Administrator Track
Audience: IT administrators, platform leads, AI governance owners
Goal: Configure and maintain VeriProof for your organization so every team member operates effectively within their role
Estimated time: ~3 hours across 7 modules
Track overview
What makes the Administrator role distinct. You are the only role with full access to every section of the portal — including billing, user management, SSO configuration, production approvals, and emergency controls. Your actions leave audit trails that other roles rely on as evidence.
| Module | Title | Time |
|---|---|---|
| 1 | Organization setup and initial configuration | 30 min |
| 2 | User provisioning and role assignment | 25 min |
| 3 | Application registration and production controls | 25 min |
| 4 | SSO, security, and API key governance | 25 min |
| 5 | Production write-lock and approval workflows | 20 min |
| 6 | Evidence infrastructure and audit readiness | 20 min |
| 7 | Emergency controls and incident response | 15 min |
Module 1 — Organization setup and initial configuration
Goal: Complete your organization’s initial VeriProof configuration so teams can start registering applications and assigning roles.
What you’ll do:
- Complete the setup wizard (if running for the first time)
- Configure tenant controls under Settings → Account → Tenant Controls
- Connect your preferred identity provider (or use VeriProof’s built-in email auth)
- Set default data retention and redaction policies
Key concepts:
- Tenant — your isolated organizational unit in VeriProof; data from other tenants never crosses this boundary
- Sandbox vs. production — sandbox environments use sample data and do not create blockchain anchors; production environments are fully governed
- Deployment context — the setup wizard is gated by a signed deployment-config.json; if the API is unreachable it fails securely
Self-assessment:
- Setup wizard completed and organization name confirmed
- Tenant controls reviewed and configured for your compliance requirements
- Default retention policy understood and adjusted if required
Module 2 — User provisioning and role assignment
Goal: Invite your team and assign the right role to each person so they only see the work that is relevant to them.
The six roles:
| Role | Assign to | Key capability |
|---|---|---|
| Administrator | Platform leads, IT administrators | Full access including billing and user management |
| Developer | ML engineers, backend engineers | SDK integration, API keys, session inspection |
| Governance Engineer | AI policy leads, risk engineers | Rego authoring, rule management, eval datasets |
| Compliance Officer | GRC analysts, risk officers | Evidence exports, audit engagements, framework mapping |
| Business Owner | Executives, product owners | Portfolio ROI, cost analytics, board reporting |
| Auditor | Internal/external auditors | Read-only engagement-scoped evidence review |
Principle of least privilege. Assign each person the lowest-privilege role that lets them do their job. Developers do not need compliance access. Governance Engineers do not need PII reveal or cost data. Keep the Administrator role to those who genuinely need production approval authority.
Self-assessment:
- All team members invited with the correct role
- No unnecessary Administrator assignments (check Settings → Team → Members)
- Custom role labels configured if your organization uses different terminology
Module 3 — Application registration and production controls
Goal: Register every AI application your organization runs so it can be governed, monitored, and included in evidence exports.
What you’ll do:
- Navigate to Applications → New Application for each application
- Set the environment (Production, Staging, Development)
- Assign a risk classification based on your initial impact assessment
- Share the API key with the Developer responsible for instrumentation
- Confirm the first session appears in the application workspace
Production controls: Once an application is in production, the production write-lock applies. Developers become read-only on production apps. Governance Engineers can author rules but activation requires your approval. This is a defence-in-depth layer on top of role permissions.
Self-assessment:
- All production AI applications registered
- Risk classifications set and documented
- At least one Developer confirmed receiving and storing the API key securely
Module 4 — SSO, security, and API key governance
Goal: Configure SSO for your identity provider and establish ongoing key hygiene.
SSO configuration: Navigate to Settings → Account → SSO Configuration. VeriProof supports OIDC-based SSO with:
- Google Workspace (OpenID Connect)
- Microsoft Entra ID (formerly Azure AD)
- Okta (OpenID Connect)
After enabling SSO, users who attempt to log in with email/password receive an error directing them to the SSO path. Test with a non-administrator account before enforcing SSO for the whole organization.
API key governance:
- API keys are application-scoped. Each application has its own keys.
- Rotate keys on a schedule or immediately after a suspected exposure.
- Use Settings → Access Log to audit when keys were used and from which IP ranges.
Self-assessment:
- SSO configured and tested with a non-administrator test account
- Key rotation schedule documented and communicated to developers
- Access log reviewed and unusual activity confirmed as expected
Module 5 — Production write-lock and approval workflows
Goal: Understand the production write-lock model and process approvals correctly so governance changes reach production safely.
What the write-lock does:
- Developer → read-only on production (can view sessions and traces; cannot change application config, keys, or rules)
- Governance Engineer → draft-only on production (can author rules, but activation requires Admin or Compliance Officer approval)
- Admin / Compliance Officer → full access on all environments (the approval authority)
Processing an approval request:
- Navigate to Applications → [Application] → Settings → Pending Approvals
- Review the change details (what rule or configuration is being activated)
- Add an approval note explaining your review rationale
- Approve or reject the request
Approval notes become part of the audit trail. Write them as if an auditor will read them — because they will. Explain why you approved or rejected, not just that you did.
Self-assessment:
- I understand which changes require my approval vs. are self-service
- At least one approval reviewed and processed with a documented rationale
- Developers and Governance Engineers understand the approval workflow
Module 6 — Evidence infrastructure and audit readiness
Goal: Verify that VeriProof’s evidence infrastructure is configured so that compliance officers and auditors can work effectively.
What to check:
- Blockchain anchoring — confirm anchor coverage is above 99% on production applications (check Analytics → Trends → Anchor coverage)
- Retention policy — verify the configured retention period meets your regulatory requirements
- Evidence packs — open the Compliance workspace and export a test evidence pack to confirm the format is acceptable for your audit process
- Audit engagements — brief your Compliance Officers on how to create and manage audit engagement records
Self-assessment:
- Blockchain anchor coverage confirmed above 99% on all production applications
- Retention policy documented and aligned to regulatory requirements
- Test evidence pack exported and reviewed
Module 7 — Emergency controls and incident response
Goal: Know how to respond immediately if a production AI application needs to be stopped, if access credentials are compromised, or if an audit requires immediate evidence preservation.
Emergency stop: Navigate to Applications → [Application] → Monitor → Emergency Stop. This suspends all session processing and creates a timestamped record that appears in every subsequent evidence export.
Emergency stop is irreversible without deliberate restart. It is designed to prevent further session ingestion while an incident is investigated. Do not use it for routine maintenance — use the Staging environment for that.
Key compromise response:
- Revoke the compromised key immediately from Applications → [Application] → Settings → API Keys
- Issue a new key and provide it to the Developer
- Review the Access Log for activity on the compromised key
- Create an incident record in your preferred ticketing system and link the VeriProof access log export
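The access-log review in the key compromise response above, and the routine audit described in Module 4, can be scripted over an exported log. This is an added example, not VeriProof code: the CSV columns (timestamp, key_id, source_ip, action), the key IDs, and the expected network range are assumptions for illustration, and the rows are constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; column names are assumed, not VeriProof's documented format.
SAMPLE_EXPORT = """timestamp,key_id,source_ip,action
2024-05-01T09:00:12Z,key_app1_a,10.20.1.15,session.ingest
2024-05-01T09:05:40Z,key_app1_a,10.20.1.16,session.ingest
2024-05-01T23:41:03Z,key_app1_a,203.0.113.77,session.ingest
2024-05-01T23:42:10Z,key_app1_a,203.0.113.77,session.read
2024-05-02T08:00:00Z,key_app2_b,10.20.2.9,session.ingest
2024-05-02T10:15:00Z,key_app1_a,198.51.100.4,session.ingest
"""

# Assumed: networks your instrumented services are expected to call from.
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def review_key_activity(export_text, key_id, expected_networks, revoked_at=None):
    """Summarise use of one key: event count, unexpected sources, rows after revocation."""
    by_source = defaultdict(list)
    unparsed = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["key_id"] != key_id:
            continue
        try:
            ip = ipaddress.ip_address(row["source_ip"])
        except ValueError:
            unparsed.append(row)  # keep malformed rows for manual review
            continue
        by_source[ip].append(row)
    # Sources outside every expected network, with the times they used the key.
    unexpected = {
        str(ip): [r["timestamp"] for r in rows]
        for ip, rows in by_source.items()
        if not any(ip in net for net in expected_networks)
    }
    # ISO 8601 UTC timestamps in a single format compare correctly as strings.
    after_revocation = [
        r for rows in by_source.values() for r in rows
        if revoked_at and r["timestamp"] > revoked_at
    ]
    return {
        "total_events": sum(len(rows) for rows in by_source.values()),
        "unexpected_sources": unexpected,
        "after_revocation": after_revocation,
        "unparsed": unparsed,
    }
```

Calling `review_key_activity(SAMPLE_EXPORT, "key_app1_a", EXPECTED_NETWORKS, revoked_at="2024-05-02T09:00:00Z")` on the sample reports five events, two unexpected sources, and one row timestamped after the revocation time; attach the resulting summary to the incident record alongside the raw export.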
Self-assessment:
- I know where the Emergency Stop control is and when to use it
- Key revocation and reissuance process tested at least once
- Incident response plan updated to reference VeriProof evidence export
What’s next?
Once you complete this track, share the right track with each team member:
- Developer Track: For ML engineers and backend developers who instrument AI applications.
- Governance Engineer Track: For policy leads and risk engineers who author and manage rules.
- Compliance Officer Track: For GRC analysts and risk officers who manage evidence and audit engagements.
- Business Owner Track: For executives and product owners who need portfolio-level visibility.
- Auditor Track: For internal and external auditors who independently verify evidence.