Admin Panel

RBAC · SoD · Biometric · SSO · IP Allow-list · GDPR · Multi-entity scoping · Audit trail

Users

6

2 online now

MFA Coverage

67%

⚠ 2 users without MFA

Uptime (30d)

99.98%

Last incident: 34d ago

Audit Entries

128

14 events today

SoD Violations

1

Mark O. — vendor creation

🔴 Security Alerts

Users & Roles

Multi-entity scoping · Language preferences · Timezone · Biometric login · Mobile access

Permissions Matrix

Role-based access control (RBAC) across all 22 modules

Segregation of Duties

COSO framework · ISA 315 · Enforced controls · Active violations

Authentication & MFA

TOTP · SMS OTP · WhatsApp OTP · Biometric (fingerprint / Face ID) · Hardware key (FIDO2)

MFA Status by User

⚠ 2 users not enrolled

15.2 Biometric Login

FIDO2 / WebAuthn

Fingerprint Login

Allow users to log in with fingerprint sensor on Android / iOS / laptop

Face ID Login

iOS Face ID / Android Face Unlock / Windows Hello

Hardware Key (FIDO2 / YubiKey)

Physical security key as primary or second factor

Require Biometric for Approvals >$10,000

Any payment or journal approval above threshold requires biometric re-authentication

✓ Enrolled devices: 4 of 6 users · iOS: 3 · Android: 2 · Windows Hello: 1

Session & Timezone Settings

Session Timeout

Default Timezone

Lock on Screen Inactivity

Require re-authentication after browser/app tab is hidden for 15+ minutes

Concurrent Session Alert

Alert when same user logs in from two different locations simultaneously

SSO & Identity Providers

SAML 2.0 · OAuth 2.0 / OIDC · Google Workspace · Microsoft Entra ID · Okta · LDAP / Active Directory

15.3 Configured Identity Providers

JIT Provisioning & SCIM

Just-in-Time (JIT) Provisioning

Automatically create NovaLedger accounts for new SSO users on first login

SCIM User Sync

Sync users and groups from Okta / Microsoft Entra ID in real-time

Enforce SSO (disable password login)

Require all users to sign in via SSO — disable direct password authentication

IP Allow-List

Restrict access by country, office IP range, or mobile money API server — blocks logins from unlisted addresses

15.4 Allowed IP Ranges & Countries

Country-Level Access Control

Block or allow all logins from specific countries. Useful for GDPR compliance and reducing attack surface from unrecognised geographies.

GDPR & Data Residency

15.5 · Choose where your financial data is stored · Right to erasure · Data export · Consent management

Data Storage Regions

GDPR / Privacy Controls

Data Export (GDPR Article 20)

Allow any user to export all their personal data as a JSON/CSV package within 30 days of request

Right to Erasure (GDPR Article 17)

Allow anonymisation of user data on account deletion (accounting records are retained per statutory retention periods)

Data Processing Consent Log

Record explicit consent for data processing from all team members

Cross-Border Data Transfer Controls

Restrict financial data from crossing GDPR / data sovereignty borders without SCCs (Standard Contractual Clauses)

Statutory Retention Periods

${[ {country:'🇰🇪 Kenya',period:'7 years',law:'Tax Procedures Act 2015'}, {country:'🇳🇬 Nigeria',period:'6 years',law:'Companies & Allied Matters Act'}, {country:'🇿🇦 South Africa',period:'5 years',law:'Tax Administration Act'}, {country:'🇦🇪 UAE',period:'5 years',law:'Federal Tax Law'}, {country:'🇬🇧 UK',period:'6 years',law:'Companies Act 2006'}, {country:'🇪🇺 EU',period:'10 years',law:'EU Accounting Directive'}, ].map(r=>`

${r.country} ${r.period} ${r.law}

`).join('')}

Audit Log

Immutable · SHA-256 hashed · Every user action recorded · Tamper-evident chain

All Events — YTD 2026

Engine Status

12 accounting engines · Toggle on/off per business format · Health monitoring

Company Settings

Multi-entity profile · Fiscal year · Accounting standard · Mobile money defaults

Business Profile

Company Name

Registration Number

Tax ID (TIN)

Holding Jurisdiction

Presentation Currency

Fiscal Year End

Accounting Standard

Default Mobile Money