Security administration guide

This guide describes the top-level administrative roles, account lifecycle procedures, and security settings available on the Method Platform.


Administrative role definitions

The Method Platform uses Relationship Based Access Control (ReBAC) to manage permissions. You assign access at the group level, not to individual users. A user’s permissions come from the groups they belong to and the access levels those groups hold on platform resources.

For details on managing group permissions, see Managing permissions.

Platform administrator

The platform administrator is the highest level of customer-facing administrative privilege on the Method Platform. You assign this role to a group. All members of that group inherit its privileges.

Platform administrators can perform the following actions that are not available to other users:

  • Create user accounts
  • Create, delete, and rename groups
  • Add and remove users from groups
  • Assign and revoke administrative privileges for other groups
  • Update tenant settings (organization name, logo, contact email, default application)
  • Create and manage SCIM integrations and tokens

Method configures the initial administrative group during platform onboarding. You can grant additional groups administrative privileges through the platform API. The platform enforces that at least one administrative group exists at all times.

Environment administrator

Environment Administrator is a tenant-level relation that you assign to a group through the Permissions tab on the Groups page in the Administration app. Groups with this relation automatically receive Administrator-level access on every Environment in the tenant. This access is inherited and cannot be modified on individual Environments.

Environment access levels

You define granular access controls at the Environment level. Assign one of three access levels to each group for each Environment through the Permissions tab on the Groups page.

Access levelPermissions
ViewerView the Environment and its data. Cannot generate new data.
EditorGenerate new data within the Environment (execute Task runs, run Operations, launch Agent sessions, manage Issues)
AdministratorFull control over the Environment, including modifying settings, managing group access, and deleting the Environment

Administration app

The Administration app provides centralized management for platform configuration. It includes sections for Environments, Tags, Issue Types, Jackals, Alerts, Cloud integrations, SCIM integrations, AI Inference, OAuth clients, API tokens, and platform settings. The API enforces actions that require administrative privileges.

For an overview of all capabilities, see Administration.


Admin account lifecycle

Setting up an administrative account

Administrative access on the Method Platform is group-based. To grant a user administrative privileges:

  1. Create or identify the user account (see account creation methods below)
  2. Add the user to a group that holds administrative privileges

Method configures the initial administrative group during platform onboarding. To assign additional groups as administrators, use the platform API.

Account creation

The platform supports two methods for creating user accounts.

SCIM provisioning (recommended)

For organizations using SSO, user accounts are provisioned automatically through your identity provider via SCIM. The platform supports integrations with Okta and Microsoft Entra ID. When you provision a user through your identity provider, the platform creates a corresponding account and synchronizes group memberships.

Your identity provider manages credentials. The platform does not store or manage passwords for SCIM-provisioned users.

For setup instructions, see the Okta SSO guide or Entra ID SSO guide.

Manual account creation

Platform administrators can create user accounts from the Users section of the Administration app by providing a first name, last name, and email address. The platform generates a one-time temporary password that must be securely shared with the user. This password is displayed once and cannot be retrieved afterward.

On first login, the user must:

  1. Change their temporary password
  2. Configure TOTP-based multi-factor authentication

Login is blocked until both steps are complete. No role or group assignment occurs at account creation time. You grant administrative privileges separately by adding the user to an administrative group.

MFA requirements

  • SCIM-provisioned accounts: MFA is enforced by your identity provider. Configure MFA policies in Okta, Entra ID, or your chosen provider.
  • Manually created accounts: The platform requires TOTP-based MFA for all users. Enrollment is mandatory during first login and cannot be bypassed or disabled.

Session management

Users can view their active sessions and terminate all sessions from the platform. Session termination logs the user out across all clients and devices immediately.

Decommissioning administrative access

To remove administrative privileges from a user, remove them from the administrative group. The user retains their account but loses admin-specific permissions.

To fully decommission a user account:

  • SCIM-provisioned accounts: Deactivate or unassign the user in your identity provider. The platform disables the account but does not permanently delete it, preserving the ability to reactivate if the user is re-provisioned. To permanently remove all users and groups from a SCIM integration, delete the integration data from the SCIM Integrations section of the Administration app.
  • Manually created accounts: Contact your Method representative to decommission the account.

