Administration

Administration is where you control who can do what in your Ema tenant, how the tenant is configured, how personally identifiable information (PII) is handled, and how every action is recorded. These pages cover the admin surfaces under the /admin routes of the AI Employee builder — governance and permissions, user management, tenant settings and single sign-on (SSO), PII and data governance, and the audit log.

Cloud-hosted. Ema runs as a managed, multi-tenant cloud service. These pages cover tenant administration only — there is no self-hosting, infrastructure, or deployment configuration to manage.

Who can administer a tenant

Access to every admin surface is governed by role-based access control (RBAC). Each user holds one role per tenant — system_admin, builder_admin, user_admin, builder, user, or no_access — and each role grants a fixed set of capabilities (for example user.invite, sso.manage_config, audit.view). The admin surfaces in this section require admin-tier roles:

  • System Admin has full administrative control: tenant settings, SSO, email domains, model providers, API keys, child tenants, PII governance, and the full audit log.
  • Builder Admin can manage model providers and API keys, and can see audit events for build resources.
  • User Admin can invite users, change roles, and revoke memberships, and can see the full audit log.

See Governance and permissions for the complete role and capability reference.

What you can administer

PageWhat it covers
Governance and permissionsThe six assignable roles, the capability taxonomy, how capabilities map to roles, and how access is enforced.
User managementInvite users by email, assign and change roles, and revoke memberships across your tenant and its child tenants.
Tenant management and SSOTenant settings and branding, SSO (OIDC and SAML), email domain claims, model providers, and API keys.
PII and data governancePII detection, per-entity display levels (original, partial, tokenized, masked), and integration egress policy.
Audit logThe tenant-wide event log, contextual activity feeds, the PII access log, and CSV export.
Security & ComplianceEncryption at rest, tenant isolation, PII detection and masking, the audit trail, and data retention with legal holds.
AI Employee export and importSave an AI Employee as a template, grant it to another tenant, import it, and the version and permission rules that govern the flow.

Where to find these screens

All admin screens live under the /admin path in the AI Employee builder:

  • /admin/roles — Governance and permissions (roles and capabilities reference)
  • /admin/members — User management (memberships)
  • /admin/tenant-management — Tenant settings, SSO, email domains, providers, and API keys (one tabbed page)
  • /admin/governance — Audit log and PII governance (one tabbed page)

What's next

Last updated: Jul 3, 2026