Skip to content

Set Up Authentication, Roles & Access

Before inviting users and creating threat models, we recommend configuring authentication and access controls for your Devici environment.

For enterprise teams, this typically includes Single Sign-On (SSO), Multi-Factor Authentication (MFA), and role-based access control to ensure users have the appropriate level of access.

Recommended enterprise configuration sequence

For most enterprise organizations, we recommend completing the following steps in order:

  1. Configure Single Sign-On (SAML)
  2. Enable Multi-Factor Authentication (MFA)
  3. Define roles, teams, and permissions
  4. Create teams and assign users
  5. Invite users
  6. Create your first collection and threat model

Why Start with Security and Access Control?

Enterprise customers often begin with identity and access controls to:

  • Enforce corporate authentication policies
  • Control who can create, modify, and review threat models
  • Centralize user and permission management
  • Reduce onboarding friction
  • Meet internal security and compliance requirements

Configuring authentication and access early ensures a smooth and predictable rollout across teams.

Configure Single Sign-On (SSO)

Devici supports SAML-based Single Sign-On (SSO) with common identity providers such as:

  • Okta
  • Microsoft Entra ID (Azure AD)
  • Other SAML 2.0–compatible providers

SSO allows users to authenticate using their corporate credentials and simplifies user lifecycle management.

👉 Set up SSO
- See: SAML Setup

Enable Multi-Factor Authentication (MFA)

MFA adds an additional layer of protection by requiring a time-based verification code during sign-in.

Even when using SSO, MFA is strongly recommended for administrative and privileged roles.

👉 Learn more
- See: Multi-Factor Authentication (MFA)

Understand Roles, Teams, and Permissions

Devici uses role-based access control to manage what users can see and do within the platform.

Access is defined through a combination of:

  • Roles – determine what actions a user can perform (for example, administrative actions versus modeling activities)
  • Teams – group users for organizational and access purposes
  • Collections – control access to specific threat models and related assets

This structure allows organizations to grant broad administrative access where needed, while limiting modeling or review access to specific teams or projects.

👉 Learn more
- See: Roles & Permissions
- See: Creating & Managing Teams

Invite Users and Start Threat Modeling

Once authentication and access controls are configured:

  1. Invite users to Devici
  2. Assign users to teams and roles
  3. Grant access to relevant collections
  4. Begin threat modeling

What’s next

At this point, you’re ready to move from setup into hands-on threat modeling.

  • Continue with Getting Started
    Learn how Devici works at a conceptual level before building models.
    How Devici Works

  • Dive deeper into administration
    If you need more detail on access control and user management, explore the administration guides.
    Roles & Permissions
    Managing Users