Settings, Users & RBAC
This page is the map of the Settings area in the Tenant Plane (TP). For step-by-step user and role procedures, see Users, roles & access. For the two workflow systems (ITSM approval vs automation), see Workflows (ITSM vs automation).
Where to find settings
Open Settings from the sidebar. Everything below is tenant-scoped.
| Section (jump link in UI) | Purpose |
|---|---|
| Users & access | List users, invite, activate/deactivate |
| Roles & permissions (RBAC) | Your effective permissions, can I?, scoped permission editor (by role ID) |
| Approval gates | High-level runbook / automation gating concepts (manual approval, time window, change freeze) |
| Integration tokens | API / connector auth pointers |
| SSO / other cards | Per deployment (branding, quotas, notifications, etc.) |
Users & access (summary)
- List users — `GET /api/users` (requires `users:read` or `rbac:manage`).
- Invite — `POST /api/auth/invite`; invitee completes `signup-exchange`. Today the exchange path typically grants admin; for least privilege use SSO group mapping or SCIM (documented in the full access guide).
- Deactivate — `PATCH /api/users/[id]` with `active: false`.
There is no role dropdown for every user in Settings yet — role changes at scale go through IdP groups → roles or SCIM.
Roles & permissions (summary)
- Roles (`admin`, `operator`, `fulfiller`, `requester`, …) bundle permissions.
- APIs enforce flat permissions (`requirePermission`) and scoped resource checks (`requireScopedPermission`, `requireTenantScopedPermission`).
- Portal behavior (requester vs fulfiller shortcuts) is described in Self-service portal.
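The difference between the flat and scoped checks named above, as an added JavaScript sketch that is not the product's own code. The helper names and the `users:read` / `rbac:manage` pair come from this page; the signatures, role bundles, the `runbooks:approve` permission and the grant shape are assumptions made for illustration.

```javascript
// Added illustration: helper names come from the page; signatures, role
// bundles and grant shapes below are assumptions, not the product's code.
const ROLE_PERMISSIONS = {            // constructed sample bundles
  admin: ["users:read", "rbac:manage", "runbooks:approve"],
  operator: ["users:read", "runbooks:approve"],
  requester: [],
};

class Forbidden extends Error {}

// Union of permissions from every role the user holds; unknown roles add nothing.
function effectivePermissions(user) {
  return new Set(user.roles.flatMap((r) => ROLE_PERMISSIONS[r] ?? []));
}

// Flat check: an active user must hold ANY of the listed permissions.
function requirePermission(user, ...anyOf) {
  const held = effectivePermissions(user);
  if (!user.active || !anyOf.some((p) => held.has(p))) {
    throw new Forbidden(`missing one of: ${anyOf.join(", ")}`);
  }
}

// Tenant-scoped check: flat permission AND the resource is in the caller's tenant.
function requireTenantScopedPermission(user, permission, resource) {
  requirePermission(user, permission);
  if (resource.tenantId !== user.tenantId) throw new Forbidden("cross-tenant access");
}

// Scoped check: tenant match AND an explicit grant covering this resource.
function requireScopedPermission(user, permission, resource) {
  requireTenantScopedPermission(user, permission, resource);
  const granted = (user.scopes ?? []).some(
    (s) => s.permission === permission &&
           (s.resourceId === "*" || s.resourceId === resource.id)
  );
  if (!granted) throw new Forbidden(`no ${permission} grant for ${resource.id}`);
}

// Boolean wrapper for a "can I?" style answer; unexpected errors still propagate.
function canI(check, ...args) {
  try { check(...args); return true; } catch (e) {
    if (e instanceof Forbidden) return false;
    throw e;
  }
}
```

Each layer denies by default: a deactivated user fails the flat check, so every scoped check built on it fails too.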
Approval gates (runbook / automation)
These gates control when automation may run (policy / autonomy / trust stack), distinct from ITSM approval workflows on service requests:
- Per runbook or step — Some executions require human approval before continuing.
- Autonomy level — Higher autonomy can reduce manual approval when policy allows (see AI trust & autonomy).
- Who can approve — Users with rights to approve automation jobs / runbook execution (see Automation and Runbooks).
ITSM human approval chains use /api/workflows/definitions + workflow instances — not the same as the Automation → Workflows canvas. Details: Workflows (ITSM vs automation).
Integration tokens
Create and revoke tokens for scripts and integrations; store secrets outside the repo. See your deployment’s Settings → Integration tokens or connector docs.
TP vs Control Plane
| Area | Tenant Plane | Control Plane |
|---|---|---|
| Users | Customer org (operators, requesters) | Platform operator |
| Login | TP host | CP host |
Summary
| Topic | Detailed guide |
|---|---|
| Step-by-step users, invite, SSO, SCIM | Users, roles & access |
| Portal, catalog, requester vs fulfiller | Self-service portal |
| ITSM approval vs automation workflows | Workflows (ITSM vs automation) |
| Login, forgot password | Authentication & user management |
| Runbook submit/approve | Runbooks |