Skip to main content

Identity & access

MIMICK is built for teams, so it has a clear model for who can do what. This page covers organizations, roles, how people and appliances authenticate, and how access to hardware is granted.

Organizations

An organization is your company's tenant in MIMICK. Every appliance, user, and permission belongs to an organization, and nothing is shared across organizations.

Roles

Each user has a role that sets what they can do:

  • Org admin: full access within your organization, including adopting appliances and granting other users access.
  • Org user: access only to the appliances they've been granted.
  • System admin: platform-wide access, held by Critical Shift for support and operations.

Signing in

People and appliances authenticate in different ways:

  • People sign in through your identity provider in the browser (OIDC), the same way you'd sign in to other modern web apps. The CLI uses the same sign-in and keeps you signed in by refreshing your credentials automatically.
  • Appliances authenticate with a certificate identity issued during adoption (mTLS). This proves an appliance is genuine every time it connects, and it's managed for you.

Granting access

Within an organization, admins decide who can reach which appliances. A grant gives a specific user access to a specific appliance at one of three levels:

  • View: watch what's happening.
  • Interact: drive the hardware.
  • Admin: manage the appliance.

Org admins can reach every appliance in their organization by default. Org users start with none and get exactly the grants an admin gives them. The Cloud enforces these rules on every request.