Administration
This reference page documents organization-level administration capabilities for IT administrators and health system admins. For step-by-step how-to guides on user and connector management, see Set Up Your Organization.
User management
Users are managed under Settings → Users. See Set Up Your Organization for invitation and role assignment steps.
User accounts are always associated with exactly one organization. A person who needs access to multiple organizations requires a separate account in each.
Role-based access control
TietAI uses a role-based access model with four core roles. Permissions are enforced at both the UI layer and the API layer — a Viewer cannot perform write operations via the API even with a valid API key.
- Platform Manager — Globally scoped role for managing TietAI platform-level resources such as base agent templates and Hydra Studio settings. Sits above Admin for platform-level operations.
- Admin — Organization administrator with full control over users, connectors, workflows, and settings within their organization.
- Clinician — Clinical user who can view patient data, build and run workflows, and create reports.
- Viewer — Read-only access to dashboards, patient records, workflows, and reports.
Permission matrix
| Permission | Platform Manager | Admin | Clinician | Viewer |
|---|---|---|---|---|
| Manage base agent templates | ✓ | — | — | — |
| Manage Hydra Studio settings | ✓ | — | — | — |
| Access Medical Inference space | ✓ | ✓ | — | — |
| View dashboard | ✓ | ✓ | ✓ | ✓ |
| View patient list | ✓ | ✓ | ✓ | ✓ |
| View patient detail record | ✓ | ✓ | ✓ | ✓ |
| Export patient data | ✓ | ✓ | ✓ | — |
| Add / edit patient notes | ✓ | ✓ | ✓ | — |
| Trigger manual patient sync | ✓ | ✓ | ✓ | — |
| View workflows | ✓ | ✓ | ✓ | ✓ |
| Create and edit workflows | ✓ | ✓ | ✓ | — |
| Run workflows | ✓ | ✓ | ✓ | — |
| Delete workflows | ✓ | ✓ | — | — |
| Schedule workflows | ✓ | ✓ | ✓ | — |
| View execution history | ✓ | ✓ | ✓ | ✓ |
| View reports | ✓ | ✓ | ✓ | ✓ |
| Create custom reports | ✓ | ✓ | ✓ | — |
| View connectors | ✓ | ✓ | ✓ | — |
| Create / edit / delete connectors | ✓ | ✓ | — | — |
| Test connectors | ✓ | ✓ | — | — |
| Invite users | ✓ | ✓ | — | — |
| Change user roles | ✓ | ✓ | — | — |
| Deactivate users | ✓ | ✓ | — | — |
| Configure SSO | ✓ | ✓ | — | — |
| View audit logs | ✓ | ✓ | — | — |
| Export audit logs | ✓ | ✓ | — | — |
| Manage API keys | ✓ | ✓ | — | — |
| Configure data retention | ✓ | ✓ | — | — |
| Configure IP allowlist | ✓ | ✓ | — | — |
Authentication options
TietAI supports three authentication methods: local authentication, SAML 2.0, and OIDC. Only one SSO method (SAML 2.0 or OIDC) can be active at a time. SSO and local authentication can coexist, and admins can enforce SSO-only mode so that local password login is no longer accepted for the organization.
Local authentication
Default method. Users authenticate with an email address and a password that meets TietAI's password policy (minimum 12 characters, mixed case, numbers, and special characters). Passwords are hashed using bcrypt.
Password reset: Users can reset their own password using the Forgot password link on the login page. Admins can force a password reset from Settings → Users → [user] → Force Password Reset.
SAML 2.0
Configure under Settings → Authentication → SAML 2.0.
Required from your identity provider:
- SSO URL (the IdP's SAML endpoint)
- Entity ID
- X.509 signing certificate
Required from TietAI (to configure in your IdP):
- Service Provider Entity ID: https://api.tiet.ai/auth/saml/metadata
- ACS URL: https://api.tiet.ai/auth/saml/acs
- Download the SP metadata XML from Settings → Authentication → Download SP Metadata
Attribute mapping: TietAI reads email, given_name, and family_name from the SAML assertion. Configure your IdP to include these attributes.
OIDC
Configure under Settings → Authentication → OIDC.
Required:
- Discovery URL (the /.well-known/openid-configuration endpoint of your IdP)
- Client ID
- Client secret
TietAI's redirect URI (register this in your IdP application):
https://<your-org>.tiet.ai/auth/oidc/callback
Scopes required: openid email profile
Session management
Session timeout: By default, user sessions expire after 8 hours of inactivity. Admins can change this under Settings → Security → Session timeout. Available options: 1 hour, 4 hours, 8 hours, 24 hours, No timeout (not recommended for shared workstations).
Active sessions: Go to Settings → Security → Active Sessions to view all current login sessions for your organization. Admins can terminate any session immediately — useful if a device is lost or a user should be locked out immediately.
Session token rotation: Tokens are rotated on every request that changes application state (write operations). This limits the window of exposure if a token is intercepted.
Data retention
By default, data in TietAI is retained as follows:
| Data type | Default retention |
|---|---|
| FHIR patient records | Indefinite |
| Workflow execution history | 90 days |
| Audit logs | 12 months (minimum) |
| Patient notes | Indefinite |
| Device readings (Observations) | 2 years |
| Generated reports | 1 year |
To configure custom retention periods, go to Settings → Data → Retention Policy and set per-data-type retention rules. Retention changes apply prospectively — existing data within the old retention window is not immediately deleted.
To request deletion of specific records or a full organization data purge, contact TietAI support.
Audit logs
Audit logs record every significant action in TietAI at the API level. They cannot be edited or deleted.
Accessing audit logs: Go to Settings → Audit Logs
Logged events:
| Category | Examples |
|---|---|
| Authentication | Login success, login failure, logout, SSO login, password reset |
| Data access | Patient record viewed, FHIR resource fetched via API |
| Data modification | FHIR resource created/updated via workflow, patient record exported |
| Workflow actions | Pipeline created, edited, deleted, executed, scheduled |
| Admin actions | User invited, role changed, user deactivated, connector created/revoked, SSO configured |
| API access | API key generated, API key revoked, API request with key |
Log format: Each entry contains:
- Timestamp (UTC, ISO 8601)
- User ID and display name
- IP address and user agent
- Action type
- Resource type and ID
- Outcome (success / failure)
- Additional context (e.g., which fields were changed)
Exporting: Click Export → choose CSV or PDF. Large exports (>10,000 rows) are generated asynchronously and emailed to the requesting admin when ready.
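The audit log is only useful if someone reads it. The following is an added example (not TietAI's own code) of two detection rules run over an exported log: a burst of failed logins from one source IP, and one user opening an unusual number of distinct patient records in a short window. The page lists the fields each entry carries but not an export schema, so the JSON-lines layout and the field names used here are assumptions, and the sample entries are constructed.

```python
"""Detection rules over a TietAI-style audit log export.

Added example, not TietAI's own code. The JSON-lines layout and the field
names (timestamp, user_id, display_name, ip, user_agent, action,
resource_type, resource_id, outcome, context) are assumptions derived from
the field list on the page; the sample entries are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _entry(ts, user, ip, action, rtype=None, rid=None, outcome="success"):
    """Build one constructed audit entry in the assumed JSON-lines layout."""
    return json.dumps({
        "timestamp": ts, "user_id": user, "display_name": user, "ip": ip,
        "user_agent": "Mozilla/5.0", "action": action, "resource_type": rtype,
        "resource_id": rid, "outcome": outcome, "context": {},
    })


# Constructed sample export: five failed logins from one IP in 14 seconds,
# then one user opening four distinct patient charts within two minutes.
SAMPLE_LOG = "\n".join([
    _entry("2024-05-01T09:00:01Z", None, "198.51.100.9", "login_failure", outcome="failure"),
    _entry("2024-05-01T09:00:04Z", None, "198.51.100.9", "login_failure", outcome="failure"),
    _entry("2024-05-01T09:00:08Z", None, "198.51.100.9", "login_failure", outcome="failure"),
    _entry("2024-05-01T09:00:11Z", None, "198.51.100.9", "login_failure", outcome="failure"),
    _entry("2024-05-01T09:00:15Z", None, "198.51.100.9", "login_failure", outcome="failure"),
    _entry("2024-05-01T09:30:00Z", "u-3", "203.0.113.50", "login_failure", outcome="failure"),
    _entry("2024-05-01T10:00:00Z", "u-3", "203.0.113.50", "patient_record_viewed", "Patient", "p-1"),
    _entry("2024-05-01T10:00:30Z", "u-3", "203.0.113.50", "patient_record_viewed", "Patient", "p-2"),
    _entry("2024-05-01T10:01:00Z", "u-3", "203.0.113.50", "patient_record_viewed", "Patient", "p-3"),
    _entry("2024-05-01T10:01:30Z", "u-3", "203.0.113.50", "patient_record_viewed", "Patient", "p-1"),
    _entry("2024-05-01T10:02:00Z", "u-3", "203.0.113.50", "patient_record_viewed", "Patient", "p-4"),
])


def parse_log(text):
    """Parse JSON lines into dicts with a parsed UTC datetime under 'ts', sorted by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for source IPs with >= threshold login
    failures inside any sliding window of length `window`."""
    hits = {}
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    for e in entries:
        if e["action"] != "login_failure":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits[e["ip"]] = max(hits.get(e["ip"], 0), len(q))
    return hits


def patient_view_bursts(entries, threshold=20, window=timedelta(minutes=5)):
    """Return {user_id: peak_distinct_patients} for users who viewed at least
    `threshold` distinct patient records inside any window of length `window`.
    Distinct resource IDs are counted, so re-opening the same chart is not a hit."""
    hits = {}
    recent = defaultdict(deque)  # user -> (timestamp, patient id) pairs
    for e in entries:
        if e["action"] != "patient_record_viewed" or e["outcome"] != "success":
            continue
        q = recent[e["user_id"]]
        q.append((e["ts"], e["resource_id"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({pid for _, pid in q})
        if distinct >= threshold:
            hits[e["user_id"]] = max(hits.get(e["user_id"], 0), distinct)
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("login bursts:", failed_login_bursts(log))
    print("patient view bursts:", patient_view_bursts(log, threshold=4))
```

Thresholds are parameters because the right values depend on the organization: a triage nurse legitimately opens many charts per hour, so tune `patient_view_bursts` against a baseline from your own export before alerting on it. Run the rules on the asynchronous CSV export the page describes after converting it to the layout above, or adapt `parse_log` to the columns in your export.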
Security
Encryption
- At rest: AES-256 encryption for all data in the database and object storage
- In transit: TLS 1.3 for all connections between clients and TietAI servers
- Key management: Encryption keys are managed using Google Cloud KMS with automatic rotation every 90 days
HIPAA compliance
TietAI is designed to support HIPAA-compliant deployments:
- Business Associate Agreement (BAA): Required before using TietAI with Protected Health Information (PHI). Contact your TietAI account manager to execute a BAA.
- PHI handling: All PHI is isolated per organization. TietAI staff access to customer data requires multi-person authorization and is fully logged.
- Audit requirements: TietAI's audit log covers the access and activity logging required by the HIPAA Security Rule.
- Minimum necessary: Role-based access control is the mechanism for applying the HIPAA minimum necessary standard. Assign each user the least-privileged role that covers their duties (Viewer for read-only staff, Clinician only where write access to patient data and workflows is required).
Backup and recovery
- Backup frequency: Automated daily backups of all databases and object storage
- Backup retention: 30 days of daily backups; 12 months of monthly backups
- Recovery point objective (RPO): 24 hours (you may lose up to one day of data in a disaster scenario)
- Recovery time objective (RTO): 4 hours for a full organization restore
- To request a data restore: submit a support ticket via Help → Contact Support with the org ID, data type, and target restore date
IP allowlisting
Restrict TietAI access to specific IP address ranges — useful for organizations that want users to access TietAI only from corporate networks or VPNs.
- Go to Settings → Security → IP Allowlist
- Click Add IP Range
- Enter a single IP address or a CIDR range (e.g., 10.0.0.0/8 or 203.0.113.50/32)
- Add a label (e.g., "Corporate VPN" or "Hospital network")
- Click Save
After saving, requests from IP addresses not on the allowlist receive a 403 Forbidden response.
Before enabling IP allowlisting, add your own current IP address to the allowlist. If you lock yourself out, contact TietAI support — they can disable the allowlist from the backend.
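The lockout warning above is easy to check before you click Save. The following is an added example (not TietAI's own code) that models the allowlist as the (value, label) pairs entered in the dialog, makes the same allow/deny decision the page describes for a request's source address, and runs a preflight that flags the lockout case, overlapping entries, and unusually wide public ranges. The preflight checks and the use of Python's `ipaddress` module are this example's own choices.

```python
"""Preflight checks for a TietAI-style IP allowlist.

Added example, not TietAI's own code. Entries are (value, label) pairs as
typed into Settings -> Security -> IP Allowlist. is_allowed() is the decision
the page describes (an address outside every range is rejected); the
preflight() warnings are this example's own additions.
"""
import ipaddress
import itertools


def parse_allowlist(entries):
    """Return [(network, label)]. A bare address becomes a host route
    (/32 or /128). strict=True rejects a CIDR with host bits set, such as
    10.0.0.1/8, which is almost always a typo for a different range."""
    networks = []
    for value, label in entries:
        try:
            net = ipaddress.ip_network(value.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"{label!r}: {value!r} is not a valid address or CIDR: {exc}") from exc
        networks.append((net, label))
    return networks


def is_allowed(client_ip, networks):
    """Allow decision for one request: True only if some range contains the address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net, _ in networks)


def preflight(entries, admin_ip):
    """Warnings to review before saving: your own address not covered (lockout),
    overlapping entries, and public ranges wider than a /24."""
    networks = parse_allowlist(entries)
    warnings = []
    if not is_allowed(admin_ip, networks):
        warnings.append(f"lockout: your current address {admin_ip} is not in any range")
    for net, label in networks:
        if not net.is_private and net.prefixlen < 24:
            warnings.append(f"broad: {label!r} ({net}) admits {net.num_addresses} public addresses")
    for (a, la), (b, lb) in itertools.combinations(networks, 2):
        if a.overlaps(b):
            warnings.append(f"overlap: {la!r} ({a}) and {lb!r} ({b}) cover the same addresses")
    return warnings


if __name__ == "__main__":
    proposed = [("10.0.0.0/8", "Corporate VPN"), ("203.0.113.50/32", "Hospital network")]
    # Constructed: the admin is currently connected from an address outside both ranges.
    for w in preflight(proposed, "198.51.100.7"):
        print("WARNING:", w)
```

One caveat worth stating: the address TietAI evaluates is the source address it sees on the connection, which for a hosted service is normally your network's egress or NAT address, not the workstation's private address. An entry such as 10.0.0.0/8 only admits traffic when TietAI actually observes a source address in that range, so verify what address your traffic arrives from before relying on a private range.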
API access management
TietAI provides API keys for programmatic access to the FHIR API and the TietAI management API.
Generating an API key:
- Go to Settings → Security → API Keys → New API Key
- Name the key (e.g., "Integration service production")
- Select scopes:
  - fhir:read — Read FHIR resources
  - fhir:write — Create and update FHIR resources
  - workflows:run — Trigger workflow executions via API
  - pipelines:* — Full access to pipeline operations
  - agents:execute — Execute AI agents via API
  - agent/{uuid}:execute — Execute a specific agent by ID
  - agent/{uuid}:read — Read a specific agent's configuration
  - organization:write — Modify organization settings
  - admin:read — Read user and organization metadata

  Tip: Scopes support resource-specific targeting using the format resource/{uuid}:permission. For example, agent/550e8400-e29b-41d4-a716-446655440000:execute grants execution access to a single agent. Use this for fine-grained access control when integrating with external systems.
- Set an expiry date (or leave blank for no expiry — not recommended for production)
- Click Generate
The key is shown once at creation time. Copy it immediately and store it in a secrets manager — TietAI does not display the key again after you close the dialog.
Revoking an API key: Go to Settings → Security → API Keys, find the key, and click Revoke. The key is invalidated immediately. Any service using it will receive 401 Unauthorized responses until updated with a new key.
All API key usage is recorded in the audit log.
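To reason about what a given key can do, it helps to see the scope grammar as code. The following is an added example (not TietAI's own implementation) of a scope parser and authorization check for the three forms the page documents: resource:permission, resource:* and resource/{uuid}:permission. Two points are this example's assumptions rather than documented behaviour: that a collection scope such as agents:execute covers every agent (the COLLECTIONS mapping ties the plural scope name to the singular resource used in agent/{uuid} scopes), and that the {uuid} part must be a well-formed UUID.

```python
"""Scope matching for TietAI-style API keys.

Added example, not TietAI's own code. Assumptions: a plural collection
scope (agents:execute, pipelines:*) covers every instance of the singular
resource, the {uuid} in an instance scope must be a well-formed UUID, and a
request with resource_id=None is collection-wide (e.g. listing agents) and
therefore must not be satisfied by an instance-scoped key.
"""
import uuid
from dataclasses import dataclass
from typing import Optional

# Assumption: plural scope name -> singular resource type used in instance scopes.
COLLECTIONS = {"agents": "agent", "pipelines": "pipeline", "workflows": "workflow"}


@dataclass(frozen=True)
class Scope:
    resource: str               # singular resource type, e.g. "agent", "fhir"
    resource_id: Optional[str]  # None = every instance of the resource
    permission: str             # "read", "write", "execute", "run" or "*"


def parse_scope(text):
    """Parse one scope string; raises ValueError on anything malformed."""
    if text.count(":") != 1:
        raise ValueError(f"scope must look like resource[/uuid]:permission: {text!r}")
    left, permission = text.split(":")
    if "/" in left:
        resource, rid = left.split("/", 1)
        try:
            rid = str(uuid.UUID(rid))  # validates and normalises to lowercase
        except ValueError:
            raise ValueError(f"resource id is not a UUID: {text!r}") from None
    else:
        resource, rid = left, None
    if not resource or not permission:
        raise ValueError(f"empty resource or permission: {text!r}")
    return Scope(COLLECTIONS.get(resource, resource), rid, permission)


def is_valid_scope(text):
    try:
        parse_scope(text)
        return True
    except ValueError:
        return False


def scope_grants(scope, resource, resource_id, permission):
    """Does one scope authorise (resource, resource_id, permission)?"""
    if scope.resource != resource:
        return False
    if scope.resource_id is not None:
        # Instance-scoped: only that one instance, never a collection-wide request.
        if resource_id is None or scope.resource_id != resource_id.lower():
            return False
    return scope.permission == "*" or scope.permission == permission


def key_allows(scopes, resource, resource_id, permission):
    """A key authorises a request if any of its scopes grants it."""
    return any(scope_grants(s, resource, resource_id, permission) for s in scopes)


if __name__ == "__main__":
    # Constructed key: read-only FHIR access plus execution of a single agent.
    key = [parse_scope(s) for s in
           ["fhir:read", "agent/550e8400-e29b-41d4-a716-446655440000:execute"]]
    print(key_allows(key, "fhir", None, "read"))                                        # True
    print(key_allows(key, "fhir", None, "write"))                                       # False
    print(key_allows(key, "agent", "550e8400-e29b-41d4-a716-446655440000", "execute"))  # True
    print(key_allows(key, "agent", None, "execute"))                                    # False
```

The instance-scope rule is the one that matters for least privilege: a key scoped to agent/{uuid}:execute should fail a request to enumerate or run any other agent, and an integration that only needs to run one agent should get exactly that scope rather than agents:execute. Pair the narrow scope with the expiry date the page recommends so a leaked key has a bounded blast radius in both resources and time.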