Set hero background image Click to upload — server adds <media type="image" src="…"/> as a child of <hero>, switching this page to the full-bleed dark variant. Recommended : 1920 × 1080 px (16:9)
Formats : PNG · JPEG · WebP · SVG
Off-spec uploads are rejected — aspect ratio outside 16:9 ±2 %, dimensions outside 800 × 450 … 3840 × 2160.

Axional AC · Role & Access Control

Multi-dimensional access — role × entity × data-scope × time — versioned and auditable.

Role-based authorisation extended along the entity dimension, the data-scope dimension and the time dimension. Configuration versioned with effective dates; the user's access on any past date is reconstructable. Segregation-of-duties checks at the role assignment level.

Talk to a compliance expert Back to Axional AC

Multi-dimensional

Role × entity × data scope × time. A user can be an AP clerk in entity A and a viewer in entity B, with different scopes in each.

Segregation of duties

Role-combination conflicts detected at assignment time. The user cannot be both order-creator and order-approver without a documented compensating control.

Time-bounded access

Role assignments carry start and end dates. Temporary access (cover, project, audit) auto-expires; permanent access is the exception, not the default.

Access reconstruction

The user's access on any past date is a query against the role-assignment journal. *Did John have approval rights on 14 March?* is one click.

What the access surface covers

Role definition

Roles defined as collections of authorisations against operational objects, with read / write / approve / delete differentiated. Role versions preserved through changes.

Entity scope

Per-role entity scoping — a role active in some entities, restricted in others. Group, sub-group, entity, branch as scope levels.

Data scope

Per-role data-scope rules — by department, region, customer segment, product line. Beyond entity, the user sees only the data their role permits.

Segregation-of-duties library

Out-of-the-box SoD rule library (e.g. cannot approve payments to vendors they maintain) extended by customer policy. Detection at role-assignment time.

Time-bounded roles

Effective-from and effective-to dates on every role assignment. Override roles for cover and audit periods automatically retire.

Access audit

Every role assignment, every authorisation change, every login event journalled. Access reconstructable at any past date.

Why segregation of duties is checked at the role, not at the transaction

Some ERPs implement SoD with transaction-level checks — the system stops the user at the point they try to do something forbidden. The control works for the user but fails the auditor: the auditor's question is *who could have done this?*, not *who did this?*.

Axional checks SoD at role assignment. Before the user is granted the role combination, the engine identifies the conflict. The combination requires either a redesign (split the duties differently) or a documented compensating control (with explicit acceptance by the right authority). The audit answer is structural, not transactional.