Admin quickstart
Welcome — you’ve been made an administrator for your organization’s SUPERWISE Chat workspace. This guide is the ordered checklist for your first week. Work through it top to bottom and you’ll have your team signing in securely, in the right roles, with the right safety controls and a workspace that looks like yours.
Each step is self-contained and links to a detailed page if you want to go deeper. You don’t have to finish everything in one sitting — but the steps are sequenced for a reason, so prefer to do them in order.
What you’ll have at the end
Section titled “What you’ll have at the end”- People sign in with your company’s existing accounts (single sign-on).
- Everyone holds the right role, with the least access they need to do their job.
- Your safety guardrails, consent defaults, and retention are set the way your organization requires.
- The workspace carries your branding.
- You’ve verified the whole thing works — by signing in as a real user and watching one message go through end to end.
Before you start
Section titled “Before you start”- An admin role. You need a Tenant Admin (or higher) role. If Settings shows only your personal preferences and no organization-wide sections, you don’t have admin access yet — ask whoever invited you.
- Access to your identity provider. For single sign-on you’ll need someone who can configure your OIDC identity provider (for example, your Okta, Entra ID, Google Workspace, or Auth0 administrator). It can be you, or you can hand them the values from Step 1.
- Your plan details. Some limits — how many people, how much monthly usage, how many knowledge collections — are set by your subscription plan. Know which plan you’re on before you tune quotas. See Model access & tiers.
- 15–30 minutes for the first pass, plus a short follow-up once SSO is live.
Step 1 — Connect single sign-on (SSO)
Section titled “Step 1 — Connect single sign-on (SSO)”Set this up first. Once SSO is in place, everything else — who can sign in, what organization they land in, what role they start with — flows from your identity provider, so you’re not managing separate Chat passwords.
- Open Settings → Identity & SSO.
- Choose your identity provider and enter its connection details (issuer URL, the keys endpoint, and the audience value for your Chat workspace).
- Map the claims so Chat knows, for each sign-in, who the person is, which organization (tenant) they belong to, and — optionally — what role they start with.
- Register the redirect URL Chat gives you back in your identity provider.
- Save, then use the Test connection flow before you roll it out to anyone else.
Full walkthrough, including provider-specific notes and claim mapping: Connect your identity provider (SSO).
Keep new-organization creation closed. For a production workspace, leave automatic tenant creation off so only the organizations you intend to onboard can sign in. Unknown organizations are turned away rather than silently created. This is the default, and it’s the safe setting — don’t change it unless you specifically need self-service onboarding.
Step 2 — Invite your people and set their roles
Section titled “Step 2 — Invite your people and set their roles”With SSO connected, your team can sign in with their existing accounts. Now decide what each person can do.
Roles in SUPERWISE Chat are layered — each higher role builds on the one beneath it, so you grant exactly the reach a person needs and nothing more. The roles you’ll use most:
| Role | Give it to | What it can do |
|---|---|---|
| Member | Everyday users | Chat, create and share conversations, use knowledge and memory |
| Project Owner | Team or workspace leads | Everything a member can do, plus manage a project’s people and knowledge |
| Governance Manager | Compliance, security, audit reviewers | Read-only oversight — view activity traces and safety alerts, export audit data; cannot change anything |
| Tenant Admin | Workspace administrators (you) | Manage members, roles, integrations, settings, and audit for the whole organization |
Two rules worth knowing up front:
- You can only assign roles below your own. This is a built-in guardrail against accidental privilege escalation.
- Governance Manager is deliberately read-only. It’s the right role for an auditor or security reviewer who must see what happened without being able to change it.
Open Settings → Users & Roles to invite people and assign roles. Details and the full role list: Users & roles.
Step 3 — Set your safety, consent, and retention controls
Section titled “Step 3 — Set your safety, consent, and retention controls”This is where you make the workspace match your organization’s policy. Three things to set:
- Guardrails. Chat reviews messages for safety at several points before, during, and after the AI answers. Confirm the guardrail configuration your organization expects is in place, and check your coverage — the share of your assistants that are protected by at least one guardrail. Aim for full coverage.
- Consent defaults. Some processing (like the AI generating an answer, and the safety review itself) is essential and always on. Optional activities — such as extracting memories from conversations or indexing documents — have tenant-level defaults you set, and individual users can adjust their own choices from there.
- Retention. Decide how long conversations stay before they’re cleaned up. Activity traces and request logs are cleaned up automatically on a fixed schedule; conversation retention is yours to configure.
Set these under Settings → Governance (and the consent and retention sections within it). Full guide, including how to read your coverage and what each control means: Governance and policy.
Audit is always on. You don’t need to switch it on. Role changes, settings changes, and safety decisions are recorded automatically, and those records can’t be edited or deleted from inside Chat — including by you. That’s by design: an audit trail you could alter wouldn’t be worth much.
