Administration

Manage users, roles, tenants, and security settings.

Tenant & Project Hierarchy

AIRGen organizes all data into a two-level hierarchy: tenants and projects.

A tenant is a workspace — typically one per organisation or team. Each tenant is fully isolated: its data, users, and configuration are separate from every other tenant in the system. This isolation applies to both the relational database and the Neo4j graph store.

Within a tenant, work is organized into projects. Each project contains its own requirements, documents, architecture diagrams, linksets, and baselines. Users are granted roles at either the tenant level (which applies to all projects in that tenant) or at the individual project level for more granular control.

Role-Based Access Control

AIRGen uses role-based access control (RBAC) to determine what each user can see and do. Five built-in roles are available, listed from most to least privileged:

1. Super Admin — Full system access. Can manage all tenants, users, and global settings. Intended for platform operators and IT administrators.
2. Tenant Admin — Manages a specific tenant. Can create and delete projects, invite and remove users, assign roles, and configure tenant-level settings.
3. Approver — Can perform all Author actions plus approve and release requirements. Approvers are typically senior engineers or project leads responsible for sign-off.
4. Author — Can create and edit requirements, documents, architecture blocks, linksets, and baselines. Authors are the primary content creators in a project.
5. User — Read-only access. Can view all project data but cannot create, edit, or delete anything. Suitable for stakeholders and reviewers who need visibility without edit rights.

Roles are assigned per-tenant or per-project. A user might be an Author in one project and a User (read-only) in another within the same tenant.

User Management

Tenant Admins manage users from the Settings > Users page within their tenant.

To invite a new user:

1. Navigate to Settings > Users and click Invite User.
2. Enter the user's email address and select the role to assign.
3. Click Send Invitation. The user receives an email with a link to accept the invitation and create their account.

To modify an existing user:

• Change role — Click the role badge next to the user's name and select a new role from the dropdown.
• Remove access — Click the remove button next to the user's entry. The user loses access immediately but their historical activity (audit log entries, authored requirements) is preserved.

Super Admins can manage users across all tenants from the global Admin > Users panel. This panel lists every user in the system and allows cross-tenant role assignment.

Two-Factor Authentication

Users can enable TOTP-based two-factor authentication (2FA) to add an additional verification step during login. When 2FA is enabled, signing in requires both a password and a time-based one-time code from an authenticator app.

To enable 2FA:

1. Go to Account Settings > Security.
2. Click Enable Two-Factor Authentication.
3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, or any TOTP-compatible app).
4. Enter the six-digit code displayed by your app to confirm setup.
5. AIRGen generates a set of backup codes. Save these codes in a secure location — they are your only recovery method if you lose access to your authenticator device.

Security Features

AIRGen implements multiple layers of security to protect your data and user accounts:

• Password hashing — All passwords are hashed using Argon2id, the winner of the Password Hashing Competition. Argon2id is resistant to both GPU-based attacks and side-channel attacks.
• JWT access tokens — Short-lived access tokens expire after 15 minutes. This limits the window of exposure if a token is compromised.
• HTTP-only refresh tokens — Session continuity is handled by refresh tokens stored in HTTP-only cookies. These cookies are not accessible to client-side JavaScript, mitigating XSS-based token theft.
• Rate limiting — Authentication endpoints (login, registration, password reset) are rate-limited to prevent brute-force attacks. Repeated failed attempts trigger temporary lockouts.
• Audit logging — All authentication events — logins, failed attempts, password changes, 2FA enrollment, and role changes — are logged with timestamps and IP addresses. Access the audit log from Settings > Audit Log.

Automated Backups

AIRGen runs automated encrypted backups on a daily and weekly schedule. Backups capture the full system state: the relational database, the Neo4j graph store, uploaded files, and configuration data.

To configure backups:

1. Navigate to Admin > Backups (Super Admin access required).
2. Select your remote storage provider. Supported providers include:
   • DigitalOcean Spaces
   • AWS S3
   • Backblaze B2
   • SFTP (any server with SSH access)
3. Enter your storage credentials and bucket or path information.
4. Click Test Connection to verify that AIRGen can write to the remote storage.
5. Save the configuration. Backups begin running on the next scheduled cycle.

The default retention policy keeps:

• 7 daily backups (one per day for the last week)
• 4 weekly backups (one per week for the last month)
• 12 monthly backups (one per month for the last year)

Older backups are deleted automatically according to this policy. Verify backup health at any time from the Admin > Backups dashboard, which displays the timestamp, size, and status of each backup.