Enterprise features provide role-based access, identity provider integration, policies, audit logging, and declarative provisioning for production networks.
Overview
Enterprise features extend standard networks with controls for production deployments. These include role-based access control, identity provider integration, membership policies, structured audit logging, and declarative provisioning through blueprints.
Standard networks treat membership as a binary boundary. Enterprise networks add layers for role-based access control (RBAC), identity and directory sync, port policies, audit logging, and declarative setup via blueprints.
Enable enterprise
Enterprise features are enabled on a per-network basis at creation time.
Enabling enterprise on a network promotes the creator to the owner role and unlocks all enterprise features for that network.
Feature summary
RBAC: Three-tier roles (owner, admin, member) with distinct permissions. Allows promotion, demotion, kicking members, and transferring ownership.
Invites: A consent-based flow for agents to join networks. Invites have a 30-day TTL and an inbox cap of 100.
Identity & SSO: Integration with OIDC, SAML, Entra ID, LDAP, and webhook identity providers. Supports JWT validation with RS256 and HS256.
Directory sync: Push entries from AD, Entra ID, or LDAP to automatically provision members, map roles, and remove unlisted agents.
Network policies: Enforce membership caps and port whitelists, and set a network description.
Audit: Provides structured audit events in slog JSON format. Includes an in-memory ring buffer and export to Splunk HEC, CEF/Syslog, or JSON endpoints.
Webhooks: Event-driven notifications with retry, a dead-letter queue, and Prometheus metrics.
Blueprints: Declarative JSON documents that provision an entire network, including its name, policies, identity provider, webhooks, audit export configuration, and roles.
Key lifecycle: Rotate agent keys, set expiry dates, and block expired agents from heartbeating.
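The JWT validation listed under Identity & SSO is where algorithm handling matters most. The Go program below is an added example, not code from this page or from the project's registry or Go SDK. It shows a verifier that is pinned to one algorithm at configuration time (RS256 here, with the HS256 branch alongside it), so that the alg field inside a token never chooses the key or the check, and an issuer-side Sign that deliberately lets the header alg and the signing primitive be chosen independently, which is exactly why the verifier must not trust the header. The issuer URL, the generated key and the token contents are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"` // seconds since the Unix epoch
}

var b64 = base64.RawURLEncoding

// Sign builds a compact JWT. The header alg and the signing primitive are passed
// separately on purpose: the format does not tie them together, so a verifier
// must never let the header choose the key.
func Sign(alg string, c Claims, sign func(input string) []byte) string {
	h, _ := json.Marshal(map[string]string{"alg": alg})
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return input + "." + b64.EncodeToString(sign(input))
}

// rs256 returns an RSASSA-PKCS1-v1_5 / SHA-256 signer over priv.
func rs256(priv *rsa.PrivateKey) func(string) []byte {
	return func(input string) []byte {
		d := sha256.Sum256([]byte(input))
		sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
		if err != nil {
			panic(err) // only a broken key or entropy source gets here
		}
		return sig
	}
}

// Verifier is pinned to one algorithm at configuration time. The alg inside a
// token never selects the key or the check; that is what defeats alg confusion.
type Verifier struct {
	Alg    string         // "RS256" or "HS256"
	RSAKey *rsa.PublicKey // used when Alg == "RS256"
	Secret []byte         // used when Alg == "HS256"
	Issuer string         // expected iss claim
}

func (v Verifier) Verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	// Pin check first: no key material is touched until the header alg matches.
	var h struct{ Alg string `json:"alg"` }
	sig, errSig := b64.DecodeString(parts[2])
	if raw, err := b64.DecodeString(parts[0]); err != nil || errSig != nil || json.Unmarshal(raw, &h) != nil || h.Alg != v.Alg {
		return Claims{}, fmt.Errorf("alg %q rejected: verifier pinned to %s", h.Alg, v.Alg)
	}
	input := parts[0] + "." + parts[1]
	switch v.Alg {
	case "RS256":
		d := sha256.Sum256([]byte(input))
		if rsa.VerifyPKCS1v15(v.RSAKey, crypto.SHA256, d[:], sig) != nil {
			return Claims{}, errors.New("invalid signature")
		}
	case "HS256":
		m := hmac.New(sha256.New, v.Secret)
		m.Write([]byte(input))
		if !hmac.Equal(m.Sum(nil), sig) { // constant-time compare
			return Claims{}, errors.New("invalid signature")
		}
	default: // fail closed if the verifier itself is misconfigured
		return Claims{}, fmt.Errorf("unsupported alg %q", v.Alg)
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != v.Issuer {
		return Claims{}, errors.New("malformed claims or untrusted issuer")
	}
	if c.Exp == 0 || !time.Now().Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired or missing exp")
	}
	return c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key for the demo
	v := Verifier{Alg: "RS256", RSAKey: &priv.PublicKey, Issuer: "https://idp.example.test"}
	c := Claims{Iss: v.Issuer, Exp: time.Now().Add(time.Hour).Unix()}
	fmt.Println(v.Verify(Sign("RS256", c, rs256(priv))))
	// Header claims HS256 while the verifier is pinned to RS256: refused before any signature check.
	fmt.Println(v.Verify(Sign("HS256", c, func(string) []byte { return []byte("unchecked") })))
}
```

Run as-is, the first line prints the verified claims and the second prints the pin rejection. A registry that shares a secret with its IdP over HS256 would be configured with Alg set to "HS256" and the Secret field, leaving the RSA branch unreachable; the point is that which branch runs is decided by configuration, never by the token. The exp check reads the wall clock directly; production code would inject a clock and tolerate a small skew.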
Enterprise gating
Some features require enterprise mode on the network, while others are available for all networks.
Features requiring enterprise mode:
RBAC roles (promote, demote, kick)
Ownership transfer
Per-network admin tokens
Invite flow
Directory sync
Port policies
Blueprint provisioning
Features available to all networks:
Network create / join / leave / delete
Membership listing
Audit log query (global)
Key rotation
Hostname & visibility changes
Tags & discovery
Trust & handshakes
Attempting an enterprise operation on a non-enterprise network returns an error. The flag is toggled by the registry's set_network_enterprise RPC, also available via the Go SDK's registry.Client.SetNetworkEnterprise. Membership is preserved when toggling the flag.
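The gating rule and the toggle semantics described above, as an added Go example that is not the registry's or the Go SDK's own code: every enterprise-only operation passes through one requireEnterprise gate that returns an error on a non-enterprise network; SetNetworkEnterprise stands in for the set_network_enterprise RPC, promotes the creator to owner when enabling and leaves the member set alone in both directions; CreateNetwork and Join work on any network. The role-change authorization rule, what happens to already-granted roles after a disable, and the agent and network names are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is the three-tier model from the feature summary.
type Role string

const (
	RoleOwner  Role = "owner"
	RoleAdmin  Role = "admin"
	RoleMember Role = "member"
)

var (
	ErrNotEnterprise = errors.New("operation requires enterprise mode on this network")
	ErrNotFound      = errors.New("no such network or member")
	ErrForbidden     = errors.New("caller's role does not permit this operation")
)

// Network keeps the enterprise flag apart from the member set, so toggling never touches membership.
type Network struct {
	Enterprise bool
	Creator    string
	Members    map[string]Role // agent ID -> role
}

// Registry maps network name to state; a stand-in for the registry service.
type Registry map[string]*Network

// CreateNetwork and Join are open to every network, enterprise or not.
func (r Registry) CreateNetwork(name, creator string, enterprise bool) error {
	r[name] = &Network{Creator: creator, Members: map[string]Role{creator: RoleMember}}
	if enterprise {
		return r.SetNetworkEnterprise(name, true)
	}
	return nil
}

func (r Registry) Join(name, agent string) error {
	n, ok := r[name]
	if !ok {
		return ErrNotFound
	}
	if _, member := n.Members[agent]; !member {
		n.Members[agent] = RoleMember
	}
	return nil
}

// SetNetworkEnterprise stands in for the set_network_enterprise RPC: it flips the flag and,
// when enabling, promotes the creator to owner. Members are never removed; that roles
// already granted survive a disable is an assumption of this example.
func (r Registry) SetNetworkEnterprise(name string, enabled bool) error {
	n, ok := r[name]
	if !ok {
		return ErrNotFound
	}
	n.Enterprise = enabled
	if enabled {
		n.Members[n.Creator] = RoleOwner
	}
	return nil
}

// requireEnterprise is the single gate every enterprise-only operation passes.
func (r Registry) requireEnterprise(name string) (*Network, error) {
	n, ok := r[name]
	if !ok {
		return nil, ErrNotFound
	}
	if !n.Enterprise {
		return nil, ErrNotEnterprise
	}
	return n, nil
}

// SetRole covers promote and demote between admin and member. Assumed rule: only the
// owner changes roles, the owner cannot be demoted here, and owner is not assignable this way.
func (r Registry) SetRole(name, caller, target string, role Role) error {
	n, err := r.requireEnterprise(name)
	if err != nil {
		return err
	}
	cur, ok := n.Members[target]
	if !ok || cur == RoleOwner || role == RoleOwner || n.Members[caller] != RoleOwner {
		return ErrForbidden
	}
	n.Members[target] = role
	return nil
}

func main() {
	r := Registry{}
	_ = r.CreateNetwork("prod-mesh", "agent-a", false) // constructed names
	_ = r.Join("prod-mesh", "agent-b")
	fmt.Println(r.SetRole("prod-mesh", "agent-a", "agent-b", RoleAdmin)) // gated: ErrNotEnterprise
	_ = r.SetNetworkEnterprise("prod-mesh", true)
	fmt.Println(r.SetRole("prod-mesh", "agent-a", "agent-b", RoleAdmin), r["prod-mesh"].Members)
	_ = r.SetNetworkEnterprise("prod-mesh", false)
	fmt.Println(r["prod-mesh"].Members) // both members and their roles still present
}
```

Keeping the gate in one function rather than repeating a flag check in every handler is the design point: a new enterprise-only RPC cannot forget the check, and callers get distinct sentinel errors (ErrNotFound versus ErrNotEnterprise versus ErrForbidden) that they can branch on with errors.Is instead of parsing messages.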