Security & RBAC

Gatwy is built with enterprise-grade security features suitable for production and compliance environments.

Role-Based Access Control (RBAC)

Gatwy has 22 fine-grained permissions across 6 categories:

  • Connections
  • Sessions
  • Audit
  • Administration
  • Protocols
  • Custom permissions

Built-in roles: Admin, User

Custom roles: Create your own roles and assign any combination of the 22 permissions.

Per-Protocol Access Control

Restrict which protocols each role can use:

  • SSH, RDP, VNC, Telnet, SMB, FTP — individually toggleable per role

Authentication

Local Authentication

  • bcrypt-hashed passwords
  • Brute-force lockout (configurable threshold)
  • Lockout events logged in the audit trail with IP, username, and lockout duration
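The lockout mechanism described above can be modelled as a small tracker that refuses logins while an account is locked and writes a lockout event to the audit trail. The code below is an added illustration, not Gatwy's own implementation; the threshold, window and lockout duration are assumed values, and keying on username plus source IP is a design choice of this example.

```javascript
// Added example: brute-force lockout tracker with audit logging.
// Not Gatwy's own code; the policy numbers below are assumed defaults.

const LOCKOUT_POLICY = {
  threshold: 5,             // failed attempts before lockout (assumed)
  windowMs: 10 * 60 * 1000, // failures older than this no longer count (assumed)
  lockoutMs: 15 * 60 * 1000 // how long the account stays locked (assumed)
};

function createLockoutTracker(policy = LOCKOUT_POLICY, audit = []) {
  const failures = new Map();    // "username@ip" -> timestamps of recent failures
  const lockedUntil = new Map(); // "username@ip" -> epoch ms when the lock expires

  const key = (username, ip) => `${username.toLowerCase()}@${ip}`;

  function isLocked(username, ip, now = Date.now()) {
    const k = key(username, ip);
    const until = lockedUntil.get(k);
    if (until === undefined) return false;
    if (now >= until) { // lock has expired: clear the state
      lockedUntil.delete(k);
      failures.delete(k);
      return false;
    }
    return true;
  }

  function recordFailure(username, ip, now = Date.now()) {
    const k = key(username, ip);
    const recent = (failures.get(k) || []).filter((t) => now - t < policy.windowMs);
    recent.push(now);
    failures.set(k, recent);
    if (recent.length >= policy.threshold) {
      lockedUntil.set(k, now + policy.lockoutMs);
      failures.delete(k);
      // audit entry carries IP, username and lockout duration
      audit.push({
        event: 'auth.lockout',
        username,
        ip,
        lockoutDurationMs: policy.lockoutMs,
        at: new Date(now).toISOString()
      });
      return 'locked';
    }
    return 'failed';
  }

  function recordSuccess(username, ip) {
    failures.delete(key(username, ip));
  }

  // Login flow: refuse while locked, otherwise verify and update the counters.
  // verifyPassword is a callback (e.g. a bcrypt compare) returning true/false.
  function attemptLogin(username, ip, verifyPassword, now = Date.now()) {
    if (isLocked(username, ip, now)) return 'locked';
    if (verifyPassword()) {
      recordSuccess(username, ip);
      return 'ok';
    }
    return recordFailure(username, ip, now);
  }

  return { isLocked, recordFailure, recordSuccess, attemptLogin, audit };
}
```

Two details matter in practice: the lock check runs before the password is verified, so a correct password submitted during the lockout is still refused, and the counter is keyed on username plus source IP so that a flood of failures from one address cannot lock a legitimate user out from everywhere.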

LDAP / Active Directory

  • Authenticate users against any LDAP directory
  • Map LDAP groups to the Admin role

OpenID Connect (SSO)

  • Sign in via Azure AD, Okta, Google, Keycloak, or any OIDC-compatible provider
  • Auto-provision users on first login
  • Admin UI to enable/disable local, LDAP, and SSO independently
  • Option to enforce SSO-only login (disable local auth)

MFA (TOTP)

  • Per-user authenticator app support (Google Authenticator, Authy, etc.)
  • Trusted device cookies to skip MFA on known devices

IP Access Rules

  • Allowlist or denylist by CIDR range
  • Blocks are audit logged with source IP and matched rule
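The allowlist/denylist behaviour above can be expressed as an ordered list of CIDR rules evaluated first-match-wins, with every block written to the audit trail together with the source IP and the rule that matched. This is an added example rather than Gatwy's own rule engine; it handles IPv4 only (an assumption made to keep the matching explicit), and the default-deny-when-an-allowlist-exists behaviour is this example's choice.

```javascript
// Added example: ordered IP access rules with CIDR matching and audit logging of blocks.
// Not Gatwy's own code; IPv4 only (assumption), first matching rule wins.

function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

function parseCidr(cidr) {
  const [net, prefixStr = '32'] = cidr.split('/'); // a bare address means /32
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`invalid prefix: ${cidr}`);
  // unsigned 32-bit mask; prefix 0 must be special-cased because JS shifts mod 32
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { cidr, mask, network: (ipv4ToInt(net) & mask) >>> 0 };
}

function createIpAccessControl(rules, audit = []) {
  // rules: [{ cidr, action: 'allow' | 'deny', comment }], evaluated in order
  const compiled = rules.map((r) => ({ ...parseCidr(r.cidr), action: r.action, comment: r.comment || '' }));
  const hasAllow = compiled.some((r) => r.action === 'allow');

  function logBlock(sourceIp, matchedRule, now) {
    audit.push({ event: 'ip.blocked', sourceIp, matchedRule, at: new Date(now).toISOString() });
  }

  function evaluate(sourceIp, now = Date.now()) {
    let addr;
    try {
      addr = ipv4ToInt(sourceIp);
    } catch (e) {
      // an address we cannot parse is never allowed through
      logBlock(sourceIp, '(unparseable address)', now);
      return { action: 'deny', matchedRule: null };
    }
    const match = compiled.find((r) => ((addr & r.mask) >>> 0) === r.network);
    // no match: default deny if any allow rule exists (allowlist mode), else allow (pure denylist)
    const action = match ? match.action : (hasAllow ? 'deny' : 'allow');
    if (action === 'deny') logBlock(sourceIp, match ? match.cidr : '(default deny)', now);
    return { action, matchedRule: match ? match.cidr : null };
  }

  return { evaluate, audit };
}
```

The source IP fed into `evaluate` must be the one the gateway actually observed on the socket, or the one supplied by a reverse proxy you explicitly trust; an address copied from an arbitrary client-controlled header would let the rules be bypassed.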

Session Security

  • Idle timeout — real idle detection (heartbeats don't reset the clock); warning dialog with countdown before auto-logout
  • Max session duration — hard JWT expiry regardless of activity
  • Encryption key — all credentials, MFA secrets, and recordings encrypted with AES-256 (see Configuration)
  • Runs as non-root — container drops to unprivileged node user at startup via gosu
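The distinction between the idle timeout and the maximum session duration is easy to get wrong: a keep-alive heartbeat must not count as activity, and the hard expiry must fire even for a continuously active user. The following added example (not Gatwy's code; all durations are assumed values) tracks both clocks separately and reports the warning-countdown state before an idle logout.

```javascript
// Added example: idle timeout vs. hard session expiry.
// Not Gatwy's own code; the policy values are assumed. Only real user activity
// refreshes the idle clock; heartbeats keep the connection alive but do not.

const SESSION_POLICY = {
  idleTimeoutMs: 15 * 60 * 1000,     // log out after 15 min without user activity (assumed)
  warningMs: 60 * 1000,              // show the countdown dialog 60 s before idle logout (assumed)
  maxDurationMs: 8 * 60 * 60 * 1000  // absolute cap, like a JWT exp claim (assumed)
};

function createSession(userId, now, policy = SESSION_POLICY) {
  return { userId, createdAt: now, lastActivityAt: now, lastHeartbeatAt: now, policy };
}

// kind: 'user' for keystrokes, clicks or requests the user initiated,
//       'heartbeat' for the client's periodic keep-alive pings.
function recordEvent(session, kind, now) {
  if (kind === 'user') session.lastActivityAt = now;
  else if (kind === 'heartbeat') session.lastHeartbeatAt = now; // deliberately not lastActivityAt
  else throw new Error(`unknown event kind: ${kind}`);
  return session;
}

// Returns { state: 'active' | 'warning' | 'expired', reason, secondsLeft }.
function sessionStatus(session, now) {
  const { idleTimeoutMs, warningMs, maxDurationMs } = session.policy;
  const age = now - session.createdAt;
  const idle = now - session.lastActivityAt;
  // the hard cap wins regardless of activity
  if (age >= maxDurationMs) return { state: 'expired', reason: 'max-duration', secondsLeft: 0 };
  if (idle >= idleTimeoutMs) return { state: 'expired', reason: 'idle', secondsLeft: 0 };
  const idleLeft = idleTimeoutMs - idle;
  const maxLeft = maxDurationMs - age;
  const secondsLeft = Math.ceil(Math.min(idleLeft, maxLeft) / 1000);
  if (idleLeft <= warningMs) return { state: 'warning', reason: 'idle', secondsLeft };
  return { state: 'active', reason: null, secondsLeft };
}
```

Because the server decides expiry from its own clock and its own record of activity, a client that keeps sending heartbeats cannot extend the session; the countdown value is only advisory for the warning dialog.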

Audit Trail

Every action in Gatwy is logged:

  • Logins and logouts
  • Session starts and ends
  • All configuration changes — with before/after field-level diffs
  • Notification rule and channel changes
  • RBAC changes
  • IP rule matches and blocks
  • Brute-force lockouts
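The "before/after field-level diffs" for configuration changes can be produced by walking the old and new settings objects and recording each leaf that changed; the one caveat a reviewer of such an audit log cares about is that secret fields must be recorded as changed without the values themselves landing in the log. The code below is an added example, not Gatwy's audit implementation; the secret field names and the redaction marker are assumptions.

```javascript
// Added example: field-level before/after diff for a configuration-change audit entry.
// Not Gatwy's own code; SECRET_FIELDS names and the redaction marker are assumed.

const SECRET_FIELDS = new Set(['password', 'clientSecret', 'bindPassword', 'totpSecret']);
const REDACTED = '[REDACTED]';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Good enough for JSON-style config values (arrays compared by content).
function sameValue(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

function redactValue(v) {
  return v === undefined ? undefined : REDACTED;
}

// Walks both objects and returns [{ field, before, after }] for every changed leaf,
// using dotted paths for nested settings. Secrets are reported as changed but never logged.
function fieldDiff(before, after, path = '') {
  const changes = [];
  const keys = new Set([...Object.keys(before || {}), ...Object.keys(after || {})]);
  for (const key of [...keys].sort()) {
    const fullPath = path ? `${path}.${key}` : key;
    const b = before ? before[key] : undefined;
    const a = after ? after[key] : undefined;
    if (isPlainObject(b) && isPlainObject(a)) {
      changes.push(...fieldDiff(b, a, fullPath));
    } else if (!sameValue(a, b)) {
      const redact = SECRET_FIELDS.has(key);
      changes.push({
        field: fullPath,
        before: redact ? redactValue(b) : b,
        after: redact ? redactValue(a) : a
      });
    }
  }
  return changes;
}

// Builds the audit entry for a settings change; returns null when nothing changed,
// so a no-op save does not clutter the trail.
function auditConfigChange(actor, target, before, after, now = Date.now()) {
  const changes = fieldDiff(before, after);
  if (changes.length === 0) return null;
  return { event: 'config.changed', actor, target, changes, at: new Date(now).toISOString() };
}
```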

TLS

  • Self-signed certificate auto-generated on first launch
  • Bring your own certificate via TLS_CERT_PATH and TLS_KEY_PATH
  • See Reverse Proxy for Let's Encrypt setup