Access Control
Enhance your organization's security by enforcing Multi-Factor Authentication (MFA) for all members and creating user groups to manage resource access.
User Groups
User groups provide granular access control beyond basic admin and user roles. With user groups, you can:
- Control which users can access specific models and plugins
- Require manual confirmations by users when models use plugins
- Create custom permission sets for different teams or departments
To create a user group:
- Navigate to the Access Management page by clicking Access in the sidebar
- Scroll to the bottom and click Create Group
- In the group manager, provide:
  - Group name
  - Group ID
  - Description
  - Selected models and plugins
  - Plugin confirmations
  - User memberships (Note: Admin users cannot be added to access groups since they already have full access.)
- Click Create to save the group
Users can belong to multiple access groups simultaneously. A user's effective permissions are determined as follows:
- Resource Access: A user can access a resource if they belong to at least one group that has access to it
- Plugin Confirmations: A user does not need to confirm a plugin if they belong to at least one group that does not require confirmation
This means permissions are combined in the most permissive way across all groups a user belongs to.
By default, when no user groups exist, all users have unrestricted access to all models and plugins without requiring confirmations.
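The combination rules above, as an added Python example for reviewing group designs (not the product's own code). The `Group` fields and the group, user and resource names are constructed assumptions, the confirmation rule is applied literally across all of a user's groups, and a user in no group is assumed to get no access once any group exists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    # Hypothetical model of a user group; field names are assumptions.
    group_id: str
    resources: frozenset        # models and plugins the group can access
    confirm_plugins: frozenset  # plugins this group requires confirmation for
    members: frozenset

def effective_permissions(user, groups, all_resources, all_plugins):
    """Return (accessible resources, plugins needing confirmation) for user."""
    if not groups:
        # Documented default: no groups exist, so access is unrestricted
        # and nothing requires confirmation.
        return set(all_resources), set()
    mine = [g for g in groups if user in g.members]
    # Resource access: union over every group the user belongs to.
    access = set().union(*(g.resources for g in mine)) & set(all_resources)
    # Confirmation: needed only if every one of the user's groups requires it.
    # Literal reading of the rule; the product may count only groups that
    # actually grant the plugin.
    confirm = {p for p in access & set(all_plugins)
               if all(p in g.confirm_plugins for g in mine)}
    return access, confirm

# Constructed sample organization (all names are made up).
PLUGINS = {"web-search", "code-exec"}
RESOURCES = {"model-a", "model-b"} | PLUGINS
GROUPS = [
    Group("research", frozenset({"model-a", "web-search", "code-exec"}),
          frozenset({"code-exec"}), frozenset({"alice", "bob"})),
    Group("support", frozenset({"model-b", "web-search"}),
          frozenset({"web-search"}), frozenset({"bob"})),
]

def audit(users, groups=GROUPS):
    """Map each user to their effective (access, confirm) pair."""
    return {u: effective_permissions(u, groups, RESOURCES, PLUGINS)
            for u in users}

if __name__ == "__main__":
    for user, (access, confirm) in audit(["alice", "bob", "carol"]).items():
        print(user, sorted(access), "confirm:", sorted(confirm))
```

In this sample, bob belongs to both groups and ends up with no confirmations at all, even for `code-exec`, which only the research group grants and which that group requires confirmation for.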
MFA
Multi-factor Authentication (MFA) can be enforced in your organization settings:
- Navigate to settings
- Scroll to the bottom of the page to Organization Info
- Toggle Require Multi-factor Authentication for all Users
When MFA is enabled:
- All active user sessions will be terminated
- Users will be required to set up MFA during their next login attempt if they haven't already
This provides an additional layer of security by requiring users to verify their identity using two different authentication methods.
Resetting MFA for Users
If a user loses access to their MFA device or needs to reset their MFA configuration, you can disable MFA for their account by following these steps:
- Navigate to Access Management
- Search for the user and click the edit button
- Disable the MFA toggle
- Click Save Changes to confirm
The user will then be able to set up MFA again on their next login.
Resetting User Passwords
If a user forgets their password or needs a password reset:
- Navigate to Access Management
- Search for the user and click the edit button
- Click on "Set New Password"
- Enter a secure temporary password
- Click "Change Password" to confirm
- Notify the user of their temporary password through a secure channel
- Instruct the user to change their password upon first login
For security best practices:
- Use a secure channel (like encrypted email or direct message) to share the temporary password
- Ensure the user changes their password immediately after logging in
- Consider enabling MFA for additional security