Identity
Enterprise IAM
OSuite separates personal identity from workspace authority. Account identity lives once; role authority is scoped per workspace and exposed through a capability catalog.
Identity boundary
The account is durable even if email changes, provider links change, or the user moves across workspaces. Workspace authority is delegated separately through role and capability bundles. This is the core enterprise boundary: one account identity, many workspace memberships, explicit authority per boundary.
A durable account object that survives email changes and linked-provider changes.
Role capability bundles define what the user can do inside each workspace.
Identity methods, trust graph, and wallet posture can all contribute to enterprise assurance.
Billing, security, support, and ownership paths can diverge without cloning the identity model.
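A minimal model of the boundary described above, as an added example that is not OSuite code or its schema: a durable account ID carries identity, and authority is looked up per workspace through a role catalog. The role names follow the page; the capability names, field names, IDs and sample account are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed catalog: role names come from the page, capability names are hypothetical.
ROLE_CATALOG = {
    "owner": {"workspace.manage", "members.manage", "billing.manage", "security.manage"},
    "admin": {"workspace.manage", "members.manage"},
    "security_admin": {"security.manage", "audit.read"},
    "billing_admin": {"billing.manage"},
    "member": {"workspace.use"},
    "support_readonly": {"audit.read"},
}

@dataclass
class Account:
    account_id: str                                  # durable key, never derived from email or provider
    email: str
    providers: dict = field(default_factory=dict)    # provider name -> provider subject
    memberships: dict = field(default_factory=dict)  # workspace id -> role name

def resolve_account(accounts, provider, subject):
    """Map a sign-in (provider, subject) pair to its durable account, or None."""
    for acct in accounts:
        if acct.providers.get(provider) == subject:
            return acct
    return None

def capabilities(account, workspace_id):
    """Capabilities delegated in one workspace; empty when not a member."""
    role = account.memberships.get(workspace_id)
    return set(ROLE_CATALOG.get(role, ()))  # unknown or missing role denies by default

def authorize(account, workspace_id, capability):
    return capability in capabilities(account, workspace_id)

def demo():
    # Constructed sample account with two workspace memberships.
    alice = Account("acct_001", "alice@old.example",
                    providers={"github": "gh-1234"},
                    memberships={"ws_a": "billing_admin", "ws_b": "member"})
    before = authorize(alice, "ws_a", "billing.manage")
    # Email and provider links change; account_id and memberships are untouched.
    alice.email = "alice@new.example"
    del alice.providers["github"]
    alice.providers["oidc"] = "corp-5678"
    after = authorize(alice, "ws_a", "billing.manage")
    cross = authorize(alice, "ws_b", "billing.manage")  # no leak across workspaces
    found = resolve_account([alice], "oidc", "corp-5678") is alice
    stale = resolve_account([alice], "github", "gh-1234") is None
    return before, after, cross, found, stale
```

The unlinked GitHub subject no longer resolves to the account, while authority in each workspace is unchanged by the email and provider changes.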
Role catalog
OSuite now publishes a role catalog and capability map instead of burying privileges in implicit UI assumptions. Owners, admins, security admins, billing admins, members, and support-readonly operators can all experience different control surfaces from the same product shell.
Identity providers
GitHub, Google, and enterprise OIDC can all be configured as sign-in methods. The deployment now exposes an IAM capability surface so operators can inspect configured providers, partial configuration, and future lifecycle posture without reading raw environment variables.
Lifecycle posture
Enterprise customers usually want both SSO and provisioning lifecycle hooks. OSuite is ready to surface SSO status now and to expose SCIM lifecycle posture separately as that lane becomes deployment-ready.
The IAM surface now also publishes just-in-time provisioning posture, group-sync readiness, custom-role lifecycle, and separation-of-duties guarantees so security teams can assess whether the deployment is ready for regulated tenancy instead of reverse-engineering environment variables.