Site settings

From the Site Settings section of the Admin app, you can manage site-wide settings for your Instabase deployment. Site settings are grouped into the following tabs:

Note

You must have site admin privileges to adjust most site settings.

Site permissions

Site-wide permissions can be granted to any user or service account to allow them to take certain actions on the platform that are otherwise reserved for site admins. From the Site permissions tab, site admins can assign specific non-admin users (or all non-admin users within a group) the following permissions:

Setting Description
Access beta apps Grant permission to access beta apps (apps in private or public preview). App access controls set by custom roles in subspaces still apply.
Create groups Grant permission to create new user groups and add themselves to the group.
Execute UDFs Grant permission to run user-defined functions.
Manage encryption Grant permission to set up and configure encryption from the Encryption tab of the Admin app.
Manage file storage Grant permission to manage global drives and file retention policies on the File Storage tab of the Admin app.
Manage flow pipelines Grant permission to set up and configure flow pipelines from the Flow pipelines tab tab of the Admin app.
Manage groups Grant permission to add new groups, and edit, delete, and manage membership of any existing group, even if not an admin of the group. This does not mean that the user is a member of all groups. The user would not receive the permissions associated with all groups; however, they could add themselves as a member to any group.
Manage organization spaces Grant permission to create new organization spaces, and edit, delete, and manage membership of any organization space. Users granted this permission will have access to all data in all organization spaces, acting as a space manager of each.
Manage site configuration Grant permission to configure site-wide settings from the Configuration