Each member of the workforce, whether an in-house engineer, a third-party engineer, or a freelancer, has a dedicated account registered under their real identity, which can be authenticated with MFA. An account can also be created for an engineer who is invited on a contingent basis. Each account is assigned a role and managed under an organization; together, the role and the organization define the account's least privilege and the session control policy for each IT operation involved.