Enterprise features add role-based access, identity provider integration, policies, audit logging, and declarative provisioning to networks.
Overview
Enterprise features extend standard networks with controls for production deployments. These include role-based access control (RBAC), identity provider integration, membership policies, structured audit logging, and declarative provisioning through blueprints.
Standard networks treat membership as a binary state: an agent is either in the network or it is not. Enterprise networks add controls for what members may do (RBAC), who may join and on what identity (identity provider integration), which traffic is permitted (port policies), what gets recorded (audit), and how the whole network is configured (blueprints).
Enable enterprise
Enterprise features are enabled on a per-network basis, either when the network is created or later with the set_network_enterprise command.
Enabling enterprise on a network promotes the network's creator to the owner role and makes all enterprise features available for that network.
Feature summary
RBAC: Provides three-tier roles (owner, admin, member) with distinct permissions. Allows promotion, demotion, kicking members, and transferring ownership.
Invites: An agent invitation system with a consent-based flow: the invited agent must accept before it becomes a member. Invites expire after a 30-day time-to-live (TTL), and an agent's inbox holds at most 100 pending invites.
Identity & SSO: Integrates with OIDC, SAML, Entra ID, LDAP, and webhook identity providers. Supports JWT validation with RS256 (an RSA public key) and HS256 (a shared secret). Pin the expected algorithm per provider: a verifier that lets the token header choose between the RSA key and the HMAC secret is open to algorithm confusion, and an HS256 secret must be treated with the same care as any other shared credential.
Directory sync: Consumes entries pushed from AD, Entra ID, or LDAP to provision members automatically, map their roles, and remove agents that no longer appear in the directory.
Network policies: Enforces a membership cap and a port whitelist per network, and carries a network description.
Audit: Generates structured audit events (slog JSON) stored in an in-memory ring buffer. Because the buffer is in memory and fixed-size, the oldest events are overwritten once it fills and nothing survives a restart, so configure an export wherever events must be retained. Events can be exported to Splunk HEC, CEF/Syslog, or JSON endpoints.
Webhooks: Provides event-driven notifications with retry, a dead-letter queue, and Prometheus metrics.
Blueprints: Uses declarative JSON documents to provision an entire network, including its name, policies, identity provider, webhooks, audit export configuration, and roles.
Key lifecycle: Rotates agent keys, sets key expiry dates, and refuses heartbeats from agents whose key has expired.
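The identity check above depends on the verifier pinning one algorithm per provider. The following is an added example written for this page, not the project's own verifier: the Verifier, Claims and sign names, the 2048-bit key, the shared secret, the fixed clock and the claim set are all constructed for illustration, and only the Go standard library is used. It accepts a valid RS256 and a valid HS256 token, rejects a token whose header names an algorithm other than the pinned one (the RS256-to-HS256 confusion, where the attacker signs with the public key as the HMAC secret; the modulus bytes stand in for the PEM form here), and rejects an expired token. Issuer and audience checks would sit beside the exp check.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"`
}

// Verifier holds one pinned algorithm and the single key that goes with it; the pin is set
// when the identity provider is configured and is never read from the token header.
type Verifier struct {
	Alg    string         // "RS256" or "HS256"
	RSAKey *rsa.PublicKey // used only for RS256
	Secret []byte         // used only for HS256
}

func hs256(input, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(input)
	return mac.Sum(nil)
}

// sign mints a token for the example: RS256 with rsaKey, anything else as HS256 with secret.
func sign(alg string, c Claims, rsaKey *rsa.PrivateKey, secret []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sig := hs256([]byte(input), secret)
	if alg == "RS256" {
		h := sha256.Sum256([]byte(input))
		sig, _ = rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, h[:])
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Verify checks the pinned algorithm first, then the signature, then expiry against now.
func (v *Verifier) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	input := []byte(parts[0] + "." + parts[1])
	h := sha256.Sum256(input)
	switch { // an empty case means the signature verified; every other path is a rejection
	case hdr.Alg != v.Alg: // decided before any key is touched, so the header cannot choose the key type
		return nil, fmt.Errorf("alg %q is not the pinned %q", hdr.Alg, v.Alg)
	case v.Alg == "HS256" && hmac.Equal(hs256(input, v.Secret), sig): // constant-time compare
	case v.Alg == "RS256" && rsa.VerifyPKCS1v15(v.RSAKey, crypto.SHA256, h[:], sig) == nil:
	default:
		return nil, fmt.Errorf("signature check failed for %q", v.Alg)
	}
	var c Claims
	if json.Unmarshal(body, &c) != nil || !now.Before(time.Unix(c.Expires, 0)) {
		return nil, fmt.Errorf("bad claims or expired")
	}
	return &c, nil
}

// Demo exercises a valid RS256 token, a valid HS256 token, an alg-confusion attempt (an HS256
// token keyed with the public RSA modulus, presented to the RS256 verifier) and an expired token.
func Demo() map[string]bool {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // key constructed for the example; a real one comes from the IdP
	now := time.Unix(1700000000, 0)               // fixed clock so the expiry case is deterministic
	rs := &Verifier{Alg: "RS256", RSAKey: &priv.PublicKey}
	hs := &Verifier{Alg: "HS256", Secret: []byte("constructed-shared-secret")}
	accepts := func(v *Verifier, alg string, ttl time.Duration, secret []byte) bool {
		c := Claims{Subject: "agent-42", Expires: now.Add(ttl).Unix()}
		_, err := v.Verify(sign(alg, c, priv, secret), now)
		return err == nil
	}
	return map[string]bool{
		"rs256_valid":            accepts(rs, "RS256", time.Hour, nil),
		"hs256_valid":            accepts(hs, "HS256", time.Hour, hs.Secret),
		"alg_confusion_rejected": !accepts(rs, "HS256", time.Hour, priv.PublicKey.N.Bytes()),
		"expired_rejected":       !accepts(rs, "RS256", -time.Minute, nil),
	}
}

func main() { fmt.Println(Demo()) }
```

The order inside Verify is the point: the header's alg is compared with the pinned value before any key material is used, so a token cannot steer the verifier toward the HMAC path, and the HMAC comparison uses hmac.Equal rather than bytes.Equal so timing does not leak how many bytes matched.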
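The reconciliation step behind directory sync, as an added example that is not the project's code. It assumes a push of (id, groups) entries, a map from directory groups to roles, and the current membership table; the rules it applies are this example's own: a user in several mapped groups gets the highest role, a user in no mapped group is not provisioned, agents absent from the push are removed, and the owner is never demoted or removed by a push, since ownership transfer is a separate, explicit RBAC operation. The type names and the sample data are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is the three-tier RBAC role; a higher value outranks a lower one.
type Role int

const (
	Member Role = iota
	Admin
	Owner
)

func (r Role) String() string { return [...]string{"member", "admin", "owner"}[r] }

// DirEntry is one user as pushed by the directory: a stable identifier and its groups.
type DirEntry struct {
	ID     string
	Groups []string
}

// Change is one provisioning action: Op is "add", "change" (of role) or "remove".
type Change struct {
	Op   string
	ID   string
	Role Role
}

// Reconcile returns the actions that bring current membership in line with one directory push.
// Assumptions made for this example: roleByGroup maps directory groups to Member or Admin, a user
// in several mapped groups gets the highest role, a user in no mapped group is not provisioned,
// agents absent from the push are removed, and the Owner is never demoted or removed by a push
// (ownership transfer is a separate, explicit RBAC operation). Output is sorted so that two runs
// over the same input produce the same list, which keeps the audit trail readable.
func Reconcile(entries []DirEntry, roleByGroup map[string]Role, current map[string]Role) []Change {
	desired := map[string]Role{}
	for _, e := range entries {
		role, mapped := Member, false
		for _, g := range e.Groups {
			if r, ok := roleByGroup[g]; ok && (!mapped || r > role) {
				role, mapped = r, true
			}
		}
		if mapped {
			desired[e.ID] = role
		}
	}
	var out []Change
	for id, want := range desired {
		cur, exists := current[id]
		switch {
		case !exists:
			out = append(out, Change{"add", id, want})
		case cur == Owner:
			// a push never changes the owner; an operator transfers ownership explicitly
		case cur != want:
			out = append(out, Change{"change", id, want})
		}
	}
	for id, cur := range current {
		if _, listed := desired[id]; !listed && cur != Owner {
			out = append(out, Change{"remove", id, cur})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Op != out[j].Op {
			return out[i].Op < out[j].Op
		}
		return out[i].ID < out[j].ID
	})
	return out
}

// Demo runs a constructed push against a constructed membership table.
func Demo() []Change {
	push := []DirEntry{
		{ID: "alice", Groups: []string{"net-admins", "engineering"}}, // two mapped groups: highest wins
		{ID: "bob", Groups: []string{"engineering"}},                 // not yet a member
		{ID: "carol", Groups: []string{"engineering"}},               // was admin, now only in the member group
		{ID: "dave", Groups: []string{"finance"}},                    // no mapped group: not provisioned
		{ID: "root-owner", Groups: []string{"engineering"}},          // the owner shows up as a plain member: ignored
	}
	roleByGroup := map[string]Role{"net-admins": Admin, "engineering": Member}
	current := map[string]Role{"alice": Member, "carol": Admin, "erin": Member, "root-owner": Owner}
	return Reconcile(push, roleByGroup, current) // erin is unlisted in the push and gets removed
}

func main() {
	for _, c := range Demo() {
		fmt.Printf("%-6s %-10s %s\n", c.Op, c.ID, c.Role)
	}
}
```

Running Demo yields four actions: add bob as member, change alice to admin, change carol to member, remove erin. The owner protection is the check worth copying: a misconfigured or compromised directory source should never be able to strip the owner role from a network in a single push.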
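An added example of the two pieces the audit feature describes, an in-memory ring buffer fed by slog's JSON handler and a CEF formatter for the CEF/Syslog export, written for this page rather than taken from the project. The ring and CEF code, the field mapping (msg to Name, the action attribute to Signature ID, level to Severity, time to rt in epoch milliseconds, everything else to sorted key=value extensions) and the vendor/product/version strings are assumptions; the escaping rules for CEF header and extension fields follow the CEF specification. The three audit events are constructed. It needs Go 1.21 or later for log/slog.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log/slog"
	"sort"
	"strings"
	"sync"
	"time"
)

// RingBuffer keeps the last len(lines) records written to it. It satisfies io.Writer, so it can
// be handed straight to slog.NewJSONHandler, which writes one complete line per record.
type RingBuffer struct {
	mu    sync.Mutex
	lines []string
	next  int
	full  bool
}

func NewRingBuffer(n int) *RingBuffer { return &RingBuffer{lines: make([]string, n)} }

func (r *RingBuffer) Write(p []byte) (int, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.lines[r.next] = strings.TrimRight(string(p), "\n")
	r.next = (r.next + 1) % len(r.lines)
	r.full = r.full || r.next == 0
	return len(p), nil
}

// Snapshot returns the retained events oldest first.
func (r *RingBuffer) Snapshot() []string {
	r.mu.Lock()
	defer r.mu.Unlock()
	if !r.full {
		return append([]string(nil), r.lines[:r.next]...)
	}
	return append(append([]string(nil), r.lines[r.next:]...), r.lines[:r.next]...)
}

// CEF escaping: header fields escape backslash and pipe; extension values also escape '=' and newlines.
var cefHeader = strings.NewReplacer(`\`, `\\`, `|`, `\|`)
var cefExt = strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\n", `\n`, "\r", `\r`)
var cefSeverity = map[string]string{"DEBUG": "1", "INFO": "3", "WARN": "6", "ERROR": "8"}

// ToCEF converts one slog JSON line into a CEF:0 record: level -> Severity, msg -> Name, the
// "action" attribute -> Signature ID, time -> rt (epoch ms), all other attributes -> key=value (sorted).
func ToCEF(vendor, product, version, line string) (string, error) {
	var ev map[string]any
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return "", err
	}
	str := func(k string) string { s, _ := ev[k].(string); return s }
	ts, err := time.Parse(time.RFC3339Nano, str(slog.TimeKey))
	if err != nil {
		return "", fmt.Errorf("bad time: %w", err)
	}
	sev, ok := cefSeverity[str(slog.LevelKey)]
	if !ok {
		sev = "5"
	}
	var keys []string
	for k := range ev {
		if k != slog.TimeKey && k != slog.LevelKey && k != slog.MessageKey && k != "action" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	ext := []string{fmt.Sprintf("rt=%d", ts.UnixMilli())}
	for _, k := range keys {
		ext = append(ext, k+"="+cefExt.Replace(fmt.Sprint(ev[k])))
	}
	return fmt.Sprintf("CEF:0|%s|%s|%s|%s|%s|%s|%s", cefHeader.Replace(vendor), cefHeader.Replace(product),
		cefHeader.Replace(version), cefHeader.Replace(str("action")), cefHeader.Replace(str(slog.MessageKey)),
		sev, strings.Join(ext, " ")), nil
}

// Demo pushes three constructed audit events through a two-slot ring (so the first is evicted)
// and renders the survivors as CEF. Vendor/product/version are placeholders.
func Demo() (retained, cef []string) {
	ring := NewRingBuffer(2)
	audit := slog.New(slog.NewJSONHandler(ring, nil))
	audit.Info("member joined", "action", "network.join", "actor", "agent-1", "network", "prod")
	audit.Info("role changed", "action", "rbac.promote", "actor", "agent-1", "target", "agent-7")
	audit.Warn("port policy | update", "action", "policy.ports", "actor", "agent-1", "ports", "22,443=open")
	for _, line := range ring.Snapshot() {
		rec, err := ToCEF("Example", "Mesh", "1.0", line)
		if err != nil {
			panic(err)
		}
		retained, cef = append(retained, line), append(cef, rec)
	}
	return retained, cef
}

func main() { fmt.Println(Demo()) }
```

Two things to notice when running it: the first event ("member joined") is gone from the snapshot, which is exactly the retention limit the in-memory ring imposes, and the third record comes out as CEF:0|Example|Mesh|1.0|policy.ports|port policy \| update|6|rt=... actor=agent-1 ports=22,443\=open, with the pipe in the message and the equals sign in the extension escaped so a syslog consumer cannot be tricked into splitting the record in the wrong place.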
Enterprise gating
Some features require enterprise mode on the network, while others are available to all networks.
Features that require enterprise mode:
RBAC roles (promote, demote, kick)
Ownership transfer
Per-network admin tokens
Invite flow
Directory sync
Port policies
Blueprint provisioning
Features available to all networks:
Network create / join / leave / delete
Membership listing
Audit log query (global)
Key rotation
Hostname & visibility changes
Tags & discovery
Trust & handshakes
Attempting an enterprise operation on a non-enterprise network returns an error. The set_network_enterprise command toggles the flag without affecting existing membership.