Licensing & Feature Entitlements
Every tenant has a plan tier. The entitlement system is always on.
Plans at a glance
Behavry ships with three plan tiers:
| Plan | For | Features |
|---|---|---|
| Trial | Prospects running a POC | Core enforcement + 3 features (Community Library, Custom DLP, Behavioral Baselines) |
| Professional | Security / platform teams running Behavry in production | Trial + 7 more (Inbound Rules, Context Gate, Blast Radius, Cost Attribution, SIEM & Webhooks, Discovery Connectors, Human AI Governance) |
| Enterprise | Large orgs with multi-framework compliance needs | Professional + 7 more (Delegation Chains, Workflow Governance, Data Protection, Policy Writer AI, Compliance Modules, SAML SSO, Team Management) |
Every agent identity, proxy decision, and audit event is available on every plan. The entitlement system only gates additional capabilities beyond the core.
The 17 features
The canonical list lives in backend/behavry/admin/entitlements.py under FEATURE_CATALOG:
| Key | Name | Plan |
|---|---|---|
| community_library | Community Policy Library | Trial+ |
| custom_dlp_patterns | Custom DLP Patterns | Trial+ |
| behavioral_baselines | Behavioral Baselines | Trial+ |
| inbound_rules | Inbound Rules Engine | Pro+ |
| context_gate | Context Gate | Pro+ |
| blast_radius | Blast Radius Limits | Pro+ |
| cost_attribution | Cost Attribution | Pro+ |
| siem_webhooks | SIEM & Webhooks | Pro+ |
| discovery_connectors | Discovery Connectors | Pro+ |
| human_governance | Human AI Governance | Pro+ |
| delegation_chains | Delegation Chains | Enterprise |
| workflow_governance | Workflow Governance | Enterprise |
| data_protection | Data Protection Pipeline | Enterprise |
| policy_writer_ai | Policy Writer AI Assist | Enterprise |
| compliance_modules | Compliance Modules (vertical frameworks) | Enterprise |
| saml_sso | SAML 2.0 SSO | Enterprise |
| team_management | Team Management (roles + invites) | Enterprise |
How gating works at runtime
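Every backend route that exposes a gated feature declares a feature check as a route dependency:
```python
from fastapi import APIRouter, Depends  # framework inferred from the Depends() usage
from behavry.admin.entitlements import require_feature

router = APIRouter()

@router.get("/context-gate/summary")
async def summary(
    # Resolved before the handler body runs; fails with 403 if context_gate is not entitled.
    _: None = Depends(require_feature("context_gate")),
):
    ...
```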
require_feature() reads the authenticated tenant's plan tier, applies any tenant-level override stored in TenantConfig, and returns 403 feature_not_included if the tenant isn't entitled to the feature. The check is cached per-request.
On the dashboard, the usePlanFeatures() React hook mirrors the same logic and hides UI that the tenant isn't entitled to see. Navigating directly to a gated route shows an "Upgrade to {plan}" drawer.
Super-admin bypass
Users with is_super_admin (fleet-level operators) bypass entitlement checks entirely. This is intentional: support engineers need to be able to inspect any tenant's data regardless of plan. Bypass events are still audited.
Overrides
Enterprise customers can get specific features early (e.g. policy_writer_ai on Pro). Super-admins set these via:
```http
POST /api/v1/tenants/{id}/features

{ "enable": ["policy_writer_ai"] }
```
Overrides are stored in TenantConfig.feature_overrides (JSONB) and layer over the plan-tier defaults.
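As an added example (not Behavry's own entitlements.py), the following models the runtime check, the audited super-admin bypass, and the override layering described above. The function names, the audit record shape, and the "disable" override key are assumptions; the feature keys and tiers come from the table on this page.

```python
# Constructed model of the checks described on this page; every name here is an
# assumption for illustration, not code from backend/behavry/admin/entitlements.py.
TIERS = ["trial", "professional", "enterprise"]  # ordered lowest to highest

# Minimum tier index per feature key, copied from the feature table on this page.
MIN_TIER = {
    **dict.fromkeys(["community_library", "custom_dlp_patterns", "behavioral_baselines"], 0),
    **dict.fromkeys(["inbound_rules", "context_gate", "blast_radius", "cost_attribution",
                     "siem_webhooks", "discovery_connectors", "human_governance"], 1),
    **dict.fromkeys(["delegation_chains", "workflow_governance", "data_protection",
                     "policy_writer_ai", "compliance_modules", "saml_sso",
                     "team_management"], 2),
}


class FeatureNotIncluded(Exception):
    """Maps to the 403 feature_not_included response."""
    status_code = 403
    code = "feature_not_included"


def effective_features(plan: str, overrides: dict) -> set:
    """Plan-tier defaults with tenant overrides layered on top."""
    rank = TIERS.index(plan) if plan in TIERS else -1  # unknown plan grants no gated feature
    features = {key for key, tier in MIN_TIER.items() if tier <= rank}
    # Only catalog keys can be enabled, so a malformed override grants nothing.
    features |= set(overrides.get("enable", [])).intersection(MIN_TIER)
    # "disable" is an assumed key (the page shows only "enable"); removal wins.
    features -= set(overrides.get("disable", []))
    return features


def check_feature(feature: str, plan: str, overrides: dict,
                  audit_log: list, is_super_admin: bool = False) -> str:
    """Return how access was granted, or raise FeatureNotIncluded."""
    if feature not in MIN_TIER:
        # A mistyped key on a route fails loudly instead of silently passing.
        raise KeyError(f"unknown feature key: {feature}")
    if is_super_admin:
        # Bypass is allowed, but always leaves an audit record.
        audit_log.append({"event": "entitlement_bypass", "feature": feature, "plan": plan})
        return "super_admin_bypass"
    if feature not in effective_features(plan, overrides):
        raise FeatureNotIncluded(feature)
    return "entitled"
```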
API
Routes: backend/behavry/admin/license_routes.py.
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/license | Current tenant's plan tier, features, expiry |
| POST | /api/v1/license/activate | Activate a license key |
| GET | /api/v1/plan-features | All features grouped by plan (used by the dashboard) |
| GET | /api/v1/tenants/{id}/features | Super-admin: inspect a tenant's effective features |
| POST | /api/v1/tenants/{id}/features | Super-admin: add/remove feature overrides |
Related
- User Roles & Invites — the team_management feature
- SSO — OIDC & SAML — the saml_sso feature
- Compliance Modules — the compliance_modules feature