Authentication and Access Control
This article introduces authentication and access control in Devin.
Sign in to Devin Enterprise
Devin Enterprise recommends configuring single sign-on (SSO) and unified login for greater security and improved usability. SSO enables your users to sign into Devin Enterprise with your organization’s identity provider. See Configure SSO in Devin
If you don’t configure SSO, users can login to Devin Enterprise using a selected external account such as Google. Github is not recommended, as often personal Github emails and work emails do not match.
Technical Overview of Devin’s RBAC Architecture
Devin Enterprise implements a comprehensive Role-Based Access Control (RBAC) system that integrates with your existing identity infrastructure. This section explains how to configure and leverage RBAC for your organization.
Identity Provider Integration
When configuring Devin Enterprise with your Identity Provider (IdP), observe the following group information flow:
- During authentication, Devin Enterprise receives group information from your IdP
- Your IdP sends group information as claims in the JWT token
- Devin Enterprise uses these groups to determine access permissions
Configuring Group-Based Access
You can configure which IdP groups have access to specific organizations:
- Map your existing IdP groups to Devin Enterprise organizations
- Assign appropriate roles (member or admin) to each group
- Users will automatically inherit permissions based on their IdP group membership
Access Control Implementation
Devin Enterprise determines user access through multiple pathways:
- Direct membership: Individual users assigned to organizations
- Group membership: Users inherit access from their IdP group memberships
- Enterprise admin: Administrators have access to all organizations within their enterprise
Repository Access Control
For Git repository access, Devin Enterprise:
- Inherits permissions from the organization-level access control
- Supports fine-grained access control at the repository level
- Maintains consistent authorization across all components
This approach allows you to leverage your existing identity management system while providing secure, role-based access to Devin Enterprise resources.
Sync users and groups from your identity provider
You can sync users and groups from your IdP to Devin Enterprise, ensuring they have the right access. Groups can have member or admin roles and may belong to multiple organizations.
To enable automatic user matching, provide a mapping of groups to roles and organizations. After authentication, Devin Enterprise extracts group information from the JWT token your IdP sends and matches users accordingly.
Contact us if you require SCIM.
When a user is removed from your identity provider, that user is deactivated in Devin Enterprise. In order to configure IdP group permissions please reach out to us directly.
Enterprise Access Control
Devin Enterprises can have unlimited organizations.
| Access Condition | Description |
|---|---|
| Member of the organization | You can access the organization if you’re a member. |
| Enterprise admin (owns the enterprise) | You can access and edit the enterprise and sub-organizations. |
| Organization admin (owns the org) | You can access and edit the organization. |
| Part of an IdP group that’s a member | You can access the enterprise or organization if you’re part of an IdP group that’s a member/admin. |
IdP groups are fetched upon user-login, so changes in group membership will require reauthentication.