Administrator Guide

Everything administrators need to configure, secure, and manage an Operanix workspace. This guide covers initial setup through enterprise-grade governance, security, and compliance.

1. Workspace Setup

Your workspace is the top-level container for your organization’s AI workforce. Setting it up correctly ensures a smooth experience for your entire team.

Initial Configuration

Sign in to app.operanix.ai with the account that created the workspace (this account is automatically assigned the Owner role).
Navigate to Settings → General.
Set your Workspace Name (your company or team name).
Upload your Company Logo — this appears in the portal, chat widgets, and hosted chat pages.
Select your Industry from the dropdown. This optimizes agent behavior and evaluation criteria for your domain.
Configure your Timezone for scheduling pipelines and evaluations.

Your workspace name and logo are visible to end users in chat widgets and hosted chat pages. Choose something professional and recognizable.

2. User Management

Inviting Team Members

Go to Settings → Team.
Click Invite Member.
Enter the email address and select a role (see RBAC section below).
Click Send Invitation. The user receives an email with a sign-up link.

Managing Members

From the Team settings page, administrators can:

Change roles — Click the role badge next to a member’s name to reassign.
Remove members — Click the menu icon and select Remove from workspace.
Assign to departments — Assign members to specific departments for scoped access.

Viewing Invitations

The Pending Invitations tab shows all outstanding invites with their status, sent date, and expiration. You can resend or revoke invitations from this view.

3. Role-Based Access Control (RBAC)

Operanix uses a granular role system with 10 roles to ensure every team member has exactly the access they need — nothing more.

Role	Best For	Can Do
`Owner`	Account creator, CTO	Full access including billing, user management, workspace deletion, and all admin functions
`Admin`	IT leads, platform managers	Manage users, roles, departments, SSO, security settings, governance policies, and all operational functions
`Manager`	Department heads	Manage agents, knowledge, evaluations, and deployments within assigned departments. Approve agent actions.
`Operator`	Day-to-day platform users	Configure agents, manage knowledge, run evaluations, deploy to staging. Cannot modify governance or user settings.
`Agent Builder`	AI/ML specialists	Create and configure agents, customize prompts, manage agent identities. No deployment or governance access.
`Knowledge Manager`	Content teams, SMEs	Add, edit, and organize knowledge. Run crawls and uploads. Assign knowledge to agents. No deployment access.
`Compliance Officer`	Legal, risk teams	Configure governance policies, review approval queue, access audit trail, manage compliance frameworks.
`Analyst`	Business analysts, data teams	View analytics dashboards, export reports, access cost intelligence. Read-only access to agents and knowledge.
`Member`	General team members	Chat with agents, view assigned knowledge, view basic dashboards. Cannot configure or deploy.
`Viewer`	Executives, stakeholders	Read-only access to dashboards, analytics, and agent performance. Cannot modify any settings.

Follow the principle of least privilege: assign the most restrictive role that still allows a team member to do their job. You can always upgrade later.

4. Departments

Departments provide organizational boundaries within your workspace, enabling scoped access control and resource isolation.

Creating a Department

Go to Settings → Departments.
Click Create Department.
Enter a name (e.g., “Sales”, “Engineering”, “Customer Success”).
Optionally add a description and select a department head.

Assigning Agents to Departments

Navigate to the agent’s settings and select the department from the Department dropdown. Agents can belong to one department at a time. Department-scoped roles (Manager, Operator) can only see and manage agents within their assigned departments.

Assigning Members to Departments

From Settings → Team, click a member’s profile and assign them to one or more departments. Members with department-scoped roles will only see resources (agents, knowledge, evaluations) within their departments.

Scoped Access

When a user has a department-scoped role, their view of the platform is filtered to show only the agents, knowledge, deployments, and analytics for their assigned departments. This is transparent — the platform looks and works the same, but the data is scoped.

5. Single Sign-On (SSO)

SSO lets your team sign in to Operanix using your existing corporate identity provider, eliminating separate passwords and centralizing access management.

Supported Providers

Provider	Protocol	Plan Required
Google Workspace	OAuth 2.0 / OIDC	Professional+
Microsoft Entra ID (Azure AD)	SAML 2.0 / OIDC	Professional+
Okta	SAML 2.0 / OIDC	Enterprise
Auth0	OIDC	Enterprise
OneLogin	SAML 2.0	Enterprise
Custom SAML	SAML 2.0	Enterprise

Setup Steps

Go to Settings → Security → SSO.
Select your identity provider from the list.
Follow the provider-specific instructions to register Operanix as an application in your IdP.
Enter the required configuration values (Client ID, Client Secret, Issuer URL, or SAML metadata URL).
Click Test Connection to verify the integration.
Enable SSO and optionally enforce it for all users (disabling password login).

