Skip to content
Argy
Book a demo

Administrator Guide

Complete guide for Argy administrators: user management, SSO, quotas, audit, and security.

This guide walks you through the day-to-day administration of your Argy tenant.

Accessing the Admin Console

  1. Log in to portal.argy.cloud
  2. Click on your avatar in the top right corner
  3. Select Administration

Note: Only users with the Admin or Platform Engineer role have access to the admin console.

User Management

Inviting a User

  1. Go to AdministrationUsers
  2. Click Invite a user
  3. Fill in the form:
    • Email: user's email address
    • Role: select the appropriate role
    • Teams: assign to one or more teams (optional)
  4. Click Send invitation

The user will receive an email with a link to activate their account.

Available Roles

RoleDescriptionPermissions
AdminTenant administratorFull access, user and settings management
Platform EngineerPlatform engineerModule management, Golden Paths, agents
Product ManagerProduct managerProduct management, roadmaps, approvals
UserStandard userModule usage, Argy Code
ApproverApproverApproval workflow validation
ViewerRead-onlyView only, no modifications

Modifying a User

  1. Go to AdministrationUsers
  2. Click on the user to modify
  3. Edit the information:
    • Role
    • Teams
    • Status (active/disabled)
  4. Click Save

Disabling a User

  1. Go to AdministrationUsers
  2. Click on the user
  3. Click Disable user
  4. Confirm the action

Important: Disabling immediately revokes all access. Active tokens are invalidated.

SSO Configuration

Argy supports SSO authentication via SAML 2.0 and OpenID Connect (OIDC).

Azure AD Configuration (OIDC)

Step 1: Create an application in Azure AD

  1. Log in to the Azure portal
  2. Go to Azure Active DirectoryApp registrations
  3. Click New registration
  4. Configure:
    • Name: Argy
    • Redirect URI: https://api.argy.cloud/auth/callback/azure
  5. Note the Application (client) ID and Directory (tenant) ID

Step 2: Create a client secret

  1. In the application, go to Certificates & secrets
  2. Click New client secret
  3. Note the secret value (it won't be visible again)

Step 3: Configure in Argy

  1. Go to AdministrationAuthenticationSSO
  2. Click Configure Azure AD
  3. Fill in:
    • Client ID: the Application ID noted earlier
    • Client Secret: the created secret
    • Tenant ID: the Directory ID
  4. Click Test connection
  5. If the test succeeds, click Enable

Okta Configuration (OIDC)

Step 1: Create an application in Okta

  1. Log in to your Okta console
  2. Go to ApplicationsCreate App Integration
  3. Select OIDC - OpenID Connect and Web Application
  4. Configure:
    • App integration name: Argy
    • Sign-in redirect URIs: https://api.argy.cloud/auth/callback/okta
    • Sign-out redirect URIs: https://portal.argy.cloud
  5. Note the Client ID and Client Secret

Step 2: Configure in Argy

  1. Go to AdministrationAuthenticationSSO
  2. Click Configure Okta
  3. Fill in:
    • Okta Domain: your-domain.okta.com
    • Client ID: the noted Client ID
    • Client Secret: the secret
  4. Click Test connection
  5. If the test succeeds, click Enable

SAML 2.0 Configuration (Generic)

  1. Go to AdministrationAuthenticationSSO
  2. Click Configure SAML
  3. Download the Argy metadata (SP Metadata)
  4. Import them into your IdP
  5. Retrieve your IdP metadata
  6. Upload them to Argy
  7. Configure attribute mapping:
    • email → your IdP's email attribute
    • firstName → first name attribute
    • lastName → last name attribute
    • groups → groups attribute (optional)
  8. Click Enable

Enforcing SSO Authentication

Once SSO is configured, you can force all users to use it:

  1. Go to AdministrationAuthentication
  2. Enable Enforce SSO authentication
  3. Users will no longer be able to log in with email/password

Warning: Keep at least one admin account with email/password access in case of SSO issues.

Branding & Custom Domain (Growth+)

Give your tenant a dedicated brand and portal URL.

Configure a custom portal domain

  1. Create a DNS CNAME record for your portal subdomain (example: portal.your-company.com).
  2. Point the CNAME target to portal.argy.cloud.
  3. In AdministrationSettingsBranding, enter your custom domain.
  4. Save and wait for DNS propagation (up to 24h).
  1. In AdministrationSettingsBranding, set:
    • Brand name
    • Logo URL (HTTPS, square PNG or SVG recommended)
  2. Save to apply across the portal and outbound communications.

LLM Gateway Filters (RGPD)

Admins can tune data filters directly in the portal:

  1. Go to AdministrationSettingsLLM Gateway.
  2. Choose PII filtering mode: Mask, Block, or Off.
  3. Choose secret filtering mode: Mask, Block, or Off.
  4. Select the output policy: Mask output or Block output.
  5. Save to apply the policy across LLM Gateway requests.

Quota Management

LLM Quotas (Credits)

Credits control LLM Gateway usage. 1 credit = 1 million tokens.

