ARIA

Enterprise Security

Built for production. Designed for compliance. Every layer hardened for network operations at scale.

Role-Based Access Control

Four-tier role hierarchy ensures every user sees only what they need and can do only what they're authorized for. Permissions cascade from Super Admin down to Viewer.

Super Admin

L1
  • Full system access
  • User management
  • All customers & devices
  • Template management
  • Audit logs
  • System configuration

Admin

L2
  • Assigned customers
  • All device operations
  • Template deployment
  • User invitations
  • Session export
  • Audit log (own scope)

Operator

L3
  • Assigned customers
  • Diagnostics & read ops
  • Template deployment
  • Session management
  • PDF export

Viewer

L4
  • Read-only access
  • View diagnostics
  • View session history
  • No write operations
  • No template deployment

Authentication

JWT Tokens

Industry-standard JSON Web Tokens with RS256 signing. Stateless verification at every API endpoint.

15-min Access Window

Short-lived access tokens minimize exposure. Automatic refresh keeps sessions alive without re-login.

Refresh Token Hashing

Refresh tokens stored as bcrypt hashes. Even a database breach cannot yield usable tokens.

Token Rotation

Every refresh issues a new token pair. Old refresh tokens are immediately invalidated.

Access Control & Isolation

Every API request is filtered server-side based on the user's role and customer assignments. There is no way to access devices or data outside your authorized scope.

access-control

# Operator "marco" requests devices for customer "Acme Corp"

GET /api/v1/devices?customer=acme-corp


# Server-side checks:

✓ JWT valid, not expired (14:32 remaining)

✓ User "marco" has role "operator"

✓ Customer "acme-corp" in marco's assigned scope

✓ Returning 47 devices (filtered by customer)


# Operator "marco" tries to access unauthorized customer

GET /api/v1/devices?customer=other-isp

✗ 403 Forbidden — customer "other-isp" not in scope

Audit Trail

Every action is logged with full context: who did it, when, from where, and what happened. Immutable logs support compliance requirements and incident forensics.

14:32:01marco10.0.1.45run_pingRB4011-HM-01OK
14:32:18marco10.0.1.45run_tracerouteRB4011-HM-01OK
14:33:05marco10.0.1.45apply_templatefw-inter-vlanOK
14:33:12anna10.0.2.12get_devicescustomer:telecom-x403

Template Safety

The AI never generates raw RouterOS commands. It selects from a curated library of validated templates. 81 MikroTik actions are classified as read-only or write, with write operations requiring explicit authorization.

Read-Only (Safe)

  • ping
  • traceroute
  • bandwidth test
  • interface status
  • routing table
  • firewall rules (view)
  • log entries
  • system resources

Write (Authorized Only)

  • apply template
  • firewall rule change
  • interface config
  • DHCP settings
  • VPN setup
  • QoS policy
  • DNS config

Data Handling

Encryption at Rest

PostgreSQL with AES-256 encryption. All sensitive data encrypted on disk.

TLS in Transit

All API communication over TLS 1.3. No plaintext data ever leaves the server.

No LLM Data Storage

Customer network data is never stored in the LLM. Context is ephemeral per session.

Security-First by Design

Want to learn more about our security practices or need a detailed security assessment?

Contact Our Security Team