Advanced SSO Features

Just-In-Time (JIT) Provisioning — Automatically create Operanix accounts when users sign in via SSO for the first time. Assign a default role for JIT-provisioned users.
Role Mapping — Map IdP groups to Operanix roles. For example, map your “Engineering” IdP group to the Operator role, and your “Leadership” group to the Viewer role.
Domain Verification — Verify ownership of your email domain to ensure only your organization’s members can access the workspace via SSO.

6. Billing & Plans

Available Plans

Plan	Agents	Knowledge	Evaluations	Support	Price
Starter	2 agents	100 pages	10/month	Email	Free
Professional	5 agents	1,000 pages	Unlimited	Priority email	$99/mo
Business	11 agents	10,000 pages	Unlimited	Chat + email	$299/mo
Enterprise	Unlimited	Unlimited	Unlimited	Dedicated CSM	Custom

Managing Your Subscription

Go to Settings → Billing.
View your current plan, usage, and billing cycle.
Click Upgrade to move to a higher tier. Upgrades take effect immediately with prorated billing.
To downgrade, click Change Plan and select a lower tier. Downgrades take effect at the end of the current billing cycle.

Usage Monitoring

The billing dashboard shows real-time usage metrics including:

Number of active agents vs. plan limit
Knowledge pages ingested vs. plan limit
API calls made this billing period
LLM token consumption by agent and model
Estimated cost for the current billing cycle

7. Security Settings

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring a second verification factor during sign-in.

Enable for your account: Go to Profile → Security and click Enable MFA. Scan the QR code with your authenticator app.
Enforce for all users: As an admin, go to Settings → Security and toggle Require MFA. All users will be prompted to set up MFA on their next sign-in.

API Key Management

API keys enable server-to-server integrations with Operanix.

Go to Settings → Integrations → API Keys.
Click Generate Key. Name the key and select its permission scope.
Copy the key immediately — it will not be shown again.
To revoke a key, click the key’s menu and select Revoke. Revocation is immediate.

Store API keys securely. Never commit keys to source control or share them in plaintext. Use environment variables or a secrets manager.

Data Security

Encryption at rest — All data is encrypted with AES-256 in Google Cloud Storage and Firestore.
Encryption in transit — All API traffic uses TLS 1.3.
Tenant isolation — Data is strictly isolated per tenant at the database level. Cross-tenant access is architecturally impossible.
Data residency — Enterprise plans can specify data residency regions for compliance with data sovereignty requirements.
Data retention — Configure retention policies for conversation logs, audit trails, and knowledge data from Settings → Security → Retention.

8. Governance Setup

Governance ensures your AI agents operate safely, compliantly, and within organizational boundaries.

Creating Policies

Navigate to Governance Center in the sidebar.
Click Create Policy.
Select a policy type: Content Safety, Compliance Rule, Topic Boundary, or Custom.
Define the policy conditions (keywords, patterns, or semantic rules).
Set the enforcement action: Warn, Require Approval, or Block.
Assign the policy to specific agents or apply it workspace-wide.

Compliance Frameworks

Operanix includes pre-built compliance templates for common regulatory frameworks:

SOC 2 Type II — Security, availability, and confidentiality controls
GDPR — Data privacy, consent management, right to erasure
HIPAA — Protected health information safeguards
Custom Frameworks — Define your own compliance requirements and map them to governance policies

Audit Trail Retention

The audit trail captures every action on the platform. Configure retention from Settings → Security → Retention:

Plan	Default Retention	Maximum Retention
Starter	30 days	90 days
Professional	1 year	3 years
Business	3 years	7 years
Enterprise	7 years	Unlimited

9. Webhooks

Webhooks let you receive real-time notifications when events occur in your Operanix workspace.

Registering a Webhook

Go to Settings → Integrations → Webhooks.
Click Add Webhook.
Enter your endpoint URL (must be HTTPS).
Select the events you want to subscribe to (e.g., agent.deployed, evaluation.completed, conversation.started).
Click Create. Operanix will send a verification request to your endpoint.

HMAC Verification

Every webhook payload includes an X-Operanix-Signature header containing an HMAC-SHA256 signature. Verify this signature in your endpoint to ensure the payload was sent by Operanix and has not been tampered with.

// Node.js verification example
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Your webhook signing secret is available in Settings → Integrations → Webhooks next to each registered endpoint. Rotate secrets periodically for security.

10. Enterprise Readiness Checklist

Use this checklist to confirm your workspace is fully configured for enterprise production use.

SSO configured and enforced for all users
MFA enabled organization-wide
RBAC roles assigned following principle of least privilege
Departments created and agents assigned by business function
Governance policies configured for content safety and compliance
Trust score thresholds set per agent (stricter for high-risk domains)
Approval workflows active for production agents
Audit trail retention set to meet compliance requirements
API keys generated with scoped permissions (no over-privileged keys)
Webhook integrations registered and verified
Data retention policies configured per regulatory requirements
Emergency rollback procedure documented and tested

Completing all 12 items means your workspace is enterprise-ready. For additional guidance, contact your Operanix Customer Success Manager or email support@operanix.ai.