
Administration

This reference page documents organization-level administration capabilities for IT administrators and health system admins. For step-by-step how-to guides on user and connector management, see Set Up Your Organization.


User management

Users are managed under Settings → Users. See Set Up Your Organization for invitation and role assignment steps.

User accounts are always associated with exactly one organization. A person who needs access to multiple organizations requires a separate account in each.


Role-based access control

TietAI uses a role-based access model with four core roles. Permissions are enforced at both the UI layer and the API layer — a Viewer cannot perform write operations via the API even with a valid API key.

  • Platform Manager — Globally-scoped role for managing TietAI platform-level resources such as base agent templates and Hydra Studio settings. Sits above Admin for platform-level operations.
  • Admin — Organization administrator with full control over users, connectors, workflows, and settings within their organization.
  • Clinician — Clinical user who can view patient data, build and run workflows, and create reports.
  • Viewer — Read-only access to dashboards, patient records, workflows, and reports.

Permission matrix

Permission | Platform Manager | Admin | Clinician | Viewer
Manage base agent templates
Manage Hydra Studio settings
Access Medical Inference space
View dashboard
View patient list
View patient detail record
Export patient data
Add / edit patient notes
Trigger manual patient sync
View workflows
Create and edit workflows
Run workflows
Delete workflows
Schedule workflows
View execution history
View reports
Create custom reports
View connectors
Create / edit / delete connectors
Test connectors
Invite users
Change user roles
Deactivate users
Configure SSO
View audit logs
Export audit logs
Manage API keys
Configure data retention
Configure IP allowlist

Authentication options

TietAI supports three authentication methods. Only one SSO method (SAML 2.0 or OIDC) can be active at a time; local authentication can coexist with SSO unless SSO-only mode is enforced.

Local authentication

Default method. Users authenticate with an email address and a password that meets TietAI's password policy (minimum 12 characters, mixed case, numbers, and special characters). Passwords are hashed using bcrypt.

Password reset: Users can reset their own password using the Forgot password link on the login page. Admins can force a password reset from Settings → Users → [user] → Force Password Reset.

SAML 2.0

Configure under Settings → Authentication → SAML 2.0.

Required from your identity provider:

  • SSO URL (the IdP's SAML endpoint)
  • Entity ID
  • X.509 signing certificate

Required from TietAI (to configure in your IdP):

  • Service Provider Entity ID: https://api.tiet.ai/auth/saml/metadata
  • ACS URL: https://api.tiet.ai/auth/saml/acs
  • Download the SP metadata XML from Settings → Authentication → Download SP Metadata

Attribute mapping: TietAI reads email, given_name, and family_name from the SAML assertion. Configure your IdP to include these attributes.

OIDC

Configure under Settings → Authentication → OIDC.

Required:

  • Discovery URL (/.well-known/openid-configuration endpoint of your IdP)
  • Client ID
  • Client secret

TietAI's redirect URI (register this in your IdP application):

https://<your-org>.tiet.ai/auth/oidc/callback

Scopes required: openid email profile


Session management

Session timeout: By default, user sessions expire after 8 hours of inactivity. Admins can change this under Settings → Security → Session timeout. Available options: 1 hour, 4 hours, 8 hours, 24 hours, No timeout (not recommended for shared workstations).

Active sessions: Go to Settings → Security → Active Sessions to view all current login sessions for your organization. Admins can terminate any session immediately — useful if a device is lost or a user should be locked out immediately.

Session token rotation: Tokens are rotated on every request that changes application state (write operations). This limits the window of exposure if a token is intercepted.


Data retention

By default, data in TietAI is retained as follows:

Data type | Default retention
FHIR patient records | Indefinite
Workflow execution history | 90 days
Audit logs | 12 months (minimum)
Patient notes | Indefinite
Device readings (Observations) | 2 years
Generated reports | 1 year

To configure custom retention periods, go to Settings → Data → Retention Policy and set per-data-type retention rules. Retention changes apply prospectively — existing data within the old retention window is not immediately deleted.

To request deletion of specific records or a full organization data purge, contact TietAI support.


Audit logs

Audit logs record every significant action in TietAI at the API level. They cannot be edited or deleted.

Accessing audit logs: Go to Settings → Audit Logs

Logged events:

Category | Examples
Authentication | Login success, login failure, logout, SSO login, password reset
Data access | Patient record viewed, FHIR resource fetched via API
Data modification | FHIR resource created/updated via workflow, patient record exported
Workflow actions | Pipeline created, edited, deleted, executed, scheduled
Admin actions | User invited, role changed, user deactivated, connector created/revoked, SSO configured
API access | API key generated, API key revoked, API request with key

Log format: Each entry contains:

  • Timestamp (UTC, ISO 8601)
  • User ID and display name
  • IP address and user agent
  • Action type
  • Resource type and ID
  • Outcome (success / failure)
  • Additional context (e.g., which fields were changed)

Exporting: Click Export → choose CSV or PDF. Large exports (>10,000 rows) are generated asynchronously and emailed to the requesting admin when ready.
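The export is what an admin has to work with for detection, so here is an added example (not TietAI code) of a small detection pass over an exported audit log. The CSV column names are assumed from the field list above; TietAI's actual export header may differ. The rows are constructed for the example, as are the thresholds and the "working hours" window, which an organization would tune to its own schedule.

```python
"""Detection pass over an exported TietAI audit-log CSV.

Added example, not TietAI code. Column names are assumed from the documented
log-entry fields; the real export header may differ. All rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data).
SAMPLE_CSV = """\
timestamp,user_id,display_name,ip,user_agent,action,resource_type,resource_id,outcome,context
2024-05-01T08:00:05Z,u-12,Dr Example,203.0.113.50,Mozilla/5.0,login,session,-,failure,bad password
2024-05-01T08:00:21Z,u-12,Dr Example,203.0.113.50,Mozilla/5.0,login,session,-,failure,bad password
2024-05-01T08:00:40Z,u-12,Dr Example,203.0.113.50,Mozilla/5.0,login,session,-,failure,bad password
2024-05-01T08:00:58Z,u-12,Dr Example,203.0.113.50,Mozilla/5.0,login,session,-,failure,bad password
2024-05-01T08:01:10Z,u-12,Dr Example,203.0.113.50,Mozilla/5.0,login,session,-,failure,bad password
2024-05-01T08:01:30Z,u-12,Dr Example,203.0.113.50,Mozilla/5.0,login,session,-,success,
2024-05-01T08:05:00Z,u-12,Dr Example,203.0.113.50,Mozilla/5.0,patient_record_exported,Patient,p-881,success,csv
2024-05-01T09:15:00Z,u-7,Nurse Example,10.0.0.23,Mozilla/5.0,patient_record_viewed,Patient,p-102,success,
2024-05-01T22:40:00Z,u-7,Nurse Example,198.51.100.9,curl/8.0,patient_record_exported,Patient,p-102,success,csv
"""

FAILURE_THRESHOLD = 5                  # assumed tuning: this many failed logins
FAILURE_WINDOW = timedelta(minutes=5)  # from one IP inside this window


def parse_rows(text):
    """Parse the CSV and attach a datetime for the ISO 8601 UTC timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def login_failure_bursts(rows):
    """IPs with >= FAILURE_THRESHOLD login failures inside FAILURE_WINDOW.
    Returns {ip: total_failures} for flagged IPs."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["action"] == "login" and r["outcome"] == "failure":
            by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: any THRESHOLD consecutive failures inside WINDOW.
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            if times[i + FAILURE_THRESHOLD - 1] - times[i] <= FAILURE_WINDOW:
                flagged[ip] = len(times)
                break
    return flagged


def success_after_failures(rows):
    """Successful logins preceded by >= FAILURE_THRESHOLD failures from the
    same IP inside FAILURE_WINDOW: the pattern worth paging on, because a
    burst of failures that ends in success may be a guessed credential."""
    failures = [r for r in rows if r["action"] == "login" and r["outcome"] == "failure"]
    hits = []
    for r in rows:
        if r["action"] != "login" or r["outcome"] != "success":
            continue
        recent = [f for f in failures
                  if f["ip"] == r["ip"] and r["ts"] - FAILURE_WINDOW <= f["ts"] < r["ts"]]
        if len(recent) >= FAILURE_THRESHOLD:
            hits.append((r["user_id"], r["ip"], r["timestamp"]))
    return hits


def exports_outside_hours(rows, start_hour=7, end_hour=19):
    """Patient data exports logged outside an assumed working window (UTC hours).
    Exports are the highest-impact data-modification event on this page, so
    off-hours ones deserve a review queue."""
    return [(r["user_id"], r["ip"], r["resource_id"], r["timestamp"])
            for r in rows
            if r["action"] == "patient_record_exported"
            and not (start_hour <= r["ts"].hour < end_hour)]


if __name__ == "__main__":
    data = parse_rows(SAMPLE_CSV)
    print("failure bursts:", login_failure_bursts(data))
    print("success after failures:", success_after_failures(data))
    print("off-hours exports:", exports_outside_hours(data))
```

Because audit logs are append-only and exported rather than streamed, a pass like this is best scheduled against the daily export; for exports over 10,000 rows, run it on the asynchronously delivered file rather than a truncated interactive one.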


Security

Encryption

  • At rest: AES-256 encryption for all data in the database and object storage
  • In transit: TLS 1.3 for all connections between clients and TietAI servers
  • Key management: Encryption keys are managed using Google Cloud KMS with automatic rotation every 90 days

HIPAA compliance

TietAI is designed to support HIPAA-compliant deployments:

  • Business Associate Agreement (BAA): Required before using TietAI with Protected Health Information (PHI). Contact your TietAI account manager to execute a BAA.
  • PHI handling: All PHI is isolated per organization. TietAI staff access to customer data requires multi-person authorization and is fully logged.
  • Audit requirements: TietAI's audit log covers the access and activity logging required by the HIPAA Security Rule.
  • Minimum necessary: Role-based access control enforces the HIPAA minimum necessary standard.

Backup and recovery

  • Backup frequency: Automated daily backups of all databases and object storage
  • Backup retention: 30 days of daily backups; 12 months of monthly backups
  • Recovery point objective (RPO): 24 hours (you may lose up to one day of data in a disaster scenario)
  • Recovery time objective (RTO): 4 hours for a full organization restore
  • To request a data restore: submit a support ticket via Help → Contact Support with the org ID, data type, and target restore date

IP allowlisting

Restrict TietAI access to specific IP address ranges — useful for organizations that want users to access TietAI only from corporate networks or VPNs.

  1. Go to Settings → Security → IP Allowlist
  2. Click Add IP Range
  3. Enter a single IP address or a CIDR range (e.g., 10.0.0.0/8 or 203.0.113.50/32)
  4. Add a label (e.g., "Corporate VPN" or "Hospital network")
  5. Click Save

After saving, requests from IP addresses not on the allowlist receive a 403 Forbidden response.

Caution

Before enabling IP allowlisting, add your own current IP address to the allowlist. If you lock yourself out, contact TietAI support — they can disable the allowlist from the backend.
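The allowlist check and the lockout preflight from the note above, as an added example in Python (not TietAI's implementation). It models the documented behaviour: entries are single addresses or CIDR ranges with a label, and anything not listed gets 403. The allowlist entries and client addresses are constructed.

```python
"""IP allowlist evaluation plus a self-lockout preflight.

Added example, not TietAI code. Models the documented settings: single IPs or
CIDR ranges with labels, and a 403 for any request from an unlisted address.
"""
import ipaddress

# Constructed allowlist in the shape of the settings page: (range, label).
ALLOWLIST = [
    ("10.0.0.0/8", "Hospital network"),
    ("203.0.113.50/32", "Corporate VPN egress"),
]


def compile_allowlist(entries):
    """Parse each entry once. A bare address (no prefix) is accepted and
    becomes a single-host network; strict=False tolerates host bits set."""
    compiled = []
    for cidr, label in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        compiled.append((net, label))
    return compiled


def match(networks, client_ip):
    """Return the label of the first range containing client_ip, else None.
    IPv4 and IPv6 never match each other."""
    addr = ipaddress.ip_address(client_ip)
    for net, label in networks:
        if addr.version == net.version and addr in net:
            return label
    return None


def decide(networks, client_ip):
    """HTTP status the edge should return: 200 if allowlisted, else 403
    (the documented response for unlisted addresses)."""
    return 200 if match(networks, client_ip) else 403


def safe_to_enable(networks, admin_ip):
    """Lockout preflight: only enable the allowlist if the administrator's
    own current address is covered by it."""
    return match(networks, admin_ip) is not None


if __name__ == "__main__":
    nets = compile_allowlist(ALLOWLIST)
    for ip in ("10.12.3.4", "203.0.113.50", "203.0.113.51", "198.51.100.9"):
        print(ip, decide(nets, ip), match(nets, ip))
    print("safe to enable from 198.51.100.9:", safe_to_enable(nets, "198.51.100.9"))
```

The decision is only as good as the address the service sees: behind a proxy or load balancer, the allowlist must be evaluated on the connecting address or on a forwarded header set by a trusted hop, never on a client-supplied X-Forwarded-For value.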


API access management

TietAI provides API keys for programmatic access to the FHIR API and the TietAI management API.

Generating an API key:

  1. Go to Settings → Security → API Keys → New API Key

  2. Name the key (e.g., "Integration service production")

  3. Select scopes:

    • fhir:read — Read FHIR resources
    • fhir:write — Create and update FHIR resources
    • workflows:run — Trigger workflow executions via API
    • pipelines:* — Full access to pipeline operations
    • agents:execute — Execute AI agents via API
    • agent/{uuid}:execute — Execute a specific agent by ID
    • agent/{uuid}:read — Read a specific agent's configuration
    • organization:write — Modify organization settings
    • admin:read — Read user and organization metadata
    Tip

    Scopes support resource-specific targeting using the format resource/{uuid}:permission. For example, agent/550e8400-e29b-41d4-a716-446655440000:execute grants execution access to a single agent. Use this for fine-grained access control when integrating with external systems.

  4. Set an expiry date (or leave blank for no expiry — not recommended for production)

  5. Click Generate
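The scope formats listed above (resource:permission, resource:*, and resource/{uuid}:permission) are enough to write a deny-by-default matcher, so here is one as an added example in Python. It is not TietAI's evaluator, whose exact rules are not documented on this page: in particular, the page lists both a type-wide form (agents:execute) and a per-agent form (agent/{uuid}:execute), so the example has the caller state which of the two would satisfy a request rather than guessing at an alias. The 401 for a revoked key is documented; the 403 for a valid key lacking scope and the example key and agent IDs are assumptions.

```python
"""Scope matching for TietAI-style API keys (added example, not TietAI code).

Scope formats taken from the page:
  resource:permission          e.g. fhir:read
  resource:*                   e.g. pipelines:*
  resource/{uuid}:permission   e.g. agent/<uuid>:execute
The evaluation rules below are one deny-by-default interpretation of those
formats, not TietAI's documented behaviour.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

SCOPE_RE = re.compile(
    r"^(?P<resource>[a-z][a-z0-9_-]*)"       # fhir, pipelines, agent, ...
    r"(?:/(?P<id>[0-9a-fA-F-]{36}))?"        # optional /{uuid} target
    r":(?P<perm>\*|[a-z][a-z0-9_]*)$"        # permission or wildcard
)


def parse_scope(scope):
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(f"malformed scope: {scope!r}")
    return m.group("resource"), m.group("id"), m.group("perm")


def is_valid_scope(scope):
    try:
        parse_scope(scope)
        return True
    except ValueError:
        return False


def scope_grants(granted, required):
    """Does one granted scope satisfy one fully specific required scope?"""
    g_res, g_id, g_perm = parse_scope(granted)
    r_res, r_id, r_perm = parse_scope(required)
    if r_perm == "*":
        raise ValueError("a required scope must name a concrete permission")
    if g_res != r_res:
        return False
    if g_perm != "*" and g_perm != r_perm:
        return False
    # A resource-specific grant covers only that id; a type-wide grant
    # (no id) covers every id of that resource type.
    if g_id is not None and g_id != r_id:
        return False
    return True


def key_allows(key_scopes, required_any):
    """True if any granted scope satisfies any of the acceptable required
    scopes. Callers list alternatives where the page offers two forms."""
    return any(scope_grants(g, r) for g in key_scopes for r in required_any)


def required_for_agent_execute(agent_id):
    """Either the type-wide or the per-agent execute scope satisfies a request
    to execute one agent (assumed reading of the two listed forms)."""
    return ["agents:execute", f"agent/{agent_id}:execute"]


@dataclass
class ApiKey:
    name: str
    scopes: List[str]
    expires_at: Optional[datetime] = None   # None = no expiry (not recommended)
    revoked: bool = False


def authorize(key, required_any, now):
    """401 if the key is revoked (documented) or expired; 403 if the key is
    valid but lacks scope (assumed); 200 otherwise."""
    if key.revoked or (key.expires_at is not None and now >= key.expires_at):
        return 401
    if not key_allows(key.scopes, required_any):
        return 403
    return 200


if __name__ == "__main__":
    agent = "550e8400-e29b-41d4-a716-446655440000"   # UUID from the tip above
    key = ApiKey("integration-prod", [f"agent/{agent}:execute", "fhir:read"],
                 expires_at=datetime(2024, 12, 31, tzinfo=timezone.utc))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(authorize(key, required_for_agent_execute(agent), now))   # 200
    print(authorize(key, ["fhir:write"], now))                       # 403
```

The useful property to keep when integrating with an external system is the last check in scope_grants: a per-resource scope never widens to the whole resource type, so a key issued for one agent fails closed against every other agent even when the permission matches.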

The key is shown once at creation time. Copy it immediately and store it in a secrets manager — TietAI does not display the key again after you close the dialog.

Revoking an API key: Go to Settings → Security → API Keys, find the key, and click Revoke. The key is invalidated immediately. Any service using it will receive 401 Unauthorized responses until updated with a new key.

All API key usage is recorded in the audit log.