End-users can be assigned very granular permissions, ex. "Can view & edit vendors but can only view contracts".
Managing permissions for hundreds of users may get old quickly, so you can create permissions at a "user role" level and all users assigned to that role will automatically inherit those permissions.
We support the SAML authentication protocol, and currently have customers accessing their site via Azure, Okta, PingOne, etc. All SSO access is logged and available for viewing.
Users looking to add additional security can opt-in to using Google Authenticator and will need to provide their MFA code after each login.
All users can be subject to password criteria that you establish — # of characters, # of symbols, can't reuse old passwords, etc. Passwords can also be required to be reset every X # of days.
Every addition, update and deletion is stored in an audit log and available to site admins.