PumaMesh Security & Compliance FAQ
Answers to common questions about how PumaMesh secures your data, enforces access, and supports compliance.
PumaMesh is a zero-trust data mesh, so security and access control are built into every layer. This FAQ answers the questions we hear most often about how your data is protected and who can see it.
How does PumaMesh control who can see my data?
Access is governed by attribute-based access control (ABAC) keyword policies. After you authenticate, your effective tags are resolved from your LDAP attributes plus any local assignments. Every file has its own required tags, and you can only see a file when the file's tags are a subset of your tags. The same rules apply in the console, the API, and the CLI.
How do I sign in, and is multi-factor authentication supported?
PumaMesh supports secure authentication with LDAP, OIDC, and 2FA. Interactive users typically sign in with their LDAP or OIDC identity and a second factor, while scripts and services use API tokens for automated access.
Where does my data live: cloud or on-premises?
Both. You can run PumaMesh on-premises so data stays inside your own boundary, or deploy it in the cloud for elastic scaling and faster provisioning. The access model is identical in either case, so your ABAC policies behave the same wherever you run it.
Can an API token see more than the person who created it?
No. A token always inherits the tags and permissions of the identity that created it, so it can never access more than that user. Treat tokens like passwords: store them in a secret manager, keep them out of source control, rotate them regularly, and revoke any token immediately if it may have been exposed.
How can I verify that a policy is working as intended?
Use the Test Tool on the ABAC page. It lets you simulate a set of tags against a policy and confirm whether access would be granted before you roll changes out, so you can validate policy behavior without exposing real data.
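The subset rule and the kind of dry run the Test Tool performs can be modeled locally, as in this added Python example (it is not PumaMesh code and does not use its API). It assumes tags are exact, case-sensitive strings and that LDAP-derived and local tags are combined by union; all tag and file names are constructed.

```python
# Added illustration of the subset rule; not PumaMesh code.
# Assumptions: tags are exact, case-sensitive strings, and "LDAP attributes
# plus local assignments" means a set union.

def effective_tags(ldap_tags, local_tags=()):
    """Resolve a user's effective tags from both sources (assumed union)."""
    return frozenset(ldap_tags) | frozenset(local_tags)


def evaluate(user_tags, file_tags):
    """Return (granted, missing); granted only if file_tags is a subset of user_tags."""
    missing = frozenset(file_tags) - frozenset(user_tags)
    return (not missing, sorted(missing))


def simulate(user_tags, files):
    """Dry-run one tag set against many files, keyed by file name."""
    return {name: evaluate(user_tags, tags) for name, tags in files.items()}


# Constructed sample data (hypothetical tag and file names).
FILES = {
    "q3-forecast.xlsx": {"finance"},
    "payroll.csv": {"finance", "hr"},
    "Payroll-archive.csv": {"Finance", "hr"},  # differs from payroll.csv only by case
    "readme.txt": set(),                       # no required tags
}

alice = effective_tags(ldap_tags={"finance", "emea"}, local_tags={"audit"})
# A token inherits its creator's tags, so it is evaluated with the same set.
alice_token_tags = alice

if __name__ == "__main__":
    for name, (granted, missing) in simulate(alice, FILES).items():
        verdict = "GRANT" if granted else "DENY"
        print(f"{name:22} {verdict:5} missing={missing}")
```

Under the rule as written, a file with no required tags is granted to every tag set, so it is worth confirming how untagged files are handled in your deployment. Reporting the missing tags alongside each denial shows which assignment would change the outcome.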