slack workspace access removed
- All shared credentials rotated if the individual had access
- Active sessions invalidated where possible
2. Role-Based Access Control
Merchant Workspace Roles
Each merchant workspace supports three roles. Role assignments are carried in the user's JWT and enforced server-side on every API request. Authorization is enforced independently in the backend, regardless of UI state.
| Role | Permissions |
|---|---|
| Admin | Full access to the workspace: review management, widget configuration, email sequences, branding, integrations, billing, team member invitations, account deletion |
| Editor | Review management, widget configuration, email sequences, branding. Cannot access billing, integrations, or invite/remove team members |
| Viewer | Read-only access to reviews and analytics. Cannot modify any settings or data |
Internal Team Access
| Role | Access Scope |
|---|---|
| Security Officer | Full access to all systems: Azure portal, MongoDB Atlas, GitHub, Cloudflare, all production environments |
| Engineering Lead | Full access to production infrastructure, CI/CD pipeline, Azure, MongoDB Atlas (read and operations), Cloudflare configuration |
| Developer | GitHub repository access (code and staging environments). No direct production database access. No direct production container access. |
| Support | Dashboard read-only access scoped to specific workspace(s) for support purposes only |
3. Principle of Least Privilege
All access is granted at the minimum level required to perform the intended function.
Internal Access
- Developers have no direct access to production databases or containers
- All production changes go through the CI/CD pipeline only
- MongoDB Atlas access restricted to Engineering Lead and Security Officer
- No SSH access to production servers
Platform Integration Scopes
When merchants connect e-commerce platforms, WiserReview requests only the minimum OAuth scopes required for review requests, product matching, and widget injection. Platform passwords are never stored. Only OAuth tokens are stored, and they are encrypted.
4. Authentication Mechanisms
| Mechanism | Application | Details |
|---|---|---|
| JWT Token Authentication | All API requests | Signed with server-side secret; defined expiration; claims include user identity, workspace context, and platform provider; requests with missing or invalid tokens rejected with HTTP 401 |
| OAuth 2.0 | Platform integrations | Authorization code flow; access token stored encrypted; merchant platform password never accessed; HMAC validation on incoming platform events |
| bcrypt | Password storage | One-way hashing; plaintext passwords never stored, logged, or transmitted; password recovery via time-limited single-use tokens |
| Cloudflare Turnstile CAPTCHA | Registration and public forms | Applied to registration and public-facing review submission to prevent bot abuse and credential stuffing |
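The HMAC validation of incoming platform events in the table above, shown from both sides as an added example (this is not WiserReview's code; the header name, hex encoding, and per-integration shared secret are assumptions). The receiver must compute the MAC over the exact bytes received, not over a re-serialized copy of the parsed JSON; the last function demonstrates why.

```python
import hashlib
import hmac
import json

# Constructed shared secret for one platform integration (assumption: each
# integration has its own secret, delivered out of band when it is connected).
WEBHOOK_SECRET = b"constructed-example-webhook-secret"


def sign_event(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Platform side: HMAC-SHA256 over the exact bytes it transmits, hex-encoded
    into a signature header (header name is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_event(raw_body: bytes, signature_header, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Receiver side: recompute over the raw request body and compare in
    constant time so a forged signature cannot be probed byte by byte."""
    if not signature_header:
        return False  # unsigned events are rejected, never processed on trust
    expected = sign_event(raw_body, secret)
    return hmac.compare_digest(expected, signature_header.strip().lower())


def reserialized_body_verifies(raw_body: bytes, signature_header) -> bool:
    """Pitfall check: parse the JSON and serialize it again (key order and
    whitespace may change), then verify against the original signature.
    Returns False whenever the bytes differ, which is the usual outcome."""
    reserialized = json.dumps(json.loads(raw_body)).encode()
    return verify_event(reserialized, signature_header)


# Constructed event as a platform would send it: compact JSON, specific key order.
SAMPLE_EVENT = b'{"topic":"orders/paid","order_id":1001,"email":"buyer@example.test"}'
```

In a web framework, `raw_body` is the request body before any JSON middleware touches it; if the framework only exposes the parsed object, the verification must be placed ahead of the parser.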
MFA Requirements
Multi-factor authentication is required for:
- GitHub organization access
- Azure portal access
- MongoDB Atlas access
5. Session Management
- API sessions are managed via JWT tokens, scoped per user and per workspace
- A session authenticated to one workspace cannot access data from another workspace
- Token expiration enforces automatic session termination. Sessions do not persist indefinitely.
- Cross-tab session state is synchronized in the dashboard to reflect role and workspace changes promptly
- On logout, the client discards the token; token revocation is handled via expiration
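The enforcement path that sections 2, 4 and 5 describe (signed JWT with identity, workspace and provider claims; 401 on a missing or invalid token; server-side role check on every request; no cross-workspace access) as one added example, not WiserReview's own code. Assumed details: HS256 signing, the claim names `sub`, `workspace_id`, `role` and `provider`, the action names taken from the role table, and a secret that in production would come from the secrets vault rather than a constant. Because the policy revokes tokens by expiration only, a token that leaks after logout stays valid until `exp`, so the TTL chosen here is the effective revocation window.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for the example only (assumption: HS256).
SIGNING_SECRET = b"constructed-example-signing-secret"

# Modifying actions per role, following the merchant workspace role table.
ROLE_PERMISSIONS = {
    "admin": {"reviews", "widgets", "email_sequences", "branding",
              "integrations", "billing", "team", "account_deletion"},
    "editor": {"reviews", "widgets", "email_sequences", "branding"},
    "viewer": set(),  # read-only: no modifying actions at all
}
READ_ACTIONS = {"read_reviews", "read_analytics"}  # permitted to every role


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, workspace_id, role, provider, ttl_seconds=3600, now=None):
    """Mint an HS256 JWT carrying the claims the policy lists."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "workspace_id": workspace_id, "role": role,
              "provider": provider, "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AuthError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status  # 401 for authentication, 403 for authorization


def verify_token(token, now=None):
    """Return the claims, or raise AuthError(401) for anything that is not a
    well-formed, correctly signed, unexpired token with the required claims."""
    if not token:
        raise AuthError(401, "missing token")
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError(401, "malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise AuthError(401, "malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AuthError(401, "malformed token")
    if header.get("alg") != "HS256":
        raise AuthError(401, "unsupported alg")  # never honour alg=none or a client-chosen alg
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError(401, "bad signature")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise AuthError(401, "token expired")
    for required in ("sub", "workspace_id", "role"):
        if required not in claims:
            raise AuthError(401, f"missing claim {required}")
    return claims


def authorize(token, requested_workspace, action, now=None):
    """Per-request check: valid token, same workspace as the request, role allows action."""
    claims = verify_token(token, now)
    if claims["workspace_id"] != requested_workspace:
        raise AuthError(403, "workspace mismatch")  # no cross-workspace access
    if action in READ_ACTIONS:
        return claims
    if action not in ROLE_PERMISSIONS.get(claims["role"], set()):
        raise AuthError(403, f"role {claims['role']} may not {action}")
    return claims


def handle_request(token, workspace_id, action, now=None):
    """Minimal handler mapping the outcome to an HTTP status code."""
    try:
        authorize(token, workspace_id, action, now)
        return 200
    except AuthError as e:
        return e.status
```

The role check deliberately reads the role from the verified claims rather than from anything the client sends alongside the request, which is what makes the UI state irrelevant to the decision.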
6. API Key and Token Management
| Token Type | Storage | Rotation |
|---|---|---|
| JWT tokens | Client-side (in memory or local storage) | On re-authentication |
| OAuth access tokens (platform integrations) | MongoDB Atlas (encrypted at rest) | On re-authorization |
| Service credentials (DB passwords, API keys) | GitHub encrypted secrets vault; injected as environment variables | On suspected compromise or team member departure |
| Cloudflare API tokens | GitHub encrypted secrets vault | Periodic |
7. Production Access Controls
WiserReview's production environment is designed to minimize direct human access.
| Control | Implementation |
|---|---|
| No SSH access to containers | Azure App Services is a managed platform: no direct SSH access to production containers is possible |
| No direct production database access for developers | MongoDB Atlas access restricted to Engineering Lead and Security Officer only |
| Deployments via CI/CD only | All production changes go through GitHub Actions: no manual file uploads or hotfixes applied directly to servers |
| MongoDB Atlas IP whitelisting | Database clusters accept connections only from authorized Azure App Service IP ranges |
| Redis password authentication | Redis instances require password authentication; no public endpoint exposed |
| Azure Container Registry | Docker images stored with authenticated access only: no public image pulls |
| GitHub encrypted secrets vault | All production credentials stored as encrypted secrets; accessible to GitHub Actions at runtime only |
| Azure portal MFA | Multi-factor authentication required for Azure portal access |
8. Periodic Access Reviews
| Aspect | Description |
|---|---|
| Trigger-based reviews | Immediately upon any role change, departure, or contractor engagement ending |
| Periodic reviews | Access levels reviewed as part of ongoing security practice (being formalized into a scheduled cadence) |
| Review scope | GitHub organization access, Azure portal roles, MongoDB Atlas users, Cloudflare team members |
Reviews are documented in internal records. The Engineering Lead conducts reviews; the Security Officer approves any access changes affecting production infrastructure.
9. Third-Party Access
- Third-party integrations connect exclusively via OAuth 2.0: no shared credentials
- External contractors or security consultants may be granted time-limited, scoped access to specific systems only, approved by the Security Officer
- All third-party access is de-provisioned immediately upon engagement completion
- No third party is granted unrestricted access to production customer data
10. Logging and Monitoring
| Monitoring Layer | Implementation |
|---|---|
| API request logging | All API requests logged with timestamp, endpoint, response time, and outcome |
| Error tracking | Sentry captures all application errors with full context: timestamps, stack traces, user context |
| Latency monitoring | Response times monitored; requests exceeding 5s threshold trigger Slack alerts |
| Health checks | Dedicated health-check endpoints monitor database and cache connectivity continuously |
| Real-time alerts | Critical errors and service anomalies trigger immediate Slack notifications |
| Cloudflare analytics | Traffic analytics, bot detection events, WAF rule triggers logged at the edge |
| Event tracking | 16+ event types tracked for usage patterns and anomaly detection |
Logs are retained for 90 days. Access to log data is restricted to the Engineering Lead and Security Officer.