Access Control & Audit Transparency

Embarc couples role-based access control with deep auditing so you can enforce least privilege and still know exactly who did what, and when.


Role-Based Access Control (RBAC)

  • Granular permissions: Every API command maps to a permission (e.g., CREATE_CLIENT, APPROVE_LOAN, DISBURSE_LOAN). Assign only what each role genuinely needs.
  • Role management APIs: Use:
    • POST /api/v1/roles to create roles.
    • PUT /api/v1/roles/{id} to update or assign permissions.
    • GET /api/v1/roles to audit your role catalog.
  • User assignment: Map users to roles via POST /api/v1/users/{id}/roles or during user creation. Keep each user’s role set lean to reduce risk.

Audit Trail

  • Automatic logging: Every non-read command generates an audit entry—date, user, action, entity, and the payload.
  • API access:
    • List entries via GET /api/v1/audits?offset=0&limit=50&orderBy=madeOnDate&sortOrder=DESC.
    • Filter by entity, user, date range, or status to build compliance reports (/api/v1/audits/searchtemplate shows filterable fields).
  • Data captured:
    • Actor (user ID, username).
    • Timestamp (tenant locale for display, UTC stored).
    • Command payload (original JSON).
    • Outcome (approved, rejected, failed).
    • Checker info when maker-checker is active.
  • Retention: Embarc stores audits in write-once tables that are retained for 7 years.

Putting It Together

  1. Define least-privilege roles for every persona (loan officer, teller, collections, finance) and map them to Embarc permissions.
  2. Keep user-role assignments tight and rotate credentials or tokens regularly.
  3. Enable maker-checker on sensitive flows to introduce dual control without custom development.
  4. Monitor the audit API with scheduled exports or dashboards so exceptions (failed approval, unauthorized command) surface quickly.
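
The monitoring step above, as an added example that is not part of Embarc's documentation or code: it builds the paged audit query from the page, then scans a constructed batch of entries for the exceptions a scheduled export should surface (rejected, failed or unauthorized outcomes, dual-control actions recorded without a checker, and payloads that no longer parse). Apart from madeOnDate, the JSON key names are assumptions chosen to mirror the fields the page lists, not Embarc's documented schema.

```python
import json
from collections import Counter
from urllib.parse import urlencode

# Constructed sample entries shaped after the fields the page lists (actor, timestamp,
# payload, outcome, checker). Key names other than madeOnDate are assumptions.
SAMPLE_AUDITS = [
    {"id": 101, "maker": "jdoe", "madeOnDate": "2024-05-01T09:12:00Z",
     "actionName": "APPROVE", "entityName": "LOAN", "processingResult": "processed",
     "checker": "asmith", "commandAsJson": '{"approvedOnDate": "2024-05-01"}'},
    {"id": 102, "maker": "jdoe", "madeOnDate": "2024-05-01T09:15:00Z",
     "actionName": "DISBURSE", "entityName": "LOAN", "processingResult": "processed",
     "checker": None, "commandAsJson": '{"actualDisbursementDate": "2024-05-01"}'},
    {"id": 103, "maker": "tlee", "madeOnDate": "2024-05-01T10:02:00Z",
     "actionName": "CREATE", "entityName": "CLIENT", "processingResult": "unauthorized",
     "checker": None, "commandAsJson": '{"firstname": "A", "lastname": "B"}'},
    {"id": 104, "maker": "mkim", "madeOnDate": "2024-05-01T10:30:00Z",
     "actionName": "UPDATE", "entityName": "CLIENT", "processingResult": "processed",
     "checker": None, "commandAsJson": '{"mobileNo": 5551'},
]

FLAGGED_RESULTS = {"rejected", "failed", "unauthorized"}
DUAL_CONTROL_ACTIONS = {"APPROVE", "DISBURSE"}  # flows that should carry a checker


def audit_page_url(base, offset=0, limit=50):
    """Build the paged, newest-first audit query the page documents."""
    params = {"offset": offset, "limit": limit, "orderBy": "madeOnDate", "sortOrder": "DESC"}
    return f"{base}/api/v1/audits?{urlencode(params)}"


def find_exceptions(entries):
    """Return entries needing review: flagged outcomes, dual-control actions with no
    checker, or a stored payload that no longer round-trips as JSON."""
    flagged = []
    for e in entries:
        reasons = []
        if str(e.get("processingResult", "")).lower() in FLAGGED_RESULTS:
            reasons.append("outcome=" + e["processingResult"])
        if e.get("actionName") in DUAL_CONTROL_ACTIONS and not e.get("checker"):
            reasons.append("dual-control action without checker")
        try:
            json.loads(e.get("commandAsJson") or "{}")
        except json.JSONDecodeError:
            reasons.append("unparseable payload")
        if reasons:
            flagged.append({"id": e["id"], "maker": e.get("maker"), "reasons": reasons})
    return flagged


def exceptions_by_maker(entries):
    """Count flagged entries per actor so repeat sources stand out on a dashboard."""
    return Counter(f["maker"] for f in find_exceptions(entries))
```

Run on a scheduled export, the same checks apply to each page of results; filtering by entity or date range via the searchtemplate fields narrows the batch before scanning.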

Together, RBAC and audit trails give you the confidence that only authorized people can touch customer or loan data and that every change is traceable end-to-end.