What is the Admin Portal?

The Admin Portal is MagOneAI’s control plane, designed for IT teams, platform administrators, and SuperAdmins. It’s where you manage the entire deployment: organizations, users, LLM provider configurations, and security policies. If you’re responsible for governance, security, or multi-tenant management, the Admin Portal is your command center.
Access to the Admin Portal is restricted to users with the SuperAdmin role. Organization Owners can manage their own organization but cannot access platform-wide settings.

Organization management

Organizations are the top-level tenant in MagOneAI. Each organization has completely isolated data, users, agents, workflows, and resources.

Create and configure organizations

From the Admin Portal, you can:
  • Create new organizations — Set up separate tenants for different business units, customers, or teams
  • Configure organization settings — Define organization name, metadata, and configuration
  • Delete or archive organizations — Remove organizations when they’re no longer needed

Set token usage quotas

Control LLM consumption with token-based usage quotas. Quotas can be scoped to an organization, project, use case, or individual user, and applied over a daily, weekly, or monthly window. Admins can grant top-ups, and users can submit self-serve increase requests when they hit a limit. See Usage & quotas for details.

Organization-level isolation

Every organization in MagOneAI is fully isolated:
Data isolation
  • Separate databases per organization
  • No cross-org data access
  • Independent encryption keys
Resource isolation
  • Agents scoped to organization
  • Workflows cannot reference other orgs
  • Tools and knowledge bases are private

Multi-tenancy for enterprise deployments

MagOneAI’s architecture supports enterprise multi-tenancy:
  • Host multiple customers on a single deployment
  • Each customer (organization) operates independently
  • Central governance and monitoring from Admin Portal
  • Per-org billing and usage tracking

User management

The Admin Portal gives you complete control over user access, roles, and permissions across the platform.

Invite users to organizations

Add users to specific organizations:
  1. Navigate to the organization in the Admin Portal
  2. Click Invite User
  3. Enter the user’s email address
  4. Assign a role (Org Owner, Org Member, or End User)
  5. User receives an invitation email with onboarding instructions

Bulk import users

To onboard many users at once, use Bulk User Import in the Admin Portal.
  1. Download the template

The portal provides an Excel (.xlsx) template with a Users sheet to fill in and a Workspaces reference sheet listing every active organization’s ID and name, so you can copy the right IDs.
  2. Fill in the user rows

Each row maps a user to an organization. Columns:
  • org_id (required) — the organization to add the user to
  • email (required) — the user’s email
  • display_name — the user’s name
  • role: owner, admin, or member (defaults to member if blank)
  • password — optional; if blank, a secure temporary password is generated
Listing the same email across multiple organization rows creates one user with memberships in each — no duplicates.
  3. Upload and review

Upload the filled file. You get back a result file with three sheets: Created (new users, including any generated passwords), Added (existing) (existing users given new memberships), and Errors (row number, org, email, and reason for any rows that failed). One bad row never aborts the rest of the batch.
Bulk import does not send invitation emails. Generated passwords are returned only in the result file — distribute them through a secure channel. Imports are limited to 500 rows / 5 MB per file.
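
A pre-upload check for the Users sheet described above, as an added example (not MagOneAI code). It assumes the sheet has been saved as CSV with the template's column names and that `known_orgs` holds the IDs copied from the Workspaces sheet; the sample rows are constructed. The owner and password findings are review prompts added here, not platform rules.

```python
import csv
import io
from collections import defaultdict

MAX_ROWS = 500                          # per-file limit stated on this page
ROLES = {"owner", "admin", "member"}    # role column values from this page
# Constructed sample: the Users sheet saved as CSV (an assumption).
SAMPLE = """org_id,email,display_name,role,password
org-a,ana@example.com,Ana,owner,
org-b,ana@example.com,Ana,,
org-a,bob@example.com,Bob,superuser,
,eve@example.com,Eve,member,
org-b,not-an-email,Dan,member,Summer2024
org-z,kim@example.com,Kim,admin,
org-a,ana@example.com,Ana,member,
"""

def check_import(csv_text, known_orgs):
    """Return (memberships, findings); findings are (row_number, message)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings, memberships = [], defaultdict(dict)   # email -> {org_id: role}
    if len(rows) > MAX_ROWS:
        findings.append((0, f"{len(rows)} rows exceeds the {MAX_ROWS}-row limit"))
    for n, row in enumerate(rows, start=2):         # row 1 is the header
        org = (row.get("org_id") or "").strip()
        email = (row.get("email") or "").strip().lower()
        role = (row.get("role") or "").strip().lower() or "member"
        local, _, domain = email.partition("@")
        if not org:
            findings.append((n, "org_id is required"))
        elif org not in known_orgs:
            findings.append((n, f"org_id {org!r} is not on the Workspaces sheet"))
        elif not local or "." not in domain:
            findings.append((n, f"email {email!r} is missing or malformed"))
        elif role not in ROLES:
            findings.append((n, f"role {role!r} is not owner, admin or member"))
        elif memberships[email].get(org, role) != role:
            findings.append((n, f"{email} already listed in {org} with another role"))
        else:
            memberships[email][org] = role
            if role == "owner":
                findings.append((n, f"review: {email} becomes owner of {org}"))
        if (row.get("password") or "").strip():
            findings.append((n, "plaintext password set in the sheet"))
    return dict(memberships), findings

if __name__ == "__main__":
    for row_number, message in check_import(SAMPLE, {"org-a", "org-b"})[1]:
        print(f"row {row_number}: {message}")
```
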

Require email verification

A platform-wide Require email verification setting (Super Admin → Settings → Authentication) controls whether new users must verify their email before their account is activated.
  • Enabled (default) — new users receive a verification email and must confirm before they can log in.
  • Disabled — new users are auto-verified at signup and can log in immediately.
The setting applies to all account-creation paths: self-service signup, users created by an admin within an organization, and standalone users created in the Admin Portal.

Assign roles and permissions

MagOneAI has a hierarchical role system:
  • Platform-wide access. Bypasses all permission checks across every organization and project, manages platform settings and global MCP servers, and views platform-wide stats. Set only by the platform operator.
  • Organization administrator. Everything an Admin can do, plus delete the org, manage billing and SSO, manage OAuth credentials, and promote others to Owner. Has access to all projects in the organization.
  • Manages members and projects. Can invite/remove members, change member roles (not Owner), create and delete projects, and manage organization settings.
  • Standard organization user. Accesses org resources and works in the default project as an Operator; joins team projects when explicitly added.
Within a project, members hold one of four roles: Admin (govern the project), Builder (create/edit resources), Operator (run and chat), or Viewer (read-only). In the default project these are mapped from the org role automatically. See Roles and permissions for the full breakdown.

SSO and enterprise identity

For enterprise deployments, MagOneAI supports OpenID Connect (OIDC) single sign-on with:
  • OIDC identity providers — Connect to Microsoft Entra ID, Google Workspace, and Oracle Identity Cloud Service (IDCS)
  • Just-in-time provisioning — Automatically create users on first login
  • Group-based role assignment and auto-join — Map IdP groups to MagOneAI roles and automatically add users to the right organizations
See SSO & MFA for full setup, including multi-factor authentication.

LLM provider configuration

MagOneAI supports multiple LLM providers, giving you flexibility in model selection and cost optimization.

Add cloud providers

Configure access to cloud-based LLM providers:

  • OpenAI: GPT-4, GPT-4 Turbo, GPT-3.5 Turbo
  • Anthropic: Claude Opus, Claude Sonnet, Claude Haiku
  • Google: Gemini 1.5 Pro, Gemini 1.5 Flash

Configure private model endpoints

For organizations with self-hosted models:
  • Custom API endpoints — Point to your own LLM deployments
  • Azure OpenAI — Use your Azure-hosted OpenAI instances
  • AWS Bedrock — Connect to models hosted on AWS
  • On-premise models — Integrate with self-hosted open-source models

Store API keys securely via HashiCorp Vault

Security is critical when managing LLM credentials:
  1. Navigate to LLM Providers

From the Admin Portal, go to LLM Providers in the navigation menu.
  2. Add a new provider

Click Add Provider and select the provider type (OpenAI, Anthropic, Google, or Custom).
  3. Enter credentials

Provide the API key or authentication credentials. These are never stored in the database — they’re sent directly to HashiCorp Vault.
  4. Assign to organizations

Choose which organizations can use this provider. You can make a provider available to all organizations or restrict it to specific tenants.
API keys are stored in HashiCorp Vault, not in MagOneAI’s database. This ensures credentials are encrypted at rest and in transit, with fine-grained access control and audit logging.

Assign providers to specific organizations

Control which organizations have access to which models:
  • Global providers — Available to all organizations (e.g., a company-wide OpenAI account)
  • Organization-specific providers — Restricted to one organization (e.g., a customer brings their own API key)
  • Model-level control — Enable specific models (e.g., only GPT-4 Turbo, not GPT-4)

Cost optimization strategies

Use the Admin Portal to implement cost controls:
  • Assign cheaper models (GPT-3.5, Claude Haiku) to specific organizations
  • Set per-organization provider defaults
  • Monitor usage and adjust provider assignments based on consumption

Whitelabeling & branding

You can whitelabel the entire deployment from Super Admin → Branding — replacing MagOneAI’s name and visual identity with your own across Studio, Hub, and the login pages. What you can customize:
  • Display name — shown in the top bar, sidebar, and login screen
  • Accent color — a single brand color applied to buttons, links, and highlights
  • Logo — for light backgrounds
  • Logo (inverse) — a white/light variant for dark panels like the login hero
  • Favicon — the browser-tab icon
  • Login headline & tagline — the copy on the login page
  • Support email
Branding is a per-deployment setting (not per-organization), with a live preview as you edit. Leave any field blank to fall back to the MagOneAI default. Logos accept PNG/JPG (favicon also .ico), up to 2 MB each. The login page is branded even before sign-in.
Branding is purely visual — it changes how the platform looks, never how it behaves. When a logo or display name is set, the “Powered by MagOneAI” badge is replaced by your branding.

Security policies and governance

The Admin Portal provides centralized security management for your entire MagOneAI deployment.

Data encryption policies

  • Encryption at rest — All data (workflows, execution logs, knowledge bases) is encrypted in the database
  • Encryption in transit — TLS/SSL for all API and web traffic
  • Key management — Integration with HashiCorp Vault for centralized key management

API key management

  • Centralized credential storage — All API keys (LLM providers, tool integrations) stored in Vault
  • Automatic rotation — Support for credential rotation without workflow downtime
  • Least-privilege access — Workflows only access credentials they need

Audit log access

The Admin Portal provides comprehensive audit logging:
  • User activity — Track who created, edited, or deleted resources
  • Workflow executions — Full execution history with input/output data
  • API calls — Log all API requests for compliance
  • Security events — Track authentication failures, role changes, and access attempts

Resource governance and quotas

Implement platform-wide governance with token usage quotas, scoped to organizations, projects, use cases, or individual users over daily, weekly, or monthly windows. Admins can issue top-ups and users can request increases. See Usage & quotas for details.

Analytics and monitoring

Superadmin platform dashboard

SuperAdmins get a deployment-wide dashboard with totals across organizations, projects, use cases, agents, executions, and active users. It also surfaces overall token usage, execution trends over time, an execution status breakdown, and the top organizations by activity.

Project and use-case analytics

Within a project or use case, analytics cover:
  • Execution counts and success rate
  • Average execution duration
  • Token usage over time
  • Activity-type breakdown
  • Trigger-source breakdown (in-app, chat, schedule, API)
  • Top workflows and top users
  • Recent errors
These analytics can be exported to Excel at the organization level.

Notifications

Admins can set org-wide notification channel defaults (such as email and in-app delivery) so members receive the right alerts out of the box. See Notifications for configuration details.

Best practices for platform administration

Start with test organizations — Create a sandbox organization for testing before rolling out to production teams. This lets you validate configurations, test integrations, and train users without risk.
Use organization-specific providers for customers — If you’re running a multi-tenant SaaS, let customers bring their own LLM API keys. This keeps their data with their provider and simplifies billing.
Monitor usage regularly — Check the superadmin and project analytics dashboards to track execution volumes, token usage, and user activity. This helps you spot issues before they become problems.

Next steps

  • MagOneAI Studio: Learn about the builder interface where teams create AI workflows
  • Organizations and projects: Understand the organizational hierarchy and multi-tenancy model