Security administration guide
This guide describes the top-level administrative roles, account lifecycle procedures, and security settings available on the Method Platform.
Administrative role definitions
The Method Platform uses Relationship Based Access Control (ReBAC) to manage permissions. You assign access at the group level, not to individual users. A user’s permissions come from the groups they belong to and the access levels those groups hold on platform resources.
For details on managing group permissions, see Managing permissions.
Platform administrator
The platform administrator is the highest level of customer-facing administrative privilege on the Method Platform. You assign this role to a group. All members of that group inherit its privileges.
Platform administrators can perform the following actions that are not available to other users:
- Create user accounts
- Create, delete, and rename groups
- Add and remove users from groups
- Assign and revoke administrative privileges for other groups
- Update tenant settings (organization name, logo, contact email, default application)
- Create and manage SCIM integrations and tokens
Method configures the initial administrative group during platform onboarding. You can grant additional groups administrative privileges through the platform API. The platform enforces that at least one administrative group exists at all times.
Environment administrator
Environment Administrator is a tenant-level relation that you assign to a group through the Permissions tab on the Groups page in the Administration app. Groups with this relation automatically receive Administrator-level access on every Environment in the tenant. This access is inherited and cannot be modified on individual Environments.
Environment access levels
You define granular access controls at the Environment level. Assign one of three access levels to each group for each Environment through the Permissions tab on the Groups page.
Administration app
The Administration app provides centralized management for platform configuration. It includes sections for Environments, Tags, Issue Types, Jackals, Alerts, Cloud integrations, SCIM integrations, AI Inference, OAuth clients, API tokens, and platform settings. The API enforces actions that require administrative privileges.
For an overview of all capabilities, see Administration.
Admin account lifecycle
Setting up an administrative account
Administrative access on the Method Platform is group-based. To grant a user administrative privileges:
- Create or identify the user account (see account creation methods below)
- Add the user to a group that holds administrative privileges
Method configures the initial administrative group during platform onboarding. To assign additional groups as administrators, use the platform API.
Account creation
The platform supports two methods for creating user accounts.
SCIM provisioning (recommended)
For organizations using SSO, user accounts are provisioned automatically through your identity provider via SCIM. The platform supports integrations with Okta and Microsoft Entra ID. When you provision a user through your identity provider, the platform creates a corresponding account and synchronizes group memberships.
Your identity provider manages credentials. The platform does not store or manage passwords for SCIM-provisioned users.
For setup instructions, see the Okta SSO guide or Entra ID SSO guide.
Manual account creation
Platform administrators can create user accounts from the Users section of the Administration app by providing a first name, last name, and email address. The platform generates a one-time temporary password that must be securely shared with the user. This password is displayed once and cannot be retrieved afterward.
On first login, the user must:
- Change their temporary password
- Configure TOTP-based multi-factor authentication
Login is blocked until both steps are complete. No role or group assignment occurs at account creation time. You grant administrative privileges separately by adding the user to an administrative group.
MFA requirements
- SCIM-provisioned accounts: MFA is enforced by your identity provider. Configure MFA policies in Okta, Entra ID, or your chosen provider.
- Manually created accounts: The platform requires TOTP-based MFA for all users. Enrollment is mandatory during first login and cannot be bypassed or disabled.
Session management
Users can view their active sessions and terminate all sessions from the platform. Session termination logs the user out across all clients and devices immediately.
Decommissioning administrative access
To remove administrative privileges from a user, remove them from the administrative group. The user retains their account but loses admin-specific permissions.
To fully decommission a user account:
- SCIM-provisioned accounts: Deactivate or unassign the user in your identity provider. The platform disables the account but does not permanently delete it, preserving the ability to reactivate if the user is re-provisioned. To permanently remove all users and groups from a SCIM integration, delete the integration data from the SCIM Integrations section of the Administration app.
- Manually created accounts: Contact your Method representative to decommission the account.
Security settings reference
The following tables describe admin-controlled security settings available in the Method Platform, organized by category.
Authentication and credentials
Access control
AI and automation
Platform operations
For SSO configuration, see SSO Overview. For permission management, see Managing permissions. For AI model configuration, see Add a model provider. To report a security concern, see Reporting security concerns.