AccessStudio


Identity, permissions, and the credential vault.

Auth0 tells your app a user has roles. AccessStudio decides what those roles mean at the database layer — and vaults the outbound credentials with delegation, encrypted at rest.


Identity providers stop where your data starts.

Auth0, Okta, Cognito — they tell your application "this user has these roles." They leave it to you to decide what those roles MEAN: which tables, which columns, which records. The decision logic ends up scattered across handlers with bugs you only catch when a customer reports seeing data they shouldn't.

Worse: identity providers don't manage outbound credentials. The vendor-portal password lives in a .env file or AWS Secrets Manager, separate from the user who authored the script that uses it. Audit logs don't connect the two.

Key features

Identity, RBAC, and a credential vault in one workspace.

DataAccessResolver — per-user filtering at the platform.

Each user's profile lists allowed connections, databases, and collections. The platform's TabulatorApi and template renderer enforce them. No per-handler boilerplate. When you add a new screen, gating works automatically.


Credential vault with four-identity audit.

Each vault entry carries internal_username (runner-match), run_as_username (delegation), username (carrier login), and email (MFA contact). Scripts call getCredentials(slug), and passwords are filled in at form-fill time. Audit logs link every dispense to the originating user.

Permissions as topics — namespaced capabilities.

Each _permission record has a topic (data_studio.export.bson, pilot_studio.test.edit). Profiles and users reference topics. Adding a capability is a _permission insert plus a template-side can(User, topic) gate.


User Activity & session auditing.

Every authenticated request stamps created_by/modified_by on writes. Every credential dispense logs to an audit collection. Every pilot run records who launched it. Full chain-of-custody.

Profiles (reusable roles).

Each profile carries chip-selected permissions, navigation links, and explicit allow lists for connections, databases, collections. Every user is assigned to one. Direct user-level permissions augment the profile (add, never subtract).
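The model described above (topic permissions, profiles with allow lists, and add-only user grants), sketched as an added example; this is not AccessStudio's code. The class names, field names, and sample connection, database, and collection names are assumptions; only the two topic strings come from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:                       # hypothetical shape of a profile record
    name: str
    permissions: frozenset           # topic strings
    connections: frozenset           # explicit allow lists
    databases: frozenset
    collections: frozenset

@dataclass(frozen=True)
class User:                          # hypothetical shape of a user record
    username: str
    profile: Profile
    extra_permissions: frozenset = frozenset()   # direct grants: add only

def effective_topics(user):
    """Profile topics plus direct grants. A union can never subtract."""
    return user.profile.permissions | user.extra_permissions

def can(user, topic):
    """Exact-match capability gate; a missing or partial topic is denied."""
    return topic in effective_topics(user)

def may_access(user, connection, database, collection):
    """Deny by default: every level must be on the profile's allow list."""
    p = user.profile
    return (connection in p.connections
            and database in p.databases
            and collection in p.collections)

def visible_collections(user, connection, database, candidates):
    """Filter a listing down to what the user may see, keeping order."""
    return [c for c in candidates
            if may_access(user, connection, database, c)]

# Constructed sample data (not from the product)
ANALYST = Profile(
    name="analyst",
    permissions=frozenset({"pilot_studio.test.edit"}),
    connections=frozenset({"prod-mongo"}),
    databases=frozenset({"tenant_acme"}),
    collections=frozenset({"invoices", "orders"}),
)
ALICE = User("alice", ANALYST, frozenset({"data_studio.export.bson"}))
BOB = User("bob", ANALYST)
```

Because the gate is an exact match on the full topic string, a prefix such as `data_studio.export` grants nothing, and a database missing from the allow list is denied even when the connection and collection names match.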


What only AccessStudio offers

What Auth0, Okta, and AWS IAM cannot do.

DataAccessResolver enforcement. Per-user connection/database/collection filtering at the platform layer. No per-handler boilerplate.
Credential vault with delegation. Internal user → run-as identity → carrier credential. Three-tier accountability.
Permissions as topics, not roles. Namespaced capability strings with declarative can(User, ...) gating.
Integrated session activity log. Per-user last-login, IP, profile-at-login. Queryable. Built-in.
Same shell as your data tools. Manage auth alongside the queries, scripts, tests it gates.

Use cases

What teams build with AccessStudio.

Multi-tenant SaaS access control

Each customer's MongoDB data lives in its own database. The user's profile lists the allowed databases. The platform enforces the list.

Vendor automation with delegation

Pilot logs into a portal as the carrier identity. Audit log records internal user + run-as user + carrier credential.

Regulated environments

Every action attributable to a person. No shared service accounts. Activity tab is SOC 2 audit evidence.

Read-only auditors

Profile with view-only permissions + narrow allow list. Auditor sees what they need; no accidental writes possible.

Auth that's a peer to your data.

AccessStudio is included in every tier. Free includes basic users + activity; Solo and Team add the vault, full activity, and Bulk Compare promotion.
