Firms and users

Tenancy, roles, and how Bedrock isolates each firm from every other.

Firms

A firm is the unit of tenancy in Bedrock. Each firm has its own ledger chain, its own signing key, its own users, its own API keys, its own webhooks, and its own model registry. Nothing crosses the boundary. Multiple firms within a group? Each one is independent.

A firm is also the legal entity the FCA holds accountable. That's deliberate: the thing the regulator names and the thing the database keys on must be the same thing, otherwise the records can't be used for evidence.

Users and roles

Three roles, each scoped to a single firm:

  • FIRM_ADMIN — manages users, API keys, webhooks, settings, and the firm profile. Cannot review documents.
  • REVIEWER — reviews jobs in the Principal app. Carries one or more professional qualifications used by the routing engine.
  • LEAD_REVIEWER — everything REVIEWER can do, plus reassignment, escalation handling, and access to firm-wide review reports.

Authorisation comes from the database, not the token

Bedrock uses Cognito for sign-in but never trusts Cognito for authorisation. The role and firm membership stored on the JWT are ignored — every request looks up the user in the database by their Cognito ID and reads the canonical role from there. This is what makes role changes effective immediately and what stops a stolen token from granting privileges that have since been revoked.
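A sketch of the lookup described above, as an added example rather than Bedrock's own code: the authoriser reads only the Cognito ID (`sub`) from an already-verified token and takes firm and role from the database row. The table schema, permission names, function names and the `custom:*` claims are assumptions made for illustration, and an in-memory SQLite database stands in for the real store.

```python
import sqlite3

# Hypothetical permission map derived from the role descriptions on this page.
PERMISSIONS = {
    "FIRM_ADMIN": {"manage_users", "manage_api_keys", "manage_webhooks"},
    "REVIEWER": {"review_job"},
    "LEAD_REVIEWER": {"review_job", "reassign_job", "view_review_reports"},
}

def make_db():
    """In-memory stand-in for the users table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (cognito_id TEXT PRIMARY KEY, firm_id TEXT NOT NULL,"
               " role TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 1)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, 1)", [
        ("sub-alice", "firm-a", "LEAD_REVIEWER"),   # constructed sample rows
        ("sub-bob", "firm-b", "FIRM_ADMIN"),
    ])
    return db

def authorize(db, verified_claims, action, resource_firm_id):
    """Decide from the database row only; role/firm claims in the token are never read.

    verified_claims: JWT payload whose signature was already checked upstream.
    """
    row = db.execute("SELECT firm_id, role FROM users WHERE cognito_id = ? AND active = 1",
                     (verified_claims.get("sub"),)).fetchone()
    if row is None:
        return False                      # unknown or deactivated user
    firm_id, role = row
    if firm_id != resource_firm_id:
        return False                      # tenancy boundary: access to one firm only
    return action in PERMISSIONS.get(role, set())

def demo():
    db = make_db()
    # Constructed token payload: its role and firm claims disagree with the database.
    token = {"sub": "sub-alice", "custom:role": "FIRM_ADMIN", "custom:firm_id": "firm-b"}
    before = authorize(db, token, "reassign_job", "firm-a")      # allowed: DB says LEAD_REVIEWER
    cross_firm = authorize(db, token, "manage_users", "firm-b")  # denied: token claims ignored
    db.execute("UPDATE users SET role = 'REVIEWER' WHERE cognito_id = 'sub-alice'")
    after = authorize(db, token, "reassign_job", "firm-a")       # denied: same token, role changed
    return before, cross_firm, after

if __name__ == "__main__":
    print(demo())
```

The same token is presented three times; only the database row changes the outcome, which is why a role change or deactivation applies on the next request without waiting for the token to expire.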

Adding users

Firm admins invite users by email from the Ledger dashboard. Invited users receive a sign-in link, set their password on first sign-in (we force a password change), and then have access scoped to the firm and role they were invited under.

SSO

Larger firms can plug Bedrock into their existing identity provider through SAML 2.0 or OIDC. Group claims map to Bedrock roles. SCIM provisioning is supported for automatic deactivation when someone leaves the firm.
