User and Group Management
Arbitex organizes access control around groups. Groups carry policy assignments, DLP configurations, and model access rules. Users belong to one or more groups, and their effective permissions are the union of all group-level settings. All user and group operations are available under Admin → Users and Admin → Groups.
Prerequisites
- Org Admin role
User Management
Search for a user
The user management panel includes a search autocomplete that queries the admin users API. Type part of a name or email address to filter the user list. Select a user to view their profile, group memberships, and recent activity.
Invite a user
Users who have not yet signed up can be invited by email:
- Navigate to Admin → Users.
- Click Invite User.
- Enter the user’s email address and click Send Invite.
Arbitex sends an invitation email with a signup link. The invite is valid for 7 days. After expiry, the user must be re-invited.
Manage pending invites
The Pending Invites list shows all outstanding invitations with:
- Recipient email address
- Date the invite was sent
- Expiry date
- Token prefix (for support reference)
To cancel a pending invite before it is accepted, click Cancel on the invite row.
API reference
```
# Send an invitation
POST /api/admin/users/invite
{ "email": "user@example.com" }

# List pending invites
GET /api/admin/users/invites

# Cancel a pending invite
DELETE /api/admin/users/invites/{invite_id}
```
Group Management
Groups are the primary unit of access control in Arbitex. The Group Management panel uses a three-panel layout:
- Left — group list with member count and IdP-link indicator
- Center — group detail (members, DLP overrides, compliance bundles, model access)
- Right — create or edit form (shown when adding or editing a group)
Create a group
- Navigate to Admin → Groups.
- Click New Group.
- Fill in the fields:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Display name for the group (e.g., “Engineering”, “Legal”) |
| Description | No | Free-text description of the group’s purpose |
| External Group ID | No | Links this group to an IdP-managed group. When set, SCIM provisioning controls membership and a SCIM — IdP-managed group badge is shown in the group detail. See SCIM-managed groups. |
- Click Save.
Edit a group
Select a group from the list and click Edit in the detail panel to open the edit form. You can update the name, description, and External Group ID at any time.
Delete a group
Select a group, open the edit form, and click Delete. Confirm the deletion prompt. Deleting a group removes all policy and DLP assignments associated with it but does not affect user accounts.
Add members to a group
- Select the group in the list.
- In the Members section of the detail panel, use the user search input to find users by name or email.
- Select a user from the autocomplete to add them.
Members can also be removed individually from the members list in the detail panel.
API reference
```
# List all groups
GET /api/admin/groups

# Create a group
POST /api/admin/groups
{
  "name": "Engineering",
  "description": "Engineering team",
  "external_group_id": "<entra-or-okta-group-id>"
}

# Update a group
PUT /api/admin/groups/{group_id}
{ ...same fields... }

# Delete a group
DELETE /api/admin/groups/{group_id}

# List group members
GET /api/admin/groups/{group_id}/members

# Add a member
POST /api/admin/groups/{group_id}/members
{ "user_id": "<user-uuid>" }

# Remove a member
DELETE /api/admin/groups/{group_id}/members/{user_id}
```
Per-Group DLP Configuration
Each group can have detector-level DLP overrides that apply in addition to or instead of the org-level DLP policy. Overrides are configured per detector type and specify what action to take when that detector fires for a user in this group.
Available actions
| Action | Behavior |
|---|---|
| SKIP | Disable this detector for users in this group. No action taken even if the pattern matches. |
| BLOCK | Block the request entirely when the detector fires. |
| CANCEL | Cancel the in-flight model call and return an error. |
| REDACT | Replace the matched content with a redaction marker before the request is forwarded. |
Configure DLP overrides
- Select a group in the Admin → Groups panel.
- In the group detail, navigate to the DLP tab.
- For each detector, select the action to apply for this group.
- Click Save DLP Config.
The DLP configuration is a full replacement — saving overwrites the entire previous configuration for the group. To remove all overrides, save an empty configuration.
Detectors available for override include:
- regex — custom regular expression patterns
- ner — named entity recognition (built-in model)
- gliner — GLiNER span-based entity detection
- dictionary — term and phrase blocklist matching
- bloom_filter — probabilistic set membership for large blocklists
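Because a save replaces the whole configuration, changing one detector safely means reading the current overrides, merging the change, and writing the full list back. The sketch below is an added example, not Arbitex code; it assumes `GET /api/admin/groups/{group_id}/dlp` returns the same `{"detectors": [...]}` shape that the PUT accepts, and `merge_dlp_config` is a hypothetical helper name.

```python
# Added example: build the full-replacement body for
# PUT /api/admin/groups/{group_id}/dlp from the current config plus changes.
# Assumption: GET returns the same {"detectors": [...]} shape the PUT accepts.

DETECTORS = {"regex", "ner", "gliner", "dictionary", "bloom_filter"}
ACTIONS = {"SKIP", "BLOCK", "CANCEL", "REDACT"}


def merge_dlp_config(current, changes):
    """Return (put_body, warnings).

    current -- dict as returned by GET .../dlp (assumed shape)
    changes -- {detector_type: action}, or None as the action to drop an override
    """
    # Start from every override already stored, so none is lost on save.
    merged = {}
    for entry in current.get("detectors", []):
        merged[entry["detector_type"]] = entry["action"]

    for detector, action in changes.items():
        if detector not in DETECTORS:
            raise ValueError(f"unknown detector type: {detector!r}")
        if action is None:
            merged.pop(detector, None)  # remove this group's override
            continue
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        merged[detector] = action

    # SKIP turns a detector off for the whole group; surface it for review.
    warnings = [f"{d}: SKIP disables this detector for the group"
                for d, a in sorted(merged.items()) if a == "SKIP"]
    body = {"detectors": [{"detector_type": d, "action": a}
                          for d, a in sorted(merged.items())]}
    return body, warnings


# Constructed sample: what GET might return for an existing group.
CURRENT = {"detectors": [
    {"detector_type": "regex", "action": "REDACT"},
    {"detector_type": "ner", "action": "BLOCK"},
    {"detector_type": "dictionary", "action": "SKIP"},
]}

if __name__ == "__main__":
    body, warnings = merge_dlp_config(CURRENT, {"gliner": "BLOCK"})
    print(body)
    print(warnings)
```

Sending only the changed detector in the PUT body would drop the three existing overrides; the merged body keeps them and reports the `SKIP` entry so a reviewer sees which detectors are switched off for the group.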
API reference
```
# Get DLP config for a group
GET /api/admin/groups/{group_id}/dlp

# Set DLP config for a group (full replacement)
PUT /api/admin/groups/{group_id}/dlp
{
  "detectors": [
    { "detector_type": "regex", "action": "REDACT" },
    { "detector_type": "ner", "action": "BLOCK" },
    { "detector_type": "dictionary", "action": "SKIP" }
  ]
}
```
SCIM-managed Groups
When a group’s External Group ID is set, Arbitex treats it as IdP-managed. This means:
- Group membership is controlled by the IdP via SCIM 2.0 provisioning.
- The group detail shows a SCIM — IdP-managed group badge in the center panel.
- The group list shows an Entra AD linked indicator next to the group name.
- Membership changes made manually in the Arbitex admin panel are overwritten on the next SCIM sync.
The External Group ID corresponds to the group’s object ID in your IdP (for example, the Object ID of an Entra AD security group). Set this field when creating or editing the group to link it to your directory.
For SCIM token management and sync status monitoring, see SSO Configuration → SCIM Provisioning.
Identifying IdP-managed groups
The Admin → SSO → SCIM Sync tab shows the sync status of all groups:
| Status | Meaning |
|---|---|
| Active — IdP-managed | External Group ID is set; SCIM is configured |
| Not configured — Local only | No External Group ID; membership is manual |
Use this view to confirm that expected groups are receiving IdP-driven membership updates.
Model Access Controls
Groups can have explicit model access lists that restrict which AI models members may use. Model access configuration is available in the Model Access tab of the group detail panel.
```
# Get model access list for a group
GET /api/admin/groups/{group_id}/model-access

# Add a model to a group's access list
POST /api/admin/groups/{group_id}/model-access
{ "model_id": "claude-sonnet-4-6" }

# Remove a model from a group's access list
DELETE /api/admin/groups/{group_id}/model-access/{model_id}

# Get org-wide model access defaults
GET /api/admin/model-access/org-defaults
```
See also
- SSO Configuration — SAML IdP setup and SCIM token rotation
- Groups and RBAC — group-level permission model reference
- Policy Engine Administration — assigning policy chains to groups
- Entra ID SCIM Setup — Entra-specific SCIM provisioning walkthrough