
People, Users & Organizations

TATER uses three distinct concepts to manage access and accountability: People (compliance contacts who can be assigned controls), Users (authenticated accounts that log into the platform), and Organizations (multi-tenant isolation boundaries). Understanding how these relate to each other is essential for setting up TATER correctly.

Key distinction: People vs. Users

A Person is a compliance stakeholder who can be assigned controls and responsibilities — they do not need to log into TATER. A User is an account that authenticates to the platform. Many team members will be both a Person (assigned controls) and a User (able to log in and view results), but they are managed separately.

People (Compliance Contacts)

The People page (navigate to Manage > People) is a directory of your organization's compliance stakeholders — the specific individuals who own, are accountable for, or are involved in compliance activities. This might include your CISO, your security engineers, your IT administrators, your data privacy officer, or key business unit contacts.

Person Record Fields

Field          Description
Name           Full display name of the person
Email          Work email address. Used for notification delivery and to link a Person to a User account when emails match.
Department     Organizational department (e.g., Information Security, IT Operations, Legal)
Title / Role   Job title or compliance role (e.g., CISO, Security Analyst, Data Privacy Officer)
Organization   Which TATER organization this person belongs to. In multi-org environments, a person is scoped to one org.
Notes          Optional free-text notes (availability, escalation path, area of expertise)

Adding a Person

Navigate to People

Open Manage > People from the sidebar. Click Add Person.

Search Entra ID (optional)

If your organization has connected a tenant with Graph API access, click Search Directory to find users in your Entra ID. Select a user; their name, email, and department are pre-populated from the directory data.

Fill in details

Enter the name, email, department, and title. Select the organization this person belongs to if you manage multiple organizations.

Save

Click Save. The person is now available in the Assignments workflow and the People directory.

Assigning Controls to a Person

Control assignments create accountability — they record that a specific person is responsible for addressing a specific compliance finding by a specific date.

Assigning a single control:

  1. Open any failing control's detail panel (from the Controls page or Dashboard failing list).
  2. Click Assign in the control detail panel.
  3. Select a person from the People directory.
  4. Set a due date and add any relevant notes or remediation guidance.
  5. Click Save Assignment. An entry is created in the Assignments container and appears in the assignee's workload view.

Bulk assignment:

  1. On the Scans page, use the checkboxes to select multiple failing controls.
  2. Click Assign Selected in the action bar that appears.
  3. Choose a person and due date that apply to all selected controls.
  4. Click Assign. Individual assignment records are created for each selected control.

Workload View

Each person has a Workload view accessible by clicking their name on the People page. The workload view shows all controls currently assigned to that person across all frameworks and scan types, sorted by due date (most urgent first). This is a useful view for one-on-one meetings with team members to review their open compliance tasks.

People in Multi-Organization Environments

In environments where you manage multiple organizations (common for MSPs), people are scoped to a single organization. A consultant who works across multiple client organizations must be added as a separate Person record in each organization. This ensures that workload views and assignment reports are properly scoped and do not leak information between organizations.

Users (Authenticated Accounts)

Users are accounts that can sign in to the TATER platform. The Registered Users page (navigate to Admin > Registered Users — SuperAdmin only) provides a view of every account that has authenticated to the platform, along with their roles and activity.

Automatic User Registration

TATER registers users automatically on first sign-in. When a user authenticates via Microsoft Entra ID SSO or local password login for the first time, a User record is created in the database containing:

  • The user's Entra Object ID (OID) — the stable identifier used internally
  • User Principal Name (UPN) / email address
  • Display name from Entra ID or the username from local auth
  • Tenant ID from the JWT
  • First seen and last seen timestamps

No manual user provisioning is required. However, you must add the user to an organization (see Organization Members below) before they can access any data beyond the sign-in screen.

Role Hierarchy

TATER uses a five-level role hierarchy. Roles can be granted at two scopes:

  • Global role: Stored in the Users container, applies across all organizations.
  • Organization role: Stored in OrgMemberships, applies only within a specific organization.

Role             Level  Scope   What they can do
SuperAdmin       5      Global  Full access to all organizations, all settings, all admin functions. Can create/delete organizations, promote users to SuperAdmin, and manage the platform globally. Required for initial setup.
ServiceProvider  4      Global  Cross-organization access for assigned client organizations. Primarily used by MSPs to manage multiple client tenants. Can see MSP billing columns in Compliance Roadmaps.
OrgAdmin         3      Org     Full access within their organization. Can manage settings, add/remove members, create and delete all records (scans, overrides, frameworks, API keys, etc.). Formerly referred to as "Admin."
Auditor          2      Org     Read access plus the ability to create evidence comments, add assignments, and generate reports. Cannot modify organizational settings, create API keys, or delete records. Suitable for external auditors or compliance staff who review but do not administer.
Viewer           1      Org     Read-only access to dashboards, scan results, controls, and reports. Cannot create, modify, or delete any records. Suitable for executive stakeholders or board members who need visibility without editing capability.

"Admin" is an alias for OrgAdmin

In older TATER deployments and documentation, you may see the role name "Admin" — this is the same as OrgAdmin (level 3). The platform accepts both role names for backward compatibility.

Setting a Global Role

Global roles (SuperAdmin, ServiceProvider) are set on the Registered Users page (SuperAdmin only). Locate the user in the list and use the role dropdown to promote or demote them. Changes take effect on the user's next API request after their token expires (typically within 1 hour for Entra ID tokens).

Alternatively, use the Setup-SuperAdmin.ps1 PowerShell script to promote a user directly in the Cosmos DB Users container — useful if no existing SuperAdmin account is available:

.\Setup-SuperAdmin.ps1 -UserEmail "admin@yourorg.com"

Cross-Tenant Authentication

In environments where an MSP user's Entra ID account lives in a different tenant than the client organization, TATER performs a cross-tenant membership lookup. When no org membership is found for the authenticating tenant, TATER searches OrgMemberships by email address as a fallback. This allows users to authenticate from their own tenant while accessing a client organization's data in TATER. Because the fallback matches on the email address rather than on the Object ID, double-check the address before adding a member by email: any account that authenticates with that email, from whichever tenant, will resolve to the membership.

Organizations

Organizations are the primary multi-tenancy boundary in TATER. Every piece of data — scans, overrides, controls, people, policies, and GRC records — belongs to exactly one organization. Users can have memberships in multiple organizations and switch between them using the organization selector in the topbar.

Navigate to Admin > Organizations to manage organizations. This page is only accessible to SuperAdmins.

Organization Record Fields

Field                     Description
Name                      Display name for the organization (shown in the topbar and reports)
Org ID                    Auto-generated stable identifier (e.g., org-4be9c038). Used in API calls and in Cosmos DB as the partition key segment.
Description               Optional description (e.g., client name, engagement type)
Contact Email             Primary contact email for the organization
Remediation Enabled       Whether automated remediation is enabled for this org. Must be true before the Remediate button appears on controls.
Remediation Webhook URL   Azure Automation webhook URL that receives remediation trigger events
Predict Unknown           When enabled, Manual Review controls with a defaultCompliance value are shown as Predicted Pass or Predicted Fail on the dashboard

Creating an Organization

Navigate to Organizations

Open Admin > Organizations. Click New Organization.

Enter organization details

Provide the organization name, an optional description, and a contact email. The Org ID is generated automatically — you can optionally specify a custom prefix.

Save the organization

Click Create. The organization is created with no members. You will be prompted to add the first member immediately.

Add members

Add the OrgAdmin user (and any initial team members) using the Members panel. See Adding Members below.

Adding Members to an Organization

Organization membership is managed from the organization's detail panel. Click the organization name on the Organizations page to open its detail panel, then use the Members section.

Members can be added in two ways:

  • By OID (after first login): If the user has already logged in, search by their display name or email. TATER resolves the search against the Registered Users list and adds the membership by Object ID.
  • By email (before first login): Enter the user's email address directly. TATER creates a provisional membership record keyed by email. When the user signs in for the first time, TATER automatically upgrades the provisional record to an OID-keyed membership for efficient future lookups. The user's access takes effect immediately on first sign-in — no further action is needed.
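The following Python model ties together the behaviour described in Automatic User Registration, Role Hierarchy, Cross-Tenant Authentication and the two ways of adding members above: a User record is created from the token claims on first sign-in, a provisional email-keyed membership is upgraded to an OID-keyed one at that moment, the email fallback is used when no OID-keyed membership exists for the authenticating account, the legacy "Admin" alias resolves to OrgAdmin, and an "OrgAdmin role or higher" check compares role levels. It is an added example and not TATER's own code: the Directory class, its method names, the claim names and every sample OID, tenant ID and email address are constructed for illustration, and the global ServiceProvider role is left out because the page does not state how it is applied to a specific client organization.

```python
from datetime import datetime, timezone

# Five-level hierarchy from the Role Hierarchy table, plus the legacy alias.
ROLE_LEVELS = {"Viewer": 1, "Auditor": 2, "OrgAdmin": 3, "ServiceProvider": 4, "SuperAdmin": 5}
ROLE_ALIASES = {"Admin": "OrgAdmin"}  # "Admin" is still accepted for backward compatibility


def role_level(role: str) -> int:
    """Numeric level for a role name, resolving the legacy 'Admin' alias."""
    return ROLE_LEVELS[ROLE_ALIASES.get(role, role)]


class Directory:
    """Hypothetical stand-in for the Users and OrgMemberships containers (not TATER's code)."""

    def __init__(self):
        self.users = {}        # Users container: oid -> record; global roles live here
        self.memberships = []  # OrgMemberships: keyed by oid, or by email while provisional

    # Admin > Organizations > [Org] > Members
    def add_member_by_oid(self, org_id: str, oid: str, role: str) -> None:
        """Used when the user has already signed in and appears in Registered Users."""
        self.memberships.append({"orgId": org_id, "oid": oid, "email": None, "role": role})

    def add_member_by_email(self, org_id: str, email: str, role: str) -> None:
        """Provisional membership for a user who has not signed in yet."""
        self.memberships.append({"orgId": org_id, "oid": None, "email": email, "role": role})

    # Automatic registration on first sign-in
    def sign_in(self, claims: dict) -> dict:
        """claims are decoded token fields (assumed names): oid, tid, preferred_username, name."""
        now = datetime.now(timezone.utc).isoformat()
        user = self.users.get(claims["oid"])
        if user is None:  # first sign-in: the User record is created, no manual provisioning
            user = {
                "oid": claims["oid"],
                "tenantId": claims["tid"],
                "email": claims["preferred_username"],
                "displayName": claims["name"],
                "globalRole": None,
                "firstSeen": now,
                "lastSeen": now,
            }
            self.users[user["oid"]] = user
        user["lastSeen"] = now
        # Upgrade provisional memberships to OID-keyed ones. The match is exact: a record
        # added with a proxy address will not link to a token that carries the UPN.
        for m in self.memberships:
            if m["oid"] is None and m["email"] == user["email"]:
                m["oid"] = user["oid"]
        return user

    def find_membership(self, oid: str, email: str, org_id: str):
        """OID lookup first; the email fallback is what lets a user who authenticates from
        their own tenant (the MSP case) reach a client org they were added to by email."""
        for m in self.memberships:
            if m["orgId"] == org_id and m["oid"] == oid:
                return m
        for m in self.memberships:
            if m["orgId"] == org_id and m["email"] == email:
                return m
        return None

    def effective_level(self, oid: str, org_id: str) -> int:
        """0 means no access beyond the sign-in screen (the empty-dashboard case)."""
        user = self.users.get(oid)
        if user is None:
            return 0
        if user["globalRole"] == "SuperAdmin":  # a global role applies in every organization
            return role_level("SuperAdmin")
        m = self.find_membership(oid, user["email"], org_id)
        return role_level(m["role"]) if m else 0

    def can(self, oid: str, org_id: str, min_role: str) -> bool:
        """'min_role or higher' check, e.g. can(oid, org, "OrgAdmin") for Settings > API Keys."""
        return self.effective_level(oid, org_id) >= role_level(min_role)


if __name__ == "__main__":
    d = Directory()
    d.add_member_by_email("org-4be9c038", "jane@contoso.example", "Admin")  # before first sign-in
    d.sign_in({"oid": "oid-jane", "tid": "tid-contoso", "preferred_username": "jane@contoso.example", "name": "Jane"})
    print(d.memberships[0]["oid"], d.can("oid-jane", "org-4be9c038", "OrgAdmin"))
```

Note the exact-match comparison in sign_in: if the provisional record was added with a proxy address and the user's token carries the UPN, the record is never upgraded, effective_level stays 0, and the user sees the empty dashboard described under Troubleshooting.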

For each member, assign one of the organization-level roles:

Org Role   Appropriate for
OrgAdmin   The person responsible for managing this organization's compliance data in TATER
Auditor    Internal or external auditors who review compliance evidence and generate reports
Viewer     Executives, board members, or stakeholders who need read-only visibility

Organization-Level Settings

Each organization has its own configurable settings, accessible via Settings in the sidebar when an organization is selected. Key organization-scoped settings include:

  • Branding: Company name, logo (dark and light variants), accent color, tagline. Displayed in reports and the application header.
  • Compliance Zones: Which M365 applications are in-scope for this organization (Exchange, SharePoint, Teams, etc.).
  • Scan Schedule: Configure recurring automated scan schedules (requires Azure Automation setup).
  • Remediation: Enable automated remediation and configure the runbook webhook URL.
  • SIEM: Configure syslog or webhook forwarding of audit events.
  • Features: Enable optional features such as Predict the Unknown, AI Analyst, or beta capabilities.

Switching Between Organizations

If you have membership in multiple organizations, the organization selector appears in the topbar next to your user avatar. Click it to open a dropdown listing all your organizations. Selecting an organization switches all data views, filters, and settings to that organization's context. Your role within each organization may differ — for example, you might be OrgAdmin in your internal organization and Auditor in a client organization.

Tip for MSPs

If you manage many client organizations, bookmark the TATER app URL with the ?org= query parameter set to a specific Org ID. This lets you jump directly to a client's organization without using the dropdown selector each time.

MSP Portal

The MSP Portal is an optional feature that elevates the capabilities of an organization's OrgAdmin users to behave more like a ServiceProvider — without requiring a global ServiceProvider role assignment for each individual.

Enabling the MSP Portal

Only SuperAdmins can enable the MSP Portal for an organization:

  1. Open Admin > Organizations.
  2. Click the organization you want to designate as an MSP organization.
  3. Scroll to the MSP Portal section in the detail panel.
  4. Check Enable MSP Portal and click Save.

When the MSP Portal is enabled (isMsp: true on the organization record), users with OrgAdmin or Admin role in that organization gain the following additional capabilities:

  • Compliance Roadmap billing columns: Estimated hours, billing rate, and cost columns become visible in roadmap phase views.
  • White-labeling access: Branding customization options that are normally restricted to SuperAdmin become available, allowing the MSP to apply client-specific branding.
  • Cross-org visibility: OrgAdmin users in the MSP organization can view summary data for client organizations they have been added to as members — without needing a global ServiceProvider role.

Setting Up a Client Organization

For each client you manage, create a separate organization in TATER:

Create the client organization

Navigate to Admin > Organizations and create a new organization with the client's name. Use a clear naming convention such as "Client Name - Production" or "Client Name (CIS M365)".

Add your team members as OrgAdmin or Auditor

Add your MSP staff to the client organization with appropriate roles. OrgAdmin for the consultant who manages the engagement, Auditor for analysts who run reports.

Add client users as Viewer (optional)

If the client should have read-only access to their own compliance data, add their email addresses as Viewer members. They can log in with their Entra ID credentials and see dashboards and reports scoped to their organization.

Configure branding

Set the client's company name and logo in Settings > Branding for the client organization. Reports generated from this organization will display the client's branding, not your MSP's branding.

Import the first scan

Switch to the client organization using the org selector, then import the client's first compliance scan from the Scans page. All data — controls, overrides, assignments, policies — will be scoped to this client organization.

API Keys

API Keys provide programmatic access to the TATER API without using user authentication. They are primarily used by Azure Automation runbooks (for scan upload and remediation callbacks), the TATER Agent (for endpoint scan upload), and the Claude MCP integration.

Creating an API Key

Navigate to API Keys

Open Settings > API Keys. This page requires OrgAdmin role or higher.

Create a new key

Click Create API Key. Enter a descriptive label identifying what this key will be used for (e.g., "Scan-M365Cloud Runbook", "TATER Agent - Production", "MCP Integration").

Copy the key immediately

The full API key is shown only once at creation time. Copy it to a secure location (e.g., Azure Key Vault, your password manager). After closing the dialog, only the first 8 characters (prefix) are shown.

Configure the key in the consuming system

Paste the key into the Azure Automation variable ApiKey, the agent's configuration, or the MCP server settings. The key is sent as the x-api-key request header in all API calls.

API Key Security

API keys in TATER are designed with security in mind:

  • SHA-256 hashed: The full key is never stored in the database — only a SHA-256 hash is persisted. TATER computes the hash of each incoming request's key and compares it against stored hashes.
  • Prefix only after creation: After the initial creation dialog is closed, only the first 8 characters (prefix) are displayed. This lets you identify which key is which without exposing the secret.
  • Per-organization scope: API keys are scoped to the organization in which they were created. A key created for Organization A cannot be used to access Organization B's data.
  • Activity log: All API calls authenticated via API key are recorded in the Activity Log with the key prefix as the actor identifier.

Never commit API keys to source control

Store API keys in Azure Automation variables (with encryption enabled), Azure Key Vault, or a secrets manager. Do not include API keys in runbook scripts, configuration files committed to Git, or any other version-controlled location.

Rotating API Keys

To rotate an API key (recommended at least annually, or immediately if you suspect compromise):

  1. Create a new API key in Settings > API Keys.
  2. Update the key in every system that uses it (Azure Automation variables, agent config, MCP settings).
  3. Verify that each consuming system is working with the new key by checking the Activity Log for successful calls from the new key prefix.
  4. Delete the old key from Settings > API Keys. Deleting the key immediately invalidates it — any system still using the old key will receive 401 Unauthorized responses.

Rotate before deleting

Always create and deploy the new key before deleting the old one. Deleting first will cause an immediate outage for all systems using that key.
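To make the API Key Security properties and the rotation sequence concrete, here is a Python model of a key store that behaves the way this page describes: the plaintext is returned once at creation and only its SHA-256 hash and an 8-character prefix are persisted, requests are authenticated from the x-api-key header (an Authorization header is simply not consulted), a key is bound to the organization it was created in, the prefix is what is written to the activity log, and rotation creates and verifies the replacement before the old key is deleted. This is an added example, not TATER's code: ApiKeyStore, rotate_key, the record layout and the 403 status for a cross-organization key are assumptions; only the 401 for an unknown or deleted key comes from the page. A plain SHA-256 without salt or stretching is appropriate here because the key is a 32-byte random secret rather than a user-chosen password, and hmac.compare_digest keeps the hash comparison constant-time.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 8  # only this much of the key is displayed after creation


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for one deployment's API Keys records (hypothetical, not TATER's code)."""

    def __init__(self):
        self._records = {}      # key_id -> {orgId, label, prefix, hash}; never the plaintext
        self.activity_log = []  # (actor, orgId, outcome); the actor is the key prefix

    def create(self, org_id: str, label: str):
        """Returns (key_id, plaintext). The plaintext is shown once and is not stored."""
        plaintext = secrets.token_urlsafe(32)
        key_id = "key-" + secrets.token_hex(4)
        self._records[key_id] = {
            "orgId": org_id,
            "label": label,
            "prefix": plaintext[:PREFIX_LEN],
            "hash": _sha256_hex(plaintext),
        }
        return key_id, plaintext

    def delete(self, key_id: str) -> None:
        """Deleting invalidates the key immediately: with the hash gone, no request can match."""
        self._records.pop(key_id, None)

    def list_keys(self):
        """What the Settings > API Keys page can show afterwards: label and prefix only."""
        return {kid: (r["label"], r["prefix"]) for kid, r in self._records.items()}

    def authenticate(self, headers: dict, requested_org: str):
        """Returns (http_status, actor). 401 follows the page; 403 for a cross-org key is assumed."""
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        presented = lowered.get("x-api-key")                 # an Authorization header is ignored
        if not presented:
            return 401, None
        digest = _sha256_hex(presented)
        for rec in self._records.values():
            if hmac.compare_digest(rec["hash"], digest):
                actor = rec["prefix"]
                if rec["orgId"] != requested_org:
                    self.activity_log.append((actor, requested_org, "denied: wrong org"))
                    return 403, actor
                self.activity_log.append((actor, requested_org, "ok"))
                return 200, actor
        return 401, None  # unknown, truncated, or deleted key


def rotate_key(store: ApiKeyStore, old_key_id: str, consumer_works):
    """Rotation in the order the page prescribes: create, deploy, verify, then delete the old key.

    consumer_works(new_plaintext) stands in for updating the consuming system and checking the
    Activity Log for a successful call with the new prefix. If it fails, the old key is kept.
    """
    old = store._records[old_key_id]
    new_id, new_plaintext = store.create(old["orgId"], old["label"])
    if not consumer_works(new_plaintext):
        store.delete(new_id)   # roll back; nothing was cut over, so there is no outage
        return None
    store.delete(old_key_id)   # only now does the old key stop working
    return new_id, new_plaintext


if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, plaintext = store.create("org-4be9c038", "Scan-M365Cloud Runbook")
    print("store this in an encrypted Automation variable:", plaintext)
    print(store.authenticate({"x-api-key": plaintext}, "org-4be9c038"))       # (200, prefix)
    print(store.authenticate({"Authorization": plaintext}, "org-4be9c038"))   # (401, None)
    print(store.list_keys())
```

The consumer_works callback is where the runbook, agent or MCP configuration would be updated and a test call made; passing it a callable that checks the Activity Log for the new prefix mirrors step 3 of the rotation procedure. The truncated-key case from Troubleshooting falls out of the hash comparison: a key missing even one character hashes to something else and is rejected with 401.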

Troubleshooting

User signs in but sees an empty dashboard?

The user has authenticated successfully but has no organization membership. A SuperAdmin must add them to an organization via Admin > Organizations > [Org] > Members. You can add them by email before they sign in for the first time, or by searching their display name if they have already authenticated.

User added by email but membership not linking after sign-in?

The email address in the User record must exactly match the email used when the provisional membership was created. Check for typos or differences between the UPN and the alternate email (proxy address). If the email differs, remove the provisional membership and re-add using the user's OID after they have signed in at least once.

MSP billing columns not visible in Roadmap?

Billing columns are shown only to users with the ServiceProvider global role or OrgAdmin role in an organization where the MSP Portal is enabled. Verify the MSP Portal toggle is set in Admin > Organizations > [Org] > MSP Portal (SuperAdmin action). Also confirm the current user has OrgAdmin (not just Auditor) role in the MSP organization.

API key returns 401 even though it was just created?

Confirm the key is being sent in the x-api-key header (not Authorization). Check that the key was copied completely — API keys are long and truncation is a common issue when copying from password managers or terminals. If you cannot verify the full key, create a new one and update all consumers.

Person search from Entra ID returns no results?

Ensure that tenant credentials with Graph API access are configured in Settings > Tenant Credentials, and that the app registration has the User.Read.All permission granted. The graph user search calls GET /graph/users?search={term} — this requires the tenant credentials to be saved and valid. Test by making a manual scan first to confirm Graph API connectivity.