Security settings reference

The following tables describe admin-controlled security settings available in the Method Platform, organized by category.

Authentication and credentials

SettingFunctionSecurity impactRecommended configuration
SSO identity providerOIDC or SAML authentication through an external identity provider, configured during onboarding with MethodCentralizes authentication and enables enforcement of organizational security policies, including MFAEnable SSO with MFA enforced at your identity provider. See SSO Overview.
SCIM integration tokensBearer tokens that authorize your identity provider to provision and deprovision users and groups. Managed in the Administration app.A compromised token allows unauthorized user provisioning. Token values are displayed once at creation.Set the shortest practical expiry (maximum 365 days). Rotate before expiration. Revoke unused tokens immediately.
API tokensPersonal access tokens for authenticating to the Method API. Managed in the Administration app.A compromised token grants API access with the permissions of the token owner.Set the shortest practical expiry (maximum 90 days). Revoke tokens when no longer needed.
OAuth client credentialsClient ID and secret for machine-to-machine API authentication. Managed in the Administration app.Compromised credentials grant API access to the platform.Rotate client secrets regularly. Delete unused clients. Secrets are displayed once at creation.

Access control

SettingFunctionSecurity impactRecommended configuration
Group permissionsViewer, Editor, or Administrator access assigned per group per Environment through the Groups page.Controls what actions each group can perform within each Environment.Follow least privilege. Grant Viewer access by default and elevate only as needed.
Environment AdministratorTenant-level relation granting implicit Administrator access to all Environments, assigned through the Groups page.Groups with this relation have full control over every Environment.Assign only to groups that require broad administrative access across all Environments.

AI and automation

SettingFunctionSecurity impactRecommended configuration
Model Provider authenticationAPI keys or credentials for connecting to LLM endpoints. Managed in the Administration app.Compromised credentials could be used to access your LLM provider account.Use scoped API keys with minimal permissions. Validate authentication before enabling. See Add a model provider.
Model DefaultsAssigns which LLM handles Large, Medium, and Small AI requests. Managed in the Administration app.Determines the capability and cost of AI features. Changing a default redirects all callers of that size class immediately.Select models appropriate for your workload. See AI Inference.
Agent PoliciesAllow, Deny, or Require Approval rules governing Agent actions with MCP Tools.Controls the scope of autonomous AI Agent behavior. Without a matching Policy, all Agent actions default to Require Approval.Default to Require Approval. Explicitly Allow only well-understood, low-risk actions. Scope Policies to specific Agents, Environments, or Tool risk levels.
Issue severity overridesOverride default Issue severity at the platform, tag, or Environment level. Managed in the Administration app.Affects how Issues are prioritized and triaged.Align with your organization’s risk tolerance and incident response procedures.
Agent auto-triggersEnable or disable Agents that run automatically when Issues are discovered. Configured per Issue type in the Administration app.Controls the scope of automated AI response to security findings.Enable selectively. Review Agent behavior before enabling in production Environments.

Platform operations

SettingFunctionSecurity impactRecommended configuration
Alert channelsSlack and Teams webhook URLs for platform event notifications. Managed in the Administration app.Controls where notifications for new Issues, completed Task runs, and other events are delivered.Configure alerts for all critical event types. Protect webhook URLs as sensitive credentials.
Cloud integrationsAWS IAM connections for cloud resource discovery and assessment. Managed in the Administration app.Grants the platform access to your cloud environment.Follow least privilege when configuring IAM roles. See the AWS Integration Guide.
Jackal configurationExecution mode, exfiltration parameters, workflow execution, and C2 parameters per Jackal. Managed in the Administration app.Controls the behavior and network footprint of deployed security agents.Configure per your operational requirements and Rules of Engagement.

For SSO configuration, see SSO Overview. For permission management, see Managing permissions. For AI model configuration, see Add a model provider. To report a security concern, see Reporting security concerns.