A control plane for identity and authorization in operational technology
BASIS is an open-source identity and authorization layer for building automation and operational technology systems. It adds OIDC-based authentication, role-based authorization, and structured audit logging to OT environments — without replacing existing infrastructure.
What BASIS is — and is not
BASIS is
An OT identity and authorization control plane
BASIS mediates access between cloud consumers and building systems, enforcing identity and role-based permissions on every request.
An authorization mediation layer
Every command and data request passes through BASIS. Direct access to the underlying systems is not a supported configuration: the deployment must ensure that devices and brokers are reachable only through BASIS, otherwise the audit log will not reflect all access.
An operational auditability layer
All access events, commands, and authorization decisions are recorded as structured JSON in an append-only SQLite audit log — queryable via API.
A local-first reference architecture
The full stack runs on Docker Compose with no cloud dependencies. It is designed to be evaluable in air-gapped and restricted-network OT environments.
BASIS is not
- A building management system (BMS)
- A SIEM or security analytics platform
- A Kubernetes or container orchestration tool
- A fleet management platform
- An analytics or data pipeline engine
- A commercial product or SaaS platform
The problem
Why OT identity and authorization matters
Building automation protocols such as BACnet, Modbus, and MQTT were designed for isolated, trusted internal networks, where authentication was absent or optional. Cloud connectivity has dissolved that perimeter: systems that were never designed to be externally accessible now interact with remote dashboards, analytics pipelines, and third-party integrations.
The result is a structural gap: no identity at the device or protocol layer, no role-based access control, and no verifiable audit trail. BASIS addresses this gap at the integration layer — without requiring changes to existing infrastructure.
Core principles
These constrain the architecture. The full set is on the platform page.
Local-first by design
The full stack runs on Docker Compose. No cloud account, no external services, no network egress required. Cloud connectivity is additive — not a dependency.
Authorization as a first principle
Every request is evaluated against a policy before any action is taken. The authorization model normalizes each request into a Subject, Action, Resource, and Event tuple, so the same policy is applied whether the request arrives over HTTP, MQTT, or another transport.
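As an added example (written for this page, not code from the BASIS project), the normalized Subject/Action/Resource/Event check described above together with the append-only JSON audit log described under "An operational auditability layer", in Python, the language of the project's FastAPI backend. The policy contents, the HTTP-method and MQTT-operation to action mappings, the JWT claim names (`sub`, `roles`), and the SQLite schema are assumptions made for the illustration.

```python
# Added example, not BASIS's own code: a normalized Subject/Action/Resource/Event
# authorization check whose every decision is appended as a JSON row to an
# append-only SQLite audit table. Policy, topic/path mappings, claim names and
# schema are hypothetical.
import json
import sqlite3
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AuthzRequest:
    """Transport-agnostic request shape: the same tuple is produced whether
    the request arrived over HTTP, MQTT, or another channel."""
    subject: str        # stable identity, e.g. the OIDC `sub` claim ("" if unauthenticated)
    roles: tuple        # roles carried in the token
    action: str         # "read" | "write" | "command"
    resource: str       # hierarchical path, e.g. "building/1/hvac/ahu-2/setpoint"
    event: str          # how the request arrived: "http", "mqtt", ...


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    matched_rule: Optional[str] = None


# Hypothetical policy: role -> allowed (action, resource prefix) pairs.
# Anything not explicitly granted is denied.
POLICY = {
    "viewer":   [("read", "building/")],
    "operator": [("read", "building/"), ("command", "building/1/hvac/")],
    "admin":    [("read", "building/"), ("write", "building/"), ("command", "building/")],
}


def from_http(method, path, claims):
    """Normalize an HTTP call; claims is the decoded JWT payload (assumed keys)."""
    action = "read" if method == "GET" else "command"
    return AuthzRequest(claims.get("sub", ""), tuple(claims.get("roles", ())),
                        action, path.strip("/"), "http")


def from_mqtt(operation, topic, claims):
    """Normalize an MQTT PUBLISH (a command) or SUBSCRIBE (a read) on a topic."""
    action = "command" if operation == "PUBLISH" else "read"
    return AuthzRequest(claims.get("sub", ""), tuple(claims.get("roles", ())),
                        action, topic, "mqtt")


def evaluate(request, policy=POLICY):
    """First matching rule allows; no authenticated subject or no match denies."""
    if not request.subject:
        return Decision(False, "no authenticated subject")
    for role in request.roles:
        for action, prefix in policy.get(role, []):
            if action == request.action and request.resource.startswith(prefix):
                return Decision(True, "matched", f"{role}:{action}:{prefix}")
    return Decision(False, "no rule grants this action on this resource")


def open_audit_db(path=":memory:"):
    """Create the audit table; triggers make it append-only from SQL as well."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS audit (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            ts TEXT NOT NULL,
            record TEXT NOT NULL);
        CREATE TRIGGER IF NOT EXISTS audit_no_update BEFORE UPDATE ON audit
            BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
        CREATE TRIGGER IF NOT EXISTS audit_no_delete BEFORE DELETE ON audit
            BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
    """)
    return conn


def authorize(conn, request):
    """Evaluate, then persist the request and the decision as one JSON record."""
    decision = evaluate(request)
    ts = datetime.now(timezone.utc).isoformat()
    record = {"ts": ts, "request": asdict(request), "decision": asdict(decision)}
    with conn:
        conn.execute("INSERT INTO audit (ts, record) VALUES (?, ?)",
                     (ts, json.dumps(record, sort_keys=True)))
    return decision


def audit_rows(conn):
    """Read the log back in insertion order, as a query API would."""
    return [json.loads(r[0]) for r in conn.execute("SELECT record FROM audit ORDER BY id")]


if __name__ == "__main__":
    db = open_audit_db()
    op = {"sub": "alice", "roles": ["operator"]}   # constructed token claims
    print(authorize(db, from_mqtt("PUBLISH", "building/1/hvac/ahu-2/setpoint", op)))
    print(authorize(db, from_http("POST", "/building/2/lighting/zone-4", op)))
    print(authorize(db, from_http("GET", "/building/2/lighting/zone-4", {})))
    for row in audit_rows(db):
        print(row["request"]["event"], row["decision"]["allowed"])
```

The point of the normalizers is that the policy never sees an HTTP method or an MQTT topic; it sees one shape, so a rule written once covers both paths. Denials are logged with the same record structure as allows, which is what makes the log useful for investigation rather than only for accounting.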
Intentional architectural restraint
BASIS does not try to be a BMS, a SIEM, or a data platform. It does one thing: mediate identity and authorization between OT systems and the services that need to access them.
The architecture is the product
The /platform page is the primary technical reference for BASIS. It covers the authorization model, trust boundaries, authentication flow, telemetry and command dispatch flows, audit persistence, and all architectural decision records.
Read the platform documentation
Review the proof of concept
The BASIS PoC is open source. It includes the full Docker Compose environment, Keycloak configuration, FastAPI backend with JWT middleware, Mosquitto broker, React dashboard, SQLite audit persistence, and a simulated building device environment.
View on GitHub