PatchMon Security

Control who can do what across your infrastructure.

Different teams manage different servers. Junior admins should not be patching production databases. Contractors need read-only access to specific host groups. PatchMon provides granular role-based access control, SSO integration, and two-factor authentication to enforce these boundaries.


How it works

Everything you need to know, at a glance.

Role-Based Access Control

Define granular permissions with built-in roles or create custom ones for least-privilege access across dashboards, hosts, packages, users, reporting, settings, and notifications. Security-sensitive actions are logged for audit purposes.

  • Built-in roles for common patterns plus fully custom roles
  • Fine-grained control over hosts, packages, users, reporting, and settings
  • Separate controls for elevated operations where needed
  • Activity audit trail for security-relevant actions
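As an added illustration, not PatchMon's own code, the following Node.js script models the permission model the list above describes: per-resource view/manage permissions, built-in and custom roles, host-group scoping for contractors, a separate check for elevated operations, and an audit trail of denials and state-changing decisions. The role names, the permission strings, the `allowedHostGroups` field and the `hosts:elevated` permission are assumptions chosen for the example.

```javascript
'use strict';

// Resources named on the page; each gets "view" and "manage". "hosts:elevated"
// is an assumed extra permission standing in for "separate controls for
// elevated operations" (here: changing a production host).
const RESOURCES = ['dashboards', 'hosts', 'packages', 'users',
                   'reporting', 'settings', 'notifications'];
const ALL_VIEW = RESOURCES.map((r) => `${r}:view`);

// Role names and permission sets are assumptions, not PatchMon's built-ins.
const BUILT_IN_ROLES = {
  admin: new Set([...ALL_VIEW, ...RESOURCES.map((r) => `${r}:manage`), 'hosts:elevated']),
  // Junior admin: may manage hosts and packages, but never a production host.
  junior_admin: new Set([...ALL_VIEW, 'hosts:manage', 'packages:manage']),
  // Contractor: read-only, further confined to explicit host groups per user.
  contractor: new Set(['dashboards:view', 'hosts:view', 'packages:view']),
};

// Custom role built from scratch: reporting only.
const CUSTOM_ROLES = {
  report_analyst: new Set(['dashboards:view', 'reporting:view', 'reporting:manage']),
};

// Audit trail: every denial and every non-read decision is recorded.
const auditLog = [];

function permissionsFor(user, customRoles = {}) {
  const perms = BUILT_IN_ROLES[user.role] || customRoles[user.role];
  if (!perms) throw new Error(`unknown role: ${user.role}`);
  return perms;
}

// Decide whether `user` may perform `action` on `resource`.
// `target` carries context for host-scoped checks: { hostGroup, production }.
// Returns { allowed, reason }; anything not explicitly granted is denied.
function authorize(user, resource, action, target = {}, customRoles = {}) {
  const perms = permissionsFor(user, customRoles);
  const perm = `${resource}:${action}`;
  let allowed = perms.has(perm);
  let reason = allowed ? 'granted' : `missing ${perm}`;

  // Host-group scoping: users carrying allowedHostGroups are confined to them.
  if (allowed && resource === 'hosts' && Array.isArray(user.allowedHostGroups)
      && !user.allowedHostGroups.includes(target.hostGroup)) {
    allowed = false;
    reason = `host group ${target.hostGroup} not in scope`;
  }

  // Elevated operation: changing a production host needs hosts:elevated
  // on top of hosts:manage.
  if (allowed && resource === 'hosts' && action === 'manage'
      && target.production && !perms.has('hosts:elevated')) {
    allowed = false;
    reason = 'production change requires hosts:elevated';
  }

  if (!allowed || action !== 'view') {
    auditLog.push({ ts: new Date().toISOString(), user: user.name,
                    role: user.role, perm, target, allowed, reason });
  }
  return { allowed, reason };
}
```

The order of the checks matters: the coarse permission lookup runs first, then scoping, then the elevated-operation gate, and a failure at any stage is final. Read-only successes are not logged, which keeps the trail focused on what changed and what was refused.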

OIDC Single Sign-On

Connect any OIDC-compatible identity provider -- Okta, Keycloak, Authentik, Azure AD (now Microsoft Entra ID), or any provider that supports the OpenID Connect standard. Optionally disable local authentication entirely to enforce SSO-only access across your organization. Before doing so, confirm that at least one SSO-provisioned account holds an administrative role, since an identity-provider outage or misconfiguration would otherwise leave no way to sign in.

  • Any OIDC-compatible provider (Okta, Keycloak, Authentik, Azure AD)
  • Automatic user provisioning on first login
  • Option to disable local auth entirely when OIDC is enabled
  • Discord OAuth2 as an additional authentication option with account linking

Two-Factor Authentication

TOTP-based two-factor authentication for local accounts. Users set up 2FA with a QR code, receive backup codes for recovery, and are protected by configurable lockout policies to prevent brute-force attempts.

  • TOTP with QR code setup (compatible with Google Authenticator, Authy, 1Password)
  • Backup codes for account recovery
  • Configurable maximum attempts before lockout
  • Login lockout protection for brute-force prevention

Session Management and Audit Logging

View and manage all active sessions, revoke access instantly, and configure inactivity timeouts. Authentication is JWT-based with configurable token expiry and refresh tokens, but every session is also tracked server-side with automated cleanup, so revoking a session takes effect immediately rather than when its access token happens to expire.

  • Active session listing with device and timestamp details
  • Instant session revocation
  • Configurable inactivity timeout and token expiry
  • Automated session cleanup for expired sessions
  • Dedicated API credentials for agents, isolated from interactive accounts

Ready to see it in action?

Deploy the Community edition in minutes, or talk to us about PRO and Cloud.