Kanshin Docs / Application Access

Application Access

Registering an application tells Kanshin the app exists and how it connects. Application access decides who is allowed to sign in to it. Kanshin follows a zero-trust model: no one can sign in to an application until they have been explicitly assigned to it. You manage this on the App Assignments page under Applications.

How assignment works

Each application has a list of assignments — the subjects allowed to use it. A subject can be:

  • A user — grants that one person access
  • A role — grants access to everyone who holds that role
  • A group — grants access to every member of that group

When someone tries to sign in to an application, Kanshin checks whether they are covered by any of its assignments — directly, through a role they hold, or through a group they belong to. If they are, sign-in proceeds; if not, access is denied.

Why zero-trust by default

Because access is denied until granted, a newly registered application starts locked down: nobody can use it until you assign someone. This is deliberate — it means access is always something you granted on purpose, never something that was open because it was overlooked. To open an application to everyone in a department, assign the group or role that represents them rather than each person individually.

Managing assignments

From the App Assignments page you add and remove assignments for each application. Because you can assign roles and groups, access tends to look after itself as your organization changes: add a person to the group that represents their team, and they gain access to every application that team’s group is assigned to — with no per-application change.