Access Control & Identity
Access in Fintra follows one principle: nobody - human or AI agent - gets more access than their role requires, and every grant is reviewable and revocable. Role-based access control governs the product, SSO and MFA protect the front door, and AI agents authenticate as managed non-human identities rather than borrowed human credentials.
Role-based access control
Fintra ships with finance-shaped roles - owner, admin, accountant, approver, viewer - each mapping to the least privilege that job needs. Permissions are enforced server-side on every request, never just hidden in the UI. Sensitive boundaries (payroll data, bank connections, user management) require elevated roles, and role changes themselves are recorded in the audit log.
Authentication: SSO, MFA, and sessions
Strong access control starts before authorization - at proving who you are.
- Multi-factor authentication available for all accounts and enforceable tenant-wide by admins.
- SSO via Google Workspace and Microsoft; SAML for larger customers on the roadmap.
- Sessions use short-lived, httpOnly tokens with server-side revocation - an admin can terminate any user’s sessions immediately.
- Failed-login throttling and anomalous-login detection protect against credential stuffing.
Least privilege inside Fintra
The same rules bind us. Fintra employees get zero production access by default; engineers who need it receive scoped, time-bound grants behind SSO and MFA, reviewed on a recurring cadence and revoked automatically on role change or departure. Every production access lands in the append-only audit log, and SentriAI continuously tests that access reviews actually happened - a control that fails loudly if a review is skipped.
Non-human identities for AI agents
AI agents are principals too, and treating them as such is where most platforms fall down. In Fintra, every agent runs under its own non-human identity (NHI) managed by AgentFence: dedicated credentials (never a human’s), permissions scoped to the tools its role allows, automatic credential rotation, a named human owner, and full activity attribution in the trust ledger. When an agent is retired, its identity - and every credential attached to it - dies with it.
Frequently asked questions
Can I enforce MFA for my whole team?
Yes. Tenant admins can require MFA for all members; users without MFA are prompted to enroll at next sign-in and cannot access the tenant until they do.
What roles does Fintra support?
Built-in roles cover the finance org: owner, admin, accountant, approver, and viewer, each with least-privilege defaults. Sensitive areas like payroll and bank connections require elevated roles, and all role changes are audit-logged.
How do AI agents authenticate?
Each agent has its own non-human identity with dedicated, auto-rotated credentials and tool permissions scoped by AgentFence policy. Agents never share or borrow human credentials, so their actions are always attributable.
What happens to access when an employee leaves my company?
Admins can deactivate a user instantly, which revokes all active sessions server-side. If you use SSO, deprovisioning in your identity provider removes Fintra access as part of your normal offboarding.
Questions about access control?
Our security team answers due-diligence questions directly - documentation, DPAs, and evidence available on request.
Talk to our security team