Set Up Your Organization
Organization settings control users, roles, connectors, SSO configuration, and data governance for your entire TietAI workspace. This guide is intended for administrators.
Most settings described here require the Admin role. If you cannot see the Settings section in the navigation, contact your organization's TietAI administrator.
Accessing admin settings
Click Settings in the main left navigation. The Settings section is organized into the following subsections:
- Users — Manage user accounts and invitations
- Roles & Permissions — Configure role definitions
- Connectors — EHR and integration connections
- Authentication — SSO and local auth configuration
- Organization — Display name, timezone, contact email
- Audit Logs — Access and export activity logs
- Security — API keys, session management, IP allowlisting
Inviting users
- Go to Settings → Users → Invite User
- Enter the user's email address
- Assign a role (see the role table below)
- Optionally assign the user to one or more teams (used for care team notifications)
- Click Send Invite
The user receives an email from noreply@tiet.ai with a one-time setup link. The email contains:
- A welcome message with your organization's display name
- A Set up my account button that links to the TietAI login page
- Instructions for creating a password (or, if SSO is configured, instructions to sign in via SSO)
Invitation expiry: Invitations expire after 7 days. If a user does not accept within 7 days, you can resend the invitation from Settings → Users by clicking ... → Resend Invite next to their name.
Pending invitations appear in the Users list with a "Pending" badge until the user accepts.
Role table
| Role | Workflows | Patient data | Connectors | Users & settings | Audit logs |
|---|---|---|---|---|---|
| Admin | Create, run, edit, delete | Full access | Create, edit, delete, test | Full access | Full access |
| Clinician | Create, run, edit (own), view all | Full access | View and use only | None | None |
| Viewer | View and run only | Read-only | None | None | None |
Admin is the most privileged role. Assign it only to staff who are responsible for TietAI administration, IT integration, or data governance. Every organization must have at least one Admin account.
Clinician is the standard role for care team members who use TietAI daily. Clinicians can build and run workflows and access patient records, but they cannot modify connectors or invite new users.
Viewer is appropriate for stakeholders who need to review reports and dashboards without the ability to modify anything.
Be conservative with Admin assignments. Admins can delete workflows, revoke connectors, and change authentication settings. Prefer giving users the least-privileged role that lets them do their job.
Removing a user or changing their role
To remove a user:
- Go to Settings → Users
- Find the user in the list
- Click ... → Deactivate account
Deactivated users cannot log in, but their account record is preserved in the audit log for compliance purposes. To permanently delete a user, contact TietAI support.
To change a user's role:
- Go to Settings → Users
- Click the user's name to open their profile
- Click the Role dropdown and select a new role
- Click Save
Role changes take effect immediately — the user's next page load will reflect the new permissions.
SSO configuration
Single Sign-On allows your users to authenticate with TietAI using your organization's identity provider (IdP) — Microsoft Entra ID, Okta, Google Workspace, and others.
Go to Settings → Authentication.
SAML 2.0
SAML is recommended for enterprise deployments using Microsoft Entra ID, Okta, or PingFederate.
You will need:
- Your IdP's SSO URL (SAML endpoint)
- Your IdP's Entity ID
- Your IdP's X.509 certificate
TietAI's Service Provider metadata (needed to configure your IdP) is available at Settings → Authentication → Download SP Metadata.
OIDC
OIDC is recommended for cloud-native identity providers like Keycloak, Auth0, or Google Workspace.
You will need:
- Discovery URL (usually
https://<your-idp>/.well-known/openid-configuration) - Client ID and Client secret from your IdP application
After saving the OIDC configuration, test it using the Test SSO button. TietAI will initiate an SSO login flow in a new window and confirm whether the configuration works before you enforce it.
When SSO is enabled, users can still log in with email/password unless you enable SSO enforced mode. In enforced mode, password login is disabled for all non-admin accounts.
Connector management
Connectors are the integrations that link TietAI to your external systems. Admins can:
- View all connectors — Go to Settings → Connectors to see every connector in your organization, its type, status, and when it was last used
- Test a connector — Click ... → Test Connection at any time to verify that credentials are still valid
- Edit a connector — Update credentials, base URL, or name without recreating the connector from scratch
- Revoke a connector — Click ... → Revoke. This immediately disables the connector. Any workflow that references it will fail until a new connector is configured. You will be warned if any active workflows use the connector before revocation completes.
For setup steps per connector type, see Connect Your EHR.
Organization settings
Go to Settings → Organization to configure:
| Setting | Description |
|---|---|
| Display name | The organization name shown in the UI, reports, and notification emails |
| Timezone | Affects scheduled workflow times and timestamp display |
| Contact email | Used for system notifications and TietAI support escalations |
| Logo | Upload your organization's logo (displayed in the top-left corner and on generated reports) |
Changes take effect immediately after saving.
Audit log access
TietAI logs every significant user action. To view audit logs:
- Go to Settings → Audit Logs
- Filter by date range, user, event type, or resource type
Logged event categories:
| Event type | What is logged |
|---|---|
| Login events | Successful logins, failed login attempts, SSO logins, logouts |
| Data access | Patient record views, FHIR API reads |
| Workflow actions | Pipeline created, edited, deleted, run, scheduled |
| Admin actions | User invited, role changed, user deactivated, connector created/revoked |
| Data modifications | FHIR resource created or updated via workflow |
Exporting audit logs: Click Export in the top-right corner of the Audit Logs view. Exports are available as:
- CSV — Full raw log suitable for importing into a SIEM or audit management system
- PDF — Formatted report for compliance review
Audit logs are retained for a minimum of 12 months. Contact TietAI support to configure a longer retention period.