Configure default quotas:

  1. Go to AdministrationQuotasLLM
  2. Set quotas by role:
    • Admin: unlimited or specific value
    • Platform Engineer: e.g., 500 credits/month
    • User: e.g., 100 credits/month
  3. Click Save

Configure individual quota:

  1. Go to AdministrationUsers
  2. Click on the user
  3. In the Quotas section, modify the value
  4. Click Save

Configure alerts:

  1. Go to AdministrationQuotasAlerts
  2. Configure alert thresholds:
    • Warning: e.g., 80% of quota
    • Critical: e.g., 95% of quota
  3. Configure alert recipients
  4. Click Save

Deployment Quotas

Limit the number of deployments per period:

  1. Go to AdministrationQuotasDeployments
  2. Configure:
    • Deployments per day: e.g., 50
    • Deployments per hour: e.g., 10
  3. Click Save

Viewing Usage

  1. Go to AdministrationUsage
  2. View the charts:
    • LLM usage by user
    • LLM usage by model
    • Deployments by product
    • 30-day trends

Audit and Logs

Viewing Audit Logs

  1. Go to AdministrationAudit
  2. Use the filters:
    • Period: last 24h, 7 days, 30 days, custom
    • User: filter by user
    • Action: login, logout, deploy, approve, etc.
    • Resource: product, module, user, etc.

Audited Event Types

CategoryEvents
AuthenticationLogin, Logout, Failed login, MFA enabled
UsersCreation, Modification, Deactivation, Invitation
ProductsCreation, Modification, Deletion
DeploymentsStart, Success, Failure, Cancellation
ApprovalsRequest, Approval, Rejection
LLMRequest, Quota exceeded, Filter triggered
ConfigurationSSO modified, Quotas modified, Agent added

Exporting Logs

  1. Go to AdministrationAudit
  2. Apply your filters
  3. Click Export
  4. Choose the format:
    • CSV: for Excel/Google Sheets
    • JSON: for SIEM integration
  5. Download the file

SIEM Integration

To send logs in real-time to your SIEM:

  1. Go to AdministrationIntegrationsSIEM
  2. Configure the webhook:
    • URL: your SIEM endpoint
    • Format: JSON or CEF
    • Events: select the types to send
  3. Click Test
  4. If the test succeeds, click Enable

Team Management

Creating a Team

  1. Go to AdministrationTeams
  2. Click Create a team
  3. Fill in:
    • Name: e.g., "Backend Team"
    • Description: team description
    • Lead: responsible user
  4. Click Create

Assigning Members

  1. Go to AdministrationTeams
  2. Click on the team
  3. In the Members tab, click Add
  4. Select the users
  5. Click Add to team

Assigning Products

  1. Go to AdministrationTeams
  2. Click on the team
  3. In the Products tab, click Assign
  4. Select the products
  5. Set permissions:
    • Read: view only
    • Write: modification allowed
    • Admin: full management
  6. Click Assign

Agent Management

Viewing Connected Agents

  1. Go to AdministrationAgents
  2. View the agent list:
    • Name: agent identifier
    • Status: Connected, Disconnected, Error
    • Last activity: timestamp
    • Version: agent version

Creating a New Agent

  1. Go to AdministrationAgents
  2. Click Create an agent
  3. Fill in:
    • Name: e.g., agent-prod-paris
    • Description: location, usage
    • Tags: for routing (e.g., "production", "europe")
  4. Click Create
  5. Copy the token (it won't be displayed again)

Revoking an Agent

  1. Go to AdministrationAgents
  2. Click on the agent
  3. Click Revoke
  4. Confirm the action

Important: Revocation is immediate. The agent will be disconnected and won't be able to reconnect.

Security Settings

Password Policy

  1. Go to AdministrationSecurityPasswords
  2. Configure:
    • Minimum length: e.g., 12 characters
    • Complexity: uppercase, lowercase, numbers, symbols
    • Expiration: e.g., 90 days
    • History: e.g., last 5 passwords forbidden
  3. Click Save

Sessions

  1. Go to AdministrationSecuritySessions
  2. Configure:
    • Session duration: e.g., 8 hours
    • Maximum inactivity: e.g., 30 minutes
    • Simultaneous sessions: e.g., 3 maximum
  3. Click Save

IP Restrictions

  1. Go to AdministrationSecurityIP Restrictions
  2. Add authorized IP ranges:
    • CIDR: e.g., 192.168.1.0/24
    • Description: e.g., "Paris Office"
  3. Enable Block unauthorized IPs
  4. Click Save

Warning: Make sure to include your current IP before enabling restrictions.

Notifications

Configuring Email Notifications

  1. Go to AdministrationNotificationsEmail
  2. Configure events:
    • Deployment failed: ✅
    • Quota reached: ✅
    • New user: ✅
    • Pending approval: ✅
  3. Configure default recipients
  4. Click Save

Configuring Webhooks

  1. Go to AdministrationNotificationsWebhooks
  2. Click Add a webhook
  3. Configure:
    • URL: destination endpoint
    • Events: select the types
    • Secret: for HMAC signature (optional)
  4. Click Test
  5. If the test succeeds, click Enable

Backup and Restore

Exporting Configuration

  1. Go to AdministrationSettingsExport
  2. Select items to export:
    • SSO configuration
    • Quotas
    • Teams
    • Policies
  3. Click Export
  4. Download the JSON file

Importing Configuration

  1. Go to AdministrationSettingsImport
  2. Upload the JSON file
  3. Preview the changes
  4. Click Apply

Troubleshooting

A user cannot log in

  1. Verify the user is active in AdministrationUsers
  2. Check IP restrictions if enabled
  3. Review audit logs for login errors
  4. If SSO, verify the configuration on the IdP side

Quotas are not updating

  1. Check the billing period in AdministrationQuotas
  2. Quotas reset at the beginning of each month
  3. Contact support if the issue persists

An agent is not connecting

  1. Verify the token has not been revoked
  2. Check network connectivity to api.argy.cloud:443
  3. Review the agent logs
  4. Regenerate a new token if necessary