Stax Access

Learn how access to Stax is managed


Stax gives you control over who has access to your Stax instance.

Users are managed from within your Security Account, so it is recommended that only a select group of users have access to this account.

If you have an external identity provider, such as Okta, Ping or Azure AD, Stax allows you to integrate your identity provider so that you can federate your own user base into Stax.

Within Stax, access to the Stax console and Stax API are managed separately. Further information about managing access is provided below.

Managing Stax Console Access

Stax Console access is managed through the Users section in the customer menu. All users of your Stax instance are listed on the Users page and can be created and deactivated as required.

Three roles exist for governing Stax Console access:

  • Admin: Provides unrestricted access to Stax
  • User: Provides restricted access, particularly in regard to user management
  • Read Only: Provides read access only for Stax

See Stax Permissions for more detail on these roles.

Federated Users

Federated users are users that have been granted access to Stax by your external Identity Provider. These users appear in the Users list, but their details cannot be edited in Stax; they must be edited in your Identity Provider. Stax allows only the following actions against a Federated user:

  • Deactivate user
    • Available via the Console
    • Available via the API (PUT /20190206/idam/user/{user_id})
  • Delete user
    • Available via the API (DELETE /20190206/users/{user_id})

Managing Stax API Access

API Tokens can be used to access the Stax API. As with Stax Console access, three roles exist for API Tokens:

  • Admin
    • Provides unrestricted access to Stax
  • User
    • Provides restricted access, particularly in regard to user management
  • Read Only
    • Provides read only access for Stax

Further information about API Tokens can be found here.


Auditing

Stax audits every single login action that occurs within your Stax Instance. This includes successful logins, incorrect passwords and user detail updates.

Web Application Firewall (WAF)

The Stax Identity Service is protected by AWS WAF, which is a security control that helps ensure that your access to Stax remains secure, reliable and highly available. Logs from the WAF protecting your Identity Service are sent to an S3 bucket in your Security account labelled stax-idam-waflogs-<security_account_aws_account_id>.
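The following is an added example, not Stax's own code, of triaging these WAF logs once objects have been downloaded from the bucket. It assumes one JSON record per line using AWS WAF's standard log fields (action, terminatingRuleId, httpRequest.clientIp, httpRequest.uri); the sample records, rule names and URIs are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records: documentation-range IPs, hypothetical rule names and URIs.
def _rec(action, rule, ip, uri):
    return json.dumps({"timestamp": 1700000000000, "action": action,
                       "terminatingRuleId": rule,
                       "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "POST"}})

SAMPLE_LINES = [
    _rec("ALLOW", "Default_Action", "198.51.100.7", "/login"),
    _rec("BLOCK", "example-rate-limit", "203.0.113.9", "/login"),
    _rec("BLOCK", "example-rate-limit", "203.0.113.9", "/login"),
    _rec("BLOCK", "example-sqli-rule", "203.0.113.9", "/token"),
    _rec("BLOCK", "example-sqli-rule", "192.0.2.44", "/login"),
    '{"timestamp": 17000',  # truncated record, e.g. from a partially written object
]

def summarize_blocks(lines, min_blocks=2):
    """Return (offenders, skipped): per-IP BLOCK summaries and the unparseable line count."""
    per_ip = defaultdict(lambda: {"count": 0, "rules": Counter(), "uris": Counter()})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            req = rec["httpRequest"]
            ip, action = req["clientIp"], rec["action"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # count it and carry on: one bad line must not hide the rest
            continue
        if action != "BLOCK":
            continue
        entry = per_ip[ip]
        entry["count"] += 1
        entry["rules"][rec.get("terminatingRuleId", "unknown")] += 1
        entry["uris"][req.get("uri", "unknown")] += 1
    # Keep only client IPs that were blocked at least min_blocks times.
    offenders = {ip: e for ip, e in per_ip.items() if e["count"] >= min_blocks}
    return offenders, skipped

if __name__ == "__main__":
    offenders, skipped = summarize_blocks(SAMPLE_LINES)
    for ip, e in sorted(offenders.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, e["count"], dict(e["rules"]), dict(e["uris"]))
    print("unparseable lines:", skipped)
```

A non-zero count of unparseable lines is worth checking before trusting the summary, since it means part of the log was not read.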
