Application Access
Registering an application tells Kanshin the app exists and how it connects. Application access decides who is allowed to sign in to it. Kanshin follows a zero-trust model: no one can sign in to an application until they have been explicitly assigned to it. You manage this on the App Assignments page under Applications.
How assignment works
Each application has a list of assignments — the subjects allowed to use it. A subject can be:
- A user — grants that one person access
- A role — grants access to everyone who holds that role
- A group — grants access to every member of that group
When someone tries to sign in to an application, Kanshin checks whether they are covered by any of its assignments — directly, through a role they hold, or through a group they belong to. If they are, sign-in proceeds; if not, access is denied.
Why zero-trust by default
Because access is denied until granted, a newly registered application starts locked down: nobody can use it until you assign someone. This is deliberate — it means access is always something you granted on purpose, never something that was open because it was overlooked. To open an application to everyone in a department, assign the group or role that represents them rather than each person individually.
Managing assignments
From the App Assignments page you add and remove assignments for each application. Because you can assign roles and groups, access tends to look after itself as your organization changes: add a person to the group that represents their team, and they gain access to every application that team’s group is assigned to — with no per-application change.
Related pages
- Applications — registering the apps people sign in to
- Roles & Permissions — assigning access by role
- Groups — assigning access by group