Authorization & Compliance API
Darwan is the authorization and compliance engine for multi-tenant applications. Enforce least privilege, pass compliance audits, and ship access control from a single API -- with immutable audit trails, separation of duties, and periodic access reviews built in.
POST /v1/authorize

```json
{
  "tenantId": "acme-corp",
  "principalId": "user-42",
  "action": "read",
  "resourceType": "invoice"
}
```

200 OK

```json
{
  "allowed": true,
  "reason": "role:finance-reader"
}
```
Regulatory frameworks supported out of the box
Capabilities
Everything your team needs to enforce least privilege, satisfy auditors, and ship access control without building it from scratch.
- Define roles, permissions, and assignments across tenants. Deny-overrides-allow evaluation with explainable decisions.
- Layer fine-grained conditions on top of RBAC. Ownership rules, JSON constraints, and versioned policy sets.
- Every entity is tenant-scoped. One Darwan instance serves all your products with isolated data and policies.
- Set expiration dates on role assignments. Expired grants are automatically excluded from authorization and cleaned up by a background service.
- Define conflicting role constraints with Block or Warn enforcement. Violations are caught at assignment time across direct and group paths.
- Create certification campaigns to review all role assignments. Approve or revoke with audit trails. Overdue reviews auto-expire.
- Every decision is logged with SHA-256 hash chains and per-tenant sequencing. Verify integrity on demand. Archived, never deleted.
- Paginated search with filters, summary analytics, and CSV/JSON export. Real-time audit dashboard with integrity verification.
- Scoped API keys for service-to-service auth. Webhooks push role, policy, and compliance events to every downstream service.
How It Works
1. Create tenants, roles, and permissions in the admin console or via API. Assign roles with optional expiry dates and SoD constraints.
2. Call the authorize endpoint from your service. Darwan evaluates RBAC grants, ABAC policies, and time-bound assignments, then returns an explainable decision.

   ```
   POST /v1/authorize
   {"action": "read", ...}
   200 {"allowed": true}
   ```

3. Every decision is hash-chained and sequenced. Run periodic access reviews, export reports, and verify audit integrity on demand.
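The integrity check behind step 3, as an added illustration that is not Darwan's own code: each tenant's decisions get a monotonically increasing sequence number and a SHA-256 hash over the previous hash plus the canonical record, so tampering with a stored decision breaks the hash link and removing one leaves a sequence gap. The record layout, the genesis value and the canonical-JSON encoding are assumptions for this example, not the product's documented format.

```python
import hashlib
import json

# Assumed (not Darwan's documented) genesis value for an empty tenant chain.
GENESIS = "0" * 64


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same decision always
    # hashes identically regardless of how the record was serialised.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_decision(chain: list, tenant_id: str, decision: dict) -> dict:
    """Append a decision with the tenant's next sequence number and chain hash."""
    tenant_entries = [e for e in chain if e["record"]["tenantId"] == tenant_id]
    prev_hash = tenant_entries[-1]["hash"] if tenant_entries else GENESIS
    record = {"tenantId": tenant_id, "seq": len(tenant_entries) + 1, **decision}
    entry = {"record": record, "hash": entry_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_tenant_chain(chain: list, tenant_id: str) -> tuple:
    """Walk one tenant's entries in order and report the first integrity failure.

    Detects an altered record (hash mismatch) and a deleted or reordered entry
    (sequence gap). Truncation of the newest entries is only detectable if the
    latest hash is also stored somewhere the log writer cannot modify.
    """
    prev_hash, expected_seq = GENESIS, 1
    for entry in (e for e in chain if e["record"]["tenantId"] == tenant_id):
        rec = entry["record"]
        if rec["seq"] != expected_seq:
            return False, f"sequence gap: expected {expected_seq}, got {rec['seq']}"
        if entry_hash(prev_hash, rec) != entry["hash"]:
            return False, f"hash mismatch at seq {rec['seq']}"
        prev_hash, expected_seq = entry["hash"], expected_seq + 1
    return True, f"verified {expected_seq - 1} entries"


if __name__ == "__main__":
    # Constructed sample decisions for two tenants sharing one log.
    log = []
    append_decision(log, "acme-corp", {"principalId": "user-42", "action": "read",
                                       "resourceType": "invoice", "allowed": True,
                                       "reason": "role:finance-reader"})
    append_decision(log, "globex", {"principalId": "user-7", "action": "delete",
                                    "resourceType": "invoice", "allowed": False,
                                    "reason": "deny:no-grant"})
    print(verify_tenant_chain(log, "acme-corp"), verify_tenant_chain(log, "globex"))
```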
Regulatory Readiness
Darwan provides the controls, audit trails, and review workflows required by major compliance frameworks. No bolt-on tools needed.
| Framework | Standard | Darwan Capabilities |
|---|---|---|
| SOX | Sarbanes-Oxley | SoD constraints, access reviews, immutable audit logs |
| SOC 2 | Type II | Audit trails, access reviews, time-bound access, integrity verification |
| ISO 27001 | Annex A.9 | RBAC, periodic reviews, audit logging, least-privilege enforcement |
| HIPAA | Security Rule | Access controls, audit logs, automatic session expiry, review certification |
| PCI DSS | v4.0 | Role-based access, SoD, quarterly reviews, audit trail retention |
| GDPR | Art. 5(1)(f) | Access control, audit trails, data minimization via expiry, review evidence |
| NIST 800-53 | AC / AU Controls | RBAC/ABAC, SoD, continuous monitoring, audit integrity, access reviews |
Architecture
SDKs
Official SDKs for your stack. Authorize, batch-check, and explain decisions with a single function call.