TATER Manage
Platform admin + agent fleet management. SuperAdmin only. Third sister app to TATER Security and TATER Ops.
What it is
TATER Manage consolidates SuperAdmin functions and adds operational fleet capabilities that don't fit cleanly into Security or Ops: remote command execution on devices, multi-screen viewing, vulnerability inventory. The TATER acronym for this product expands as Tenant Administration, Telemetry & Endpoint Remote-control.
Signing in
Manage is reachable at manage.tatersecurity.com. Sign in with the same Microsoft account used for TATER Security and Ops. The app gates by SuperAdmin role at boot - non-SA accounts see an access-denied card with links back to Security/Ops.
Navigation
Tenant Admin
- Organizations - list of all orgs visible to your session, with role + tenant ID. Edit deep-links to TATER Security.
- Users - registered platform users, global roles, last seen.
- Subscriptions - per-org billing, license limits, MRR; native KPI cards + table with status pills.
- MSP Licensing - MSP partner relationships, tier (T1/T2/T3), seat usage with over-limit warnings.
Audit & Telemetry
- Activity Log - cross-product audit trail; filter by action, channel (the "via" field: web / mcp / copilot / claude / agent / cron / api / ado-webhook), free-text search.
- Usage Analytics - period selector (7/30/90 days), KPIs, Top Pages, Top Orgs.
- MCP Feedback - all MCP feedback submissions; sentiment-coloured cards with ADO link badges.
Connections
- API Keys - single canonical home for API key generation across the entire platform. Per-org, SHA-256 hashed in storage, shown once at creation, revoke immediately stops authentication. Replaces the per-sister-app API key surfaces.
- Integrations - connector cards (ADO, Jira, ServiceNow, Teams, Slack, Webhook) with "Used by" tags. Configuration deep-links to TATER Security or directly to the ADO Sync page.
- Azure DevOps Sync - full configuration form for TATER Ops ↔ ADO bi-directional sync. PAT and webhook secret encrypted at rest, redacted on display.
- Task Notifications - fan-out alerts for new TATER Ops tasks to staff email and a Microsoft Teams channel. Per-channel triggers (agent / MCP / web / public intake). Microsoft Teams uses a Power Automate Workflow webhook (the classic Incoming Webhook connector was retired in Oct 2025). See the dedicated Task Notifications Setup guide for the Workflow steps and the Power Platform DLP workaround that some tenants need.
Workspace (Overview module)
- Calendar - unified GRC timeline (audits, override expirations, BCP/DR test windows, training due dates) across all orgs. Consolidated from earlier per-sister-app placement.
- TATER Tips - bite-sized tips library covering every TATER capability. The shared login popup on Ops, Manage, and My TATER pulls a random tip on every session (TATER Security has its own bespoke tip popup).
- Release Notes (Help module) - consolidated change log for all five sister apps + the agent. Bump TATER_PLATFORM_VERSION in _app_version.js and add an entry to _release_notes.json every release. Merges the new unified-version history with 167 legacy TATER_VERSIONS entries from before unification so the full history is visible in one place.
Knowledge
- Policies / Documentation / TATERpedia - inline editing of the same records shared with TATER Security and TATER Ops.
- Branded Documents - generate polished, co-branded Word deliverables (Technician Quick Start handout, training session agenda) built from the org's ACTUAL configuration: live categories, priorities, statuses, teams, and Service Catalog items, styled with the client's branding alongside TATER. Each generation also saves a markdown rendition to Business Documentation. MCP agents produce the same documents via generate_branded_document. Regenerate after config changes: content is assembled at generation time.
Tenant Administration (Clients)
- Clients - MSP partner client roster with tier, effective role, user/seat ratio, engagement status. Consolidated from earlier TATER Security "MSP Management" placement.
- MSP Licensing - seat allocation and tier access for MSP clients (T1 Monitor / T2 Operate / T3 Manage).
Endpoint Fleet
- Devices - every TATER agent reporting in; filter by OS, search by hostname.
- Agent Deployment - current version, download links for all platforms.
- Agent Versions - per-platform binary metadata with SHA256.
Remote Operations (Phase 2-4)
- Remote Commands (per-device "▶ Run" button on Devices page) - queue PowerShell or bash scripts targeted at a specific hostname. Choose SYSTEM (default service context) or logged-in user. Live status modal polls every 2.5s, captures stdout/stderr.
- Multi-Screen - thumbnail grid of device screenshots (when capture is enabled in agent config). Click any thumbnail to zoom.
- Vulnerabilities - fleet exposure summary with CISA Known Exploited Vulnerabilities (KEV) correlation. Click any device row to see Known Exposures + full software inventory.
Agent communication channels
The TATER Go agent runs as a system service and talks to four API surfaces:
- Scans - endpoint compliance posture (existing)
- Evidence - browser/PS evidence collection (existing)
- Commands - Phase 2: poll for queued scripts, execute, report status
- Vulnerabilities - Phase 4: weekly software inventory upload for KEV correlation
- Screens - Phase 3 (API live, agent capture pending) - periodic screenshot upload
All use the same X-Api-Key auth bound to a per-org API key configured during agent installation. Agent API keys are org-bound - an agent for org A cannot read or mutate commands/screens/inventory belonging to org B even within the same tenant.
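The API key lifecycle described under Connections (SHA-256 digest in storage, plaintext shown once, revoke stops authentication immediately) combined with the org-bound check above, as an added example that is not TATER's own code; the store shape, key format and header handling are assumptions for illustration.

```typescript
// Added example, not TATER's own code: per-org API keys as the page describes
// them (SHA-256 digest stored, plaintext shown once, revoke is immediate) plus
// the org-bound check so an org-A key never resolves to org-B resources.
// Store shape, key format and header handling are assumptions for illustration.
import { createHash, randomBytes } from "crypto";

interface ApiKeyRecord {
  keyId: string;    // public identifier, safe to log and to revoke by
  orgId: string;    // org the key is bound to at creation
  revoked: boolean;
}

// Keyed by SHA-256 hex digest of the plaintext; the plaintext is never stored.
const keyStore = new Map<string, ApiKeyRecord>();

function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// Returns the plaintext exactly once; only its digest is persisted.
function createApiKey(orgId: string): { keyId: string; plaintext: string } {
  const keyId = "tk_" + randomBytes(4).toString("hex");
  const plaintext = keyId + "." + randomBytes(24).toString("hex"); // 192 bits of entropy
  keyStore.set(sha256Hex(plaintext), { keyId, orgId, revoked: false });
  return { keyId, plaintext };
}

// Revocation flips the flag in place, so the next lookup fails immediately.
function revokeApiKey(keyId: string): boolean {
  for (const rec of keyStore.values()) {
    if (rec.keyId === keyId) { rec.revoked = true; return true; }
  }
  return false;
}

// Resolve an X-Api-Key header to the org it is bound to, or null if unknown/revoked.
function authenticate(headers: Record<string, string>): string | null {
  const presented = headers["x-api-key"];
  if (!presented) return null;
  const rec = keyStore.get(sha256Hex(presented));
  return rec && !rec.revoked ? rec.orgId : null;
}

// Org-bound authorization: the resource's org must equal the key's org.
function canAccess(headers: Record<string, string>, resourceOrgId: string): boolean {
  const orgId = authenticate(headers);
  return orgId !== null && orgId === resourceOrgId;
}
```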
Auto-Provisioning Entra users
By default, when a user authenticates via Microsoft Entra to any TATER app and has no existing OrgMembership, they hit a 403 Forbidden on every API call. That's the explicit allowlist model - safe for multi-tenant data, but high-friction for an org that just wants every employee to be able to file a self-service ticket or see their personal dashboard.
Auto-provisioning solves this: when an Entra user signs in with a token whose tid claim matches the org's configured Entra tenant, TATER silently creates an OrgMembership at a configured role - typically Viewer. The user lands as a basic-rights member with zero per-user admin work.
Configuring on an organization
TATER Manage → Tenant Administration → Organizations → pick an org → click ⚙ Features. The Org Features modal exposes two fields:
- Default role for new sign-ins: dropdown with Off / Viewer / Auditor / OrgAdmin. New orgs created after 2026-06-05 default to Viewer. SuperAdmin can NEVER be auto-assigned - that would be a privilege escalation vector.
- Entra tenant id: the token tid claim that must match for auto-provisioning to fire. Defaults to the org's home Cosmos partition tenantId (almost always what you want; most orgs are 1:1 with an Entra tenant).
What gets enforced
- Only fires when memberships.length === 0 - existing users keep their explicit role.
- Only fires when token tid matches the org's entraTenantId - outside-tenant guests and federated users still get 403.
- Skips orgs marked suspended / cancelled / archived.
- If multiple active orgs in the user's tenant have auto-provision configured, the match is ambiguous and the user gets 403 anyway - admin must assign explicitly.
- Auto-provisioned memberships are tagged autoProvisioned: true for audit trail visibility.
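The enforcement rules above as one decision function, added here as an example that is not TATER's own code; the org, token and membership shapes and the sample fleet are assumptions constructed for illustration.

```typescript
// Added example, not TATER's own code: the auto-provisioning decision exactly as
// the enforcement rules above describe it. The org, token and membership shapes
// are assumptions for illustration; SuperAdmin is deliberately absent from AutoRole.
type AutoRole = "Off" | "Viewer" | "Auditor" | "OrgAdmin";

interface Org {
  orgId: string;
  status: "active" | "suspended" | "cancelled" | "archived";
  entraTenantId: string;       // defaults to the org's home tenantId
  autoProvisionRole: AutoRole; // "Off" disables auto-provisioning
}
interface Membership { orgId: string; userId: string; role: string; autoProvisioned?: boolean }
interface EntraToken { oid: string; tid: string } // user object id, tenant id

type Decision =
  | { outcome: "existing"; memberships: Membership[] }
  | { outcome: "provisioned"; membership: Membership }
  | { outcome: "forbidden"; reason: string }; // caller answers 403

function resolveMembership(token: EntraToken, memberships: Membership[], orgs: Org[]): Decision {
  // Rule 1: only fires when the user has no membership at all; explicit roles win.
  if (memberships.length > 0) return { outcome: "existing", memberships };

  // Rules 2 and 3: tid must match entraTenantId, org must not be suspended /
  // cancelled / archived, and a default role must actually be configured.
  const candidates = orgs.filter(o =>
    o.status === "active" && o.entraTenantId === token.tid && o.autoProvisionRole !== "Off");

  if (candidates.length === 0) return { outcome: "forbidden", reason: "no auto-provisioning org matches tid " + token.tid };
  // Rule 4: more than one match is ambiguous; an admin must assign explicitly.
  if (candidates.length > 1) return { outcome: "forbidden", reason: "ambiguous: " + candidates.length + " orgs match tid " + token.tid };

  // Rule 5: tag the membership so the audit trail shows it was not admin-assigned.
  const org = candidates[0];
  return { outcome: "provisioned", membership: { orgId: org.orgId, userId: token.oid, role: org.autoProvisionRole, autoProvisioned: true } };
}

// Constructed sample fleet: one clean match (T1), an Off org (T2), an ambiguous tenant (T3).
const sampleOrgs: Org[] = [
  { orgId: "org-A", status: "active",    entraTenantId: "T1", autoProvisionRole: "Viewer" },
  { orgId: "org-B", status: "suspended", entraTenantId: "T1", autoProvisionRole: "OrgAdmin" },
  { orgId: "org-C", status: "active",    entraTenantId: "T2", autoProvisionRole: "Off" },
  { orgId: "org-D", status: "active",    entraTenantId: "T3", autoProvisionRole: "Auditor" },
  { orgId: "org-E", status: "active",    entraTenantId: "T3", autoProvisionRole: "Viewer" },
];
```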
Org listing column
The Organizations table includes an Auto-Provision column showing ● Viewer / ● Auditor / ● OrgAdmin as a green pill when configured, or ○ Off as a grey pill when disabled, giving a quick glance across the fleet.
When to disable
Two scenarios:
- Sovereign / FedRAMP / IL5 deployments where every user must be explicitly enrolled by an administrator (no implicit access).
- Shared MSP tenants where the same Entra tenant hosts multiple client orgs and auto-routing-by-tenant would be ambiguous.
For everyone else (the typical "one company, one tenant" setup), leave it on Viewer. That's the entry surface for My TATER, Self-Service tickets, and dashboard read access.
Security model
- SuperAdmin gate at the app level (boot-time access-denied for non-SA)
- Every action audit-logged with via: 'web' attribution to distinguish from MCP/agent activity
- ADO PAT and webhook secret encrypted at rest via existing AES-256-GCM encryption.ts with ENCRYPTION_KEY env var; redacted to '[REDACTED]' on GET responses
- Remote commands have script size cap (100KB), timeout cap (5–3600s), output cap (64KB stdout / 16KB stderr); 90-day TTL on command records
- Screen captures: 350KB cap per upload, one document per device (overwrites prior), 24h TTL
- Vuln inventory: 1.5MB cap per upload, 4500-package cap, 30-day TTL
Direct URL
Bookmark manage.tatersecurity.com. Also reachable at app.tatersecurity.com/manage.html.