Administration
Where system administrators manage users, access, settings, and integrations — and which page answers which task.
This section is for the system administrator of an ObjectOS deployment: the person who onboards users, grants access, wires up sign-in, email, storage, and integrations, and keeps the system healthy. You manage people and their permissions day to day; the applications, objects, and permission sets themselves ship with the platform and the app packages you install.
Permissions are designed in Studio, assigned in Setup. Most administration never leaves Setup — you enter Studio only to author permission sets or to run the explain engine.
The Setup console
The built-in administration console lives at /apps/setup and
requires the setup.access permission. Its left-hand navigation is
contributed at runtime by the capability plugins that are loaded, so the
menu you see reflects exactly what your deployment runs — a disabled
capability contributes nothing and its group stays empty.
The stable navigation groups:
| Group | What you find there |
|---|---|
| Overview | System Overview dashboard |
| People & Organization | Users, Business Units, Teams, Organizations, Invitations |
| Access Control | Positions, Permission Sets, Sharing Rules, Record Shares, API Keys |
| Approvals | Approval processes (when the approvals plugin is loaded) |
| Configuration | All Settings, Branding, Authentication, Email, File Storage, AI & Embedder, Knowledge, Feature Flags |
| Diagnostics | Sessions, Notification Events, Audit Logs |
| Integrations | Webhooks |
| Advanced | OAuth Applications, Signing Keys (JWKS), Identity Links, User Preferences |
Task map
| I need to… | Read |
|---|---|
| Add users, build the org tree, manage teams | Users & Organization |
| Onboard, offboard, or change someone's access | Managing Access |
| Understand the whole access model | Permissions |
| Configure sign-in, OAuth, SSO, 2FA | Authentication |
| Change runtime and tenant settings | System Settings |
| Set up transactional email delivery | |
| Configure file storage (S3, local disk) | Storage |
| Connect external business databases | Data Sources |
| Use the REST API and API keys | API Access |
| Deliver outbound webhooks | Webhooks |
| Configure AI providers, embedders, RAG | AI Service |
| Connect Claude or another MCP client | Connect AI Tools (MCP) |
| Configure artifact loading, database, cache | Runtime Configuration |
| Plan backups and disaster recovery | Backup |
| Upgrade or roll back safely | Upgrade |
| Harden for production | Production Readiness |
| Read logs, metrics, and audit trails | Observability |
| Diagnose a broken deployment | Troubleshooting |
Where to go next
| Task | Page |
|---|---|
| Your first admin task: add people and structure | Users & Organization |
| Give a new hire access | Managing Access |
| Learn the layered access model | Permissions |
| Pre-production checklist | Production Readiness |