The Enterprise Security add-on extends Torgix with the identity, access, and audit controls that larger organizations require for rollout and security review. It is an optional, per-company add-on that layers on top of the standard Torgix platform. This page describes what the add-on includes, how each control works, and the standards it is built on, so an IT or security team can evaluate it. For Torgix's company-wide security posture (infrastructure, encryption, monitoring, and compliance), see the Security overview. For the current rate, see Pricing.

Browser-based single sign-on so users authenticate through your identity provider instead of a separate Torgix password.

| Capability | What it does |
|---|---|
| Protocols | Sign-on over SAML 2.0 and OpenID Connect (OIDC, which runs on OAuth 2.0), so Torgix works with standards-compliant identity providers. |
| Identity providers | Compatible with major providers including Okta, Microsoft Entra ID (Azure AD), and Google Workspace, plus any standards-compliant SAML or OIDC provider. |
| Per-company configuration | Each organization configures and tests its own SSO connection in admin settings before turning it on for users. |
| Just-in-time provisioning | A Torgix account is created on a user's first successful sign-on, using attributes passed from the identity provider. |
| Group-to-role mapping | Identity-provider groups map to Torgix roles, so a user's access level follows their directory group. |
| Break-glass access | A local administrator path is always preserved, so a misconfigured SSO connection cannot lock an organization out. |

Automated user lifecycle through the SCIM 2.0 standard, so directory changes flow into Torgix without manual steps.

| Capability | What it does |
|---|---|
| Provisioning | Users added in your identity provider are created in Torgix automatically, over SCIM 2.0. |
| Attribute sync | Profile changes such as name, email, group, and status sync from the identity provider to Torgix. |
| Deprovisioning | When a user is disabled or removed in the identity provider, Torgix access is revoked and that user's active sessions and tokens are invalidated. |
| Role assignment | Directory group membership drives Torgix role assignment and stays in sync as those groups change. |

Multi-factor authentication for accounts that sign in directly, with organization-wide enforcement controlled by an administrator.

| Capability | What it does |
|---|---|
| Authenticator app | Time-based one-time passcodes from standard authenticator apps, using the TOTP standard. |
| Recovery codes | One-time backup codes for sign-in when an authenticator device is unavailable. |
| Organization-wide enforcement | An administrator can require MFA for every user in the organization, not just make it optional. |
| Single sign-on accounts | For users who sign in through SSO, MFA is typically enforced by your identity provider. This policy covers accounts that sign in directly to Torgix. |

Control over who can see and do what, enforced in the data layer and applied the same way across the app and the API.

| Capability | What it does |
|---|---|
| Custom roles | Define roles beyond the standard set, each with its own permission set. |
| Per-module permissions | Grant view, create, edit, delete, and export rights per module, including assets, work orders, maintenance, inspections, parts, and rentals. |
| Record scoping | Limit access by team, location, or territory, so users see only the records for their part of the organization. |
| Server-side enforcement | Permission checks run in the data and API layer rather than only hiding items in the interface, and apply identically in the Torgix app and the REST API. |

A record of security-relevant activity that an administrator can search, export, and retain for as long as policy requires.

| Capability | What it does |
|---|---|
| Events captured | Authentication events, data changes, permission and role changes, configuration changes, exports, and administrative actions. |
| Entry detail | Each entry records the actor, the action, the affected record, before and after values where applicable, the IP address, a request ID, and a timestamp in UTC. |
| Search and filter | Administrators can search and filter the log inside Torgix. |
| Export | Log entries can be exported on demand in CSV or JSON. |
| Retention | The retention period for the audit log is configurable. |
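
One check a reviewer could run against a JSON export to test the deprovisioning behaviour described above: no entry should be attributed to a user after their access was revoked. This is an added example, not Torgix code; the key names (`timestamp`, `actor`, `action`, `record`, `ip`, `request_id`) and the action strings are assumptions, and the sample entries are constructed.

```python
import json
from datetime import datetime

# Constructed sample export. Key names and action strings are assumptions,
# not the documented Torgix schema. Entries are deliberately out of order.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-05-01T09:00:00Z", "actor": "alice@example.com",
     "action": "auth.login", "record": "alice@example.com",
     "ip": "203.0.113.7", "request_id": "req-0001"},
    {"timestamp": "2024-05-01T10:00:00Z", "actor": "scim",
     "action": "user.deprovisioned", "record": "alice@example.com",
     "ip": "198.51.100.2", "request_id": "req-0002"},
    {"timestamp": "2024-05-01T10:06:00Z", "actor": "bob@example.com",
     "action": "work_order.updated", "record": "wo-17",
     "ip": "203.0.113.9", "request_id": "req-0003"},
    {"timestamp": "2024-05-01T10:05:00Z", "actor": "alice@example.com",
     "action": "export.created", "record": "assets",
     "ip": "203.0.113.7", "request_id": "req-0004"},
])


def parse_utc(ts):
    """Parse an ISO 8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def activity_after_deprovision(export_json):
    """Return (actor, action, request_id, ip) for every entry attributed to
    a user after that user's most recent deprovisioning event."""
    entries = sorted(json.loads(export_json),
                     key=lambda e: parse_utc(e["timestamp"]))
    revoked = set()   # users whose access is currently revoked
    findings = []
    for e in entries:
        if e["action"] == "user.deprovisioned":
            revoked.add(e["record"])
        elif e["action"] == "user.provisioned":
            revoked.discard(e["record"])      # account re-enabled later
        elif e["actor"] in revoked:
            findings.append((e["actor"], e["action"],
                             e["request_id"], e["ip"]))
    return findings


if __name__ == "__main__":
    for finding in activity_after_deprovision(SAMPLE_EXPORT):
        print("activity after deprovisioning:", finding)
```

An empty result is the expected outcome; any finding carries the request ID and IP address needed to follow up.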

How the add-on is licensed and administered.

| Capability | What it does |
|---|---|
| Per-company add-on | Enterprise Security is enabled per company as a single add-on. See Pricing for the current rate. |
| Multi-tenant isolation | Each organization's identity connections, roles, and audit data are isolated from other tenants. |
| Administered in-app | Owners and administrators configure SSO, SCIM, MFA policy, roles, and audit settings in the company's admin section. |
| Consistent across app and API | The same role and permission model governs both the Torgix interface and the REST API add-on. |

📩 For security teams

If you are evaluating Torgix and need documentation or have questions about the Enterprise Security add-on, contact security@torgix.ai.
For company-wide controls, encryption, and compliance, see the Security overview.