Configuring admin users

This article walks through the admin user creation and modification process.

Updated over 2 weeks ago

Overview

Administrative users are the foundation of a SurePath AI tenant configuration and provide the access control framework for platform management. Unlike end users who are imported through Directory Synchronization, administrative users must be added manually and are assigned specific roles that control their level of access to the platform. This separation ensures that administrative capabilities are explicitly granted rather than inherited from directory membership, providing clear control over who can configure policies, review user activity, and manage platform settings.

SurePath AI uses a role-based access control model with three distinct administrative roles, each designed for different operational responsibilities. The Owner role provides unrestricted access to all platform capabilities including user management, the Admin role enables full configuration access without the ability to manage other administrators, and the Auditor role provides read-only visibility for compliance and oversight purposes. This tiered approach allows organizations to implement least-privilege principles while ensuring that stakeholders across security, compliance, and operations teams have appropriate access to the platform.

In addition to role-based permissions, SurePath AI provides granular permission controls that can be enabled or disabled for individual administrative users. These permissions allow administrators to fine-tune access to sensitive capabilities such as viewing user prompts and conversation history, ensuring that even users within the same administrative role can have different levels of access based on organizational requirements and privacy considerations.

Understanding administrative roles

SurePath AI has three different types of administrative roles that determine what actions an administrative user can perform within the platform:

  • Owner - The Owner role can configure the entire SurePath AI platform without limitations. This includes all policy configuration, network integration, user and group management, administrative user management, and access to all audit logs and analytics. Owners have full control over the platform and are the only role that can assign administrative roles to other users or modify existing administrative permissions.

  • Admin - The Admin role can configure the entire SurePath AI platform, except that it cannot view, add, modify, or delete administrative users. This role is designed for trusted IT administrators who need to manage policies, review user activity, configure integrations, and handle day-to-day platform operations without having access to change the administrative user structure itself.

  • Auditor - The Auditor role is a read-only role that can view the configuration of the entire SurePath AI platform without the ability to make any changes. Auditors cannot view the administrative users page or see who has administrative access to the platform. This role is ideal for compliance teams, security oversight personnel, and stakeholders who need visibility into platform configuration and usage without the ability to modify settings.

The Owner role is the only role that can assign or modify administrative roles for other users. A user can only be assigned one administrative role at a time, and role changes take effect immediately upon saving. When a SurePath AI tenant is first provisioned, the initial administrator will log in as an Owner using Magic Link authentication, and the first task should be to add any additional administrative users the organization requires.

Understanding administrative permissions

In addition to role-based access control, SurePath AI provides granular permissions that can be enabled or disabled for individual administrative users. These permissions provide fine-grained control over access to sensitive capabilities, allowing administrators to customize what each administrative user can see or do beyond their base role.

View User Event Conversation History

The "View User Event Conversation History" permission controls whether an administrative user can see the full content of user prompts and model responses when reviewing User Activity logs and event details. When this permission is enabled, the administrative user can click on any user activity event and view the complete conversation history including what the user asked and what response they received from the GenAI service. When this permission is disabled, the administrative user can still see that an event occurred, view metadata such as user identity, timestamp, service accessed, and risk classification, but cannot view the actual prompt content or conversation details.

This permission is particularly important for organizations with strict privacy requirements or regulatory obligations that limit who can access user-generated content. For example, organizations might grant this permission to security investigators who need to review potential policy violations in detail, while disabling it for operational administrators who only need to monitor platform health and configuration. The permission applies to all administrative roles—Owners, Admins, and Auditors can all have this permission enabled or disabled independently based on their responsibilities.

By default, new administrative users are created with this permission enabled, but it can be toggled on or off at any time by a user with the Owner role.

Creating an admin user

Administrative users are added manually in the SurePath AI admin interface at https://admin.surepath.ai and cannot be assigned by group membership or imported through directory synchronization. This ensures explicit control over who has administrative access to the platform. To create a new administrative user, the administrator must log in as a user with the Owner role.

  • Browse to https://admin.surepath.ai and authenticate using the appropriate credentials

  • Under the CONFIGURE section in the left menu bar, expand Users and Groups, and select Admin Users

    • All existing administrative users will be listed on this page in a table showing their name, email address, and assigned role

  • Click the ADD ADMIN USER button in the upper right corner of the page

    • A new fly-out panel will appear on the right side of the screen

  • Enter the full name of the user in the Name field

    • This is typically the user's first and last name as they appear in the organization's directory

  • Enter the email address of the user in the Email field

    • This email address will be used for authentication and must be a valid email that the user can access

  • Select the administrative role for the user from the Role drop-down menu

    • Choose Owner, Admin, or Auditor based on the user's responsibilities and access requirements

  • Configure the Permissions section based on the user's role and the organization's privacy requirements

    • Enable or disable the "View User Event Conversation History" permission by clicking the toggle

    • When enabled, this permission allows the administrative user to see the full content of user prompts and model responses when reviewing User Activity

    • When disabled, the administrative user can still see event metadata but cannot view conversation content

  • Click SAVE to create the administrative user

Once saved, the new administrative user will receive an email notification with instructions to log in to the SurePath AI admin interface. The user will authenticate using the email address that was provided and will have access to platform capabilities based on their assigned role and permissions. A user with the Owner role can modify the user's role or permissions at any time by clicking on the arrow (>) on the right side of the user line in the Admin Users table and making changes in the fly-out panel that appears.

Modifying or deleting an admin user

To modify an existing administrative user's role or permissions, or to remove their administrative access entirely, the administrator must log in as a user with the Owner role. Changes to administrative users take effect immediately upon saving.

  • Browse to https://admin.surepath.ai and authenticate using the appropriate credentials

  • Under the CONFIGURE section in the left menu bar, expand Users and Groups, and select Admin Users

  • Click on the arrow (>) on the right side of the user line for the administrative user to be modified

    • A fly-out panel will appear on the right side of the screen showing the user's current name, email, role, and permissions

  • To modify the user's role, select a different option from the Role drop-down menu

  • To modify the user's permissions, toggle the "View User Event Conversation History" permission on or off as needed

  • Click SAVE to apply the changes

  • To delete the administrative user entirely, click the Delete button at the top of the fly-out panel

    • This will permanently remove the user's administrative access to the platform

    • The user will no longer be able to log in to the SurePath AI admin interface

    • This action cannot be undone, but the user can always be re-added later if needed

When deleting an administrative user, ensure that the organization maintains at least one user with the Owner role to prevent being locked out of administrative user management capabilities. If there is only one Owner who needs to be removed, another user should first be created or promoted to the Owner role before deleting the existing Owner.
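
The lockout check described above can be run before any change is saved. This is an added example, not SurePath AI code: it works on a roster the organization keeps by hand (the record format, names, and addresses are constructed), and it extends the deletion case to role changes that would demote the last Owner. It also lists who holds "View User Event Conversation History", since that permission is enabled by default.

```python
from dataclasses import dataclass

# The three administrative roles named on this page.
ROLES = {"Owner", "Admin", "Auditor"}

@dataclass(frozen=True)
class AdminUser:  # hypothetical record type, not a SurePath AI object
    email: str
    role: str
    view_history: bool = True  # page: enabled by default for new admin users

def apply_change(roster, email, new_role=None):
    """Return the roster after deleting `email` (new_role=None) or changing its role."""
    if new_role is not None and new_role not in ROLES:
        raise ValueError(f"unknown role: {new_role}")
    if email not in {u.email for u in roster}:
        raise KeyError(email)
    after = []
    for u in roster:
        if u.email != email:
            after.append(u)
        elif new_role is not None:
            after.append(AdminUser(u.email, new_role, u.view_history))
    return after

def leaves_no_owner(roster, email, new_role=None):
    """True if the planned change would leave the tenant without any Owner."""
    return not any(u.role == "Owner" for u in apply_change(roster, email, new_role))

def history_readers(roster):
    """Accounts able to read prompt and response content, for periodic review."""
    return sorted(u.email for u in roster if u.view_history)

# Constructed sample roster.
ROSTER = [
    AdminUser("owner1@example.com", "Owner"),
    AdminUser("ops@example.com", "Admin", view_history=False),
    AdminUser("audit@example.com", "Auditor"),
]

if __name__ == "__main__":
    print(leaves_no_owner(ROSTER, "owner1@example.com"))           # delete sole Owner
    print(leaves_no_owner(ROSTER, "owner1@example.com", "Admin"))  # demote sole Owner
    promoted = apply_change(ROSTER, "ops@example.com", "Owner")    # promote first
    print(leaves_no_owner(promoted, "owner1@example.com"))
    print(history_readers(ROSTER))
```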
