Control access before a request becomes a fire drill.

Control Plane

One canonical source for identity, policy, and access truth.

Zoth unifies users, groups, resources, policies, and approval chains into a single control plane. Access decisions happen against real org context, not fragmented spreadsheets.

  • Unified model for users, groups, policies, resources, approvals, and audit log
  • Policy CRUD with priorities, match conditions, and approval chain derivation
  • Manager relationships flow from org graph into approval routing
  • Hash-chained audit trail for cryptographically verifiable access history
  • Zero standing privileges by design—every grant is bounded and reviewed

1 source of truth
0 standing privileges
100% auditable decisions

FIG. 1.1

Zoth policy configuration interface showing priority lanes and match conditions

Define access rules with priorities, match conditions, and escalation paths. Each policy composes cleanly with others—priority ordering resolves overlaps deterministically. No hidden inheritance, no surprise denials.

Identity Graph

Org structure drives approval routing.

Users, groups, and manager chains form a queryable graph. Approval routing derives from real org structure, not hardcoded lists.

Platform Capabilities

Everything access control needs, unified.

The control plane handles policy, identity, approval routing, audit, and resource management. No external dependencies for core IGA operations.

Policy Engine

Define access rules with match conditions, priorities, and escalation paths. Policies compose without conflict.

Identity Graph

Users, groups, and manager chains form a queryable graph. Approval routing derives from real org structure.

Approval Chains

Routes derive from policy and org context. Low-risk requests auto-approve; sensitive access escalates.

Audit Trail

Every grant, revoke, and decision is recorded with hash chaining. Evidence is immutable and exportable.

Resource Registry

Every system, role, and permission is catalogued. Policies reference resources, not opaque strings.

Tenant Isolation

Multi-tenant by default. Each organization's policies, users, and audit data remain completely isolated.

Audit & Compliance

Every decision is recorded and verifiable.

The audit log captures every access request, policy evaluation, approval action, grant, and revoke. Hash chaining makes tampering detectable. Export to any SIEM or compliance tool.

FIG. 1.2

Access lifecycle stages REQUEST, POLICY, APPROVE, GRANT, REVOKE on a timeline from t₀ to t₀ + 8h