Identity, SSO & 2FA
Local accounts with password policy and lockout, TOTP two-factor authentication, and single sign-on via OIDC with just-in-time provisioning. Admins can list and revoke active sessions.
The UniSentinel platform
License modules one at a time or all at once — they all stand on the same core: one login, one permission model, one audit trail, and one place for dashboards, reports, notifications and integrations.
Platform services
Every capability here is available to every module automatically — no duplicated settings, no parallel systems, no seams.
Local accounts with password policy and lockout, TOTP two-factor authentication, and single sign-on via OIDC with just-in-time provisioning. Admins can list and revoke active sessions.
An M365-style app drawer puts every licensed module a click away inside a single session. Unlicensed modules stay visible but greyed — you always see what the platform can grow into.
Modules request approval for sensitive actions — risk acceptance, policy publication, audit report issuance. You set the rule per action: roles or named users, including N-of-M, with the full decision chain recorded.
Domain events drive an in-app inbox and email via your SMTP server, with per-user preferences, per-event templates and an optional digest — deliveries are retried until they land.
Upload your company logo once and it appears in the app shell, the login page and every report header and cover — alongside your brand colors. Each module plugs its settings panels into one settings tree.
Cloud entitlements, or an Ed25519-signed license file verified fully offline for self-hosted installs. Expiry means a grace period and then read-only mode — never a data lock-in.
Access control
Permissions aren't four CRUD checkboxes. Every module declares a catalog of per-action permissions — named module.resource.action — and the platform enforces them the same way everywhere.
Accountability
Every change in every module lands in one append-only audit log — who did what, to which entity, with the exact difference.
Insight
Modules register their widgets and report types; the platform turns them into one insight layer.
Each module's manifest registers its dashboard widgets, and every widget carries its own configuration form — filters, scope, chart type — so a new module brings new insight without any platform changes.
Drag-and-resize grids give every user a personal home dashboard, alongside shared dashboards published to specific roles. Every module ships a sensible default dashboard on its landing page.
Every widget's data runs under the permissions of the person viewing it — a shared dashboard can never leak a record the viewer couldn't open directly.
Parameterized report templates carry your logo, cover and headers, run on demand or on a schedule, and export to PDF, XLSX and CSV.
Open by design
One connector framework, one documented API, one webhook pipeline — all governed by the same permission model as everything else.
Scheduled connectors map external data into the right modules, with deduplication and per-connector sync logs. CSV import ships first — a day-one integration path for every customer — followed by vulnerability scanners and asset sources.
A versioned, OpenAPI-documented REST API with workspace-scoped tokens that carry permission scopes from the RBAC catalog — rate-limited and audit-logged like any other actor.
Subscribe to domain events and receive signed deliveries with automatic retries, so downstream systems can verify authenticity and never miss an event.
Single sign-on via OIDC and outbound email through your own SMTP server — the platform plugs into the identity and mail infrastructure you already operate.
Yes. Each module declares its permissions, widgets, report types, settings panels and events in a manifest, and the platform assembles the permission catalog, app drawer, dashboards and settings tree from those declarations — so every module, present or future, inherits the same foundation.
Yes. The role builder lists the entire permission catalog grouped by module, resource and action. Clone a preset role, adjust it down to the individual action, and assign it — with guardrails: system roles can't be edited, and you can never remove the last user who can manage roles.
Yes. A read-only Auditor role ships built in as a system role, and because every request is permission-checked fresh on the server, read-only means read-only — across the UI, reports and the API.
Yes. API tokens carry permission scopes drawn from the same catalog that governs users, every call is checked on the server, and API activity is written to the same audit trail as any human actor.
Get started
Book a 30-minute walkthrough. We'll map your program to the modules you need — cloud, on-prem Linux or Windows Server.
Every module works standalone. License only what you need — grow when you're ready.