Step 4 — Set usage limits to fit your plan
Section titled “Step 4 — Set usage limits to fit your plan”Your plan sets ceilings on how much your organization can use each month, and how many people, agents, and knowledge collections you can have. Within those ceilings, you can set finer limits so no single user or project consumes everything.
- Open Settings → Usage.
- Review your plan’s monthly allowance and current consumption.
- Optionally set per-user or per-project limits to spread capacity fairly.
If someone reaches their limit, their new AI requests pause until the limit resets or you raise it — their existing conversations are untouched. To raise the ceilings themselves, move up a plan yourself from Settings → Plan (Solo through Business Plus are self-serve; Enterprise is arranged with your account team). See Model access & tiers for what each plan includes.
Step 5 — Apply your branding
Section titled “Step 5 — Apply your branding”Make the workspace feel like yours so your team recognizes it as a trusted internal tool.
- Open Settings → Branding.
- Upload your logo and set your accent color and workspace name.
- Save and reload to confirm it appears in the header.
See Branding & domain for the full set of options, including a custom domain.
Step 6 — Verify it all works (do this before you announce it)
Section titled “Step 6 — Verify it all works (do this before you announce it)”Don’t take the settings on faith — watch one real message go through, end to end.
- Sign in as a normal user. Use a test account (or ask a teammate) that comes in through your new SSO connection — not your admin account. Confirm they land in the correct organization with the role you assigned.
- Send a message. Ask the AI something ordinary and confirm you get an answer, with the speed and depth you’d expect from the selected mode.
- Open the trace on that answer. Click into the response’s trust details and confirm the safety review ran. Seeing the review on a real answer is your confirmation that the guardrails you configured are reaching live traffic — for an assistant that’s fully covered.
- Check the record. Back in your admin account, open Settings → Audit and confirm the role assignment and the activity you just generated show up.
If all four pass, you’re ready to invite the rest of your team.
Worked example: onboarding a 12-person team in one afternoon
Section titled “Worked example: onboarding a 12-person team in one afternoon”You’ve been asked to stand up SUPERWISE Chat for a 12-person analytics team. Here’s the path:
- SSO (Step 1). You hand your Okta admin the issuer, keys URL, and audience from Settings → Identity & SSO, and they register the redirect URL. You map claims so each sign-in carries the person’s email, the analytics organization, and a default Member role. You run Test connection and it succeeds.
- Roles (Step 2). Eleven people come in as Member by default. You promote the team lead to Project Owner so she can manage the team’s shared knowledge, and you give your compliance reviewer Governance Manager so he can audit without touching anything.
- Controls (Step 3). You confirm guardrail coverage is full, leave memory extraction on as a tenant default (the team wants it), and set conversation retention to your firm’s 18-month standard.
- Limits (Step 4). Your plan’s monthly allowance comfortably covers 12 people, so you set a modest per-user limit just to catch runaway usage, and leave the rest headroom-shared.
- Branding (Step 5). You upload the company logo and set the accent color.
- Verify (Step 6). You ask the team lead to sign in via Okta on her own laptop. She lands in the analytics org as Project Owner, sends a question, gets a cited answer, and the trace shows the safety review ran. The role change shows in your audit log. Done — you announce it to the team.
Elapsed time: under an hour, most of it waiting on the Okta change.
Troubleshooting
Section titled “Troubleshooting”| Symptom | Likely cause | What to do |
|---|---|---|
| A user signs in but is turned away (“organization not provisioned”) | Their organization isn’t onboarded, and automatic creation is off (the safe default) | Onboard their organization deliberately, or confirm they’re meant to be in an organization you’ve already set up |
| A user lands in the wrong organization | The tenant/organization claim isn’t mapped correctly | Revisit claim mapping in Identity & SSO, Step 3 |
| New users have too much or too little access | The default-role claim isn’t set, or is set wrong | Set or correct the role claim mapping; you can always adjust a person’s role manually under Users & Roles |
| You can’t assign a role you want to give | You can only assign roles below your own | Have someone with a higher role make the assignment, or confirm the target role is correct |
| A user can’t send messages (“limit reached”) | They’ve hit a usage limit | Raise their limit under Settings → Usage, or wait for the monthly reset; to lift the ceiling itself, change your plan |
| The safety trace doesn’t appear on a test answer | You may be viewing as an account without oversight access | Verify with a Governance Manager or Tenant Admin account; see Governance and policy |
Still stuck? See Admin troubleshooting for deeper diagnostics.
Where to go next
Section titled “Where to go next”- Connect your identity provider (SSO) — the full SSO setup.
- Users & roles — the complete role model and how to assign it.
- Governance and policy — guardrails, consent, and oversight in depth.
- Model access & tiers — what your plan includes and how to change it.