Regixo docs
Build for your organization

Roles, ownership & governance

Regixo is built for two people who are rarely the same person: the engineer who installs it and the compliance lead who pays and signs. This page covers who does what — the two users, the four per-record roles, the DORA teams, how people sign in, the machine tokens that keep a hosted record fed, and the governance practices that keep an org catalog trustworthy over time.

Two users, two jobs

The whole product is shaped around a hand-off, so the roles start there:

Installer ≠ payer Do not assume one login covers both. The engineer never needs an account to install and forward; the account is born on the claim side when the compliance lead first signs in. The two sides meet at the claim link and, for a hosted record, at a machine sync token — not at a shared password.

The four per-record roles

Every paid record has its own team. Roles are per record, and price never moves on how many people you add — there are no seat licences.

RoleCan
viewerReads the record. Reading never needs more than an invite.
preparerFills the RoPA legal fields and DORA cells — each saved as “provided by you”. Cannot confirm or sign.
approverConfirms a field, rules on DORA scope, and signs the record.
adminEverything an approver can, plus manages the team and machine tokens.

The rules that keep ownership sound:

DORA teams

About twelve of DORA's fifteen tables are vendor and contract facts that no data catalog holds — they live with the people who own the paperwork. In practice that is procurement (who the ICT third parties are and what they cost), legal (the contracts, terms and exit clauses) and ICT-risk (criticality, substitutability). Give those people preparer or approver roles so they can fill the needs-you tables directly. Two ways in:

What the map auto-starts versus what a person supplies is set out in The DORA register.

How people sign in

Two paths to a verified identity, and Regixo records which one was used — honestly, as email-verified versus sso — because the assurance travels with a signature.

Magic link
The default that births the account. The claim page emails a one-time link — it works once, for 15 minutes, and shows a confirm page first (so a link-scanner can't consume it). Clicking through creates the user and a session. Assurance is recorded as email-verified.
Company SSO (OIDC)
A generic OpenID Connect client for Okta, Microsoft Entra and Google Workspace, configured per record by an admin:
say

“Require SSO for everyone on our Regixo portal account, using our Okta tenant.”

Your agent fills in everything except the token — you put that in .env yourself.

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo admin sso set --claim <clm_…> \
    --issuer https://your-org.okta.com \
    --client-id <id> --client-secret-env OKTA_SECRET --require
The client secret is passed by env-var name and stored sealed — never printed. --require disables magic-link sign-in for that record, so everyone comes through your IdP. Assurance is recorded as sso.
SSO is wired, not yet IdP-validated The OIDC client is built and offline-tested. The run against a real Okta / Entra / Google Workspace tenant is a launch gate, not yet done — like the hosted portal itself, which is not yet hosted. Plan for SSO; don't assume the production validation has already happened.

Machine tokens

A hosted record stays current by having a machine push refreshed metadata. That machine authenticates with a sync token, not a person's login. An admin mints one from the “Connect a machine” card (or the CLI); it is shown once, as an env var to set:

shown once — set it in the environment
REGIXO_SYNC_TOKEN=rgx_sync_9f2c…
Company-owned, not personal
It belongs to the record, not to whoever made it, so it survives staff turnover. It is not a login and not the licence key.
Ingest-only
It can push metadata-only drafts and nothing else — it can never unlock, sign or export. A leaked token can add to the map; it can't touch the legal record.
Revocable per machine
List and revoke tokens individually (regixo admin machines <token> / admin machine rm). Kill one CI runner's token without disturbing the others.
In the environment, never the file Set REGIXO_SYNC_TOKEN as an environment variable (or a CI secret) — never in regixo.yml. It's a credential; it follows the same rule as every other secret.

Governance practice

Roles decide who can act; governance is the org agreement on how they do. A few practices keep an org catalog defensible:

REGIXO — documentation · the engineer installs, the compliance lead signs · Command reference