Access Control

Manage who can access what in WizChat.

Access Control Model

WizChat uses Role-Based Access Control (RBAC) at multiple levels:

Account level - Who can access your account
Team level - Who can access team resources
Chatbot level - Who can access specific chatbots
Document level - Who can access specific documents
MCP server level - Who can use specific integrations
Metric level - Who can see specific dashboard metrics

Account Access

Single Sign-On (SSO)

Business plans can enable SSO:

SAML 2.0
Google Workspace
Microsoft Azure AD
Okta

Multi-Factor Authentication (MFA)

Enable MFA for additional security:

Go to "Profile" > "Security"
Click "Enable MFA"
Scan QR code with authenticator app
Enter verification code
Save backup codes

Team Access

See Roles & Permissions for details.

Role	Access Level
Owner	Full access, billing
Admin	Manage team, chatbots
Member	Use shared chatbots

Chatbot Access

Control who can access each chatbot:

Level	Who
Owner only	Just the chatbot owner
Team	All team members
Specific people	Invited individuals

See Sharing Chatbots for details.

Document Access

Control access to individual documents:

Level	Description
Public	All chatbot users
Authenticated	Logged-in users only
Restricted	Specific email addresses

See Document Access Control for details.

Domain Restrictions

Restrict chatbot access to users from specific email domains:

Open your chatbot
Go to the "Settings" tab
Open "Manage Access"
Add authorized email domains

Example Domain	Who Can Access
`acme.com`	Only `@acme.com` email addresses
`acme.com`, `partner.org`	Both `@acme.com` and `@partner.org`

See Access Modes - Domain Restrictions for details.

MCP Server Access

Control which chatbot users can use each MCP integration:

Level	Description
Public	All chatbot users can use the server
Restricted	Only specific users or email groups

See MCP Overview for details.

Metric Access

Control which chatbot users can see individual dashboard metrics:

Level	Description
Public (default)	All chatbot users see the metric
Restricted	Only specific users or email groups

Restricted metrics are silently hidden from unauthorized users — they simply don't appear on the dashboard.

See PostgreSQL Metrics - Access Control for details.

API Access

API Key Permissions

When creating API keys, set permissions:

Read-only
Read-write
Full access

IP Allowlisting

Restrict API access to specific IPs:

Go to "Settings" > "API"
Click "IP Restrictions"
Add allowed IP addresses
Click "Save"

Session Management

Active Sessions

View and manage active sessions:

Go to "Profile" > "Security"
Click "Active Sessions"
See all logged-in devices
Revoke sessions as needed

Session Timeout

Configure session timeout:

Default: 30 days
Configurable per account
Immediate logout option

Audit Trail

Business plans include audit logs:

Who accessed what
When access occurred
What actions were taken

Access audit logs:

Go to "Settings" > "Security"
Click "Audit Log"
Filter and search events

Best Practices

Principle of Least Privilege

Grant minimum necessary access
Review permissions regularly
Revoke unused access

Regular Reviews

Audit team members monthly
Review API key usage
Check shared chatbot access

Secure Practices

Enable MFA for all users
Use SSO where possible
Rotate API keys regularly

Access Control Model​

Account Access​

Single Sign-On (SSO)​

Multi-Factor Authentication (MFA)​

Team Access​

Chatbot Access​

Document Access​

Domain Restrictions​

MCP Server Access​

Metric Access​

API Access​

API Key Permissions​

IP Allowlisting​

Session Management​

Active Sessions​

Session Timeout​

Audit Trail​

Best Practices​

Principle of Least Privilege​

Regular Reviews​

Secure Practices​

Related​