Administration
Administration is where you control who can do what in your Ema tenant, how the tenant is configured, how personally identifiable information (PII) is handled, and how every action is recorded. These pages cover the admin surfaces under the /admin routes of the AI Employee builder — governance and permissions, user management, tenant settings and single sign-on (SSO), PII and data governance, and the audit log.
Cloud-hosted. Ema runs as a managed, multi-tenant cloud service. These pages cover tenant administration only — there is no self-hosting, infrastructure, or deployment configuration to manage.
Who can administer a tenant
Access to every admin surface is governed by role-based access control (RBAC). Each user holds one role per tenant — system_admin, builder_admin, user_admin, builder, user, or no_access — and each role grants a fixed set of capabilities (for example user.invite, sso.manage_config, audit.view). The admin surfaces in this section require admin-tier roles:
- System Admin has full administrative control: tenant settings, SSO, email domains, model providers, API keys, child tenants, PII governance, and the full audit log.
- Builder Admin can manage model providers and API keys, and can see audit events for build resources.
- User Admin can invite users, change roles, and revoke memberships, and can see the full audit log.
See Governance and permissions for the complete role and capability reference.
What you can administer
| Page | What it covers |
|---|---|
| Governance and permissions | The six assignable roles, the capability taxonomy, how capabilities map to roles, and how access is enforced. |
| User management | Invite users by email, assign and change roles, and revoke memberships across your tenant and its child tenants. |
| Tenant management and SSO | Tenant settings and branding, SSO (OIDC and SAML), email domain claims, model providers, and API keys. |
| PII and data governance | PII detection, per-entity display levels (original, partial, tokenized, masked), and integration egress policy. |
| Audit log | The tenant-wide event log, contextual activity feeds, the PII access log, and CSV export. |
| Security & Compliance | Encryption at rest, tenant isolation, PII detection and masking, the audit trail, and data retention with legal holds. |
| AI Employee export and import | Save an AI Employee as a template, grant it to another tenant, import it, and the version and permission rules that govern the flow. |
Where to find these screens
All admin screens live under the /admin path in the AI Employee builder:
/admin/roles— Governance and permissions (roles and capabilities reference)/admin/members— User management (memberships)/admin/tenant-management— Tenant settings, SSO, email domains, providers, and API keys (one tabbed page)/admin/governance— Audit log and PII governance (one tabbed page)
What's next
- Governance and permissions — start here to understand roles and capabilities.
- User management — invite teammates and assign roles.
- Tenant management and SSO — configure how people sign in.
- PII and data governance — control how sensitive data is shown and shared.
- Audit log — review and export the record of every action.
- Security & Compliance — the platform's encryption, isolation, audit, and retention posture.
- AI Employee export and import — move an AI Employee between tenants and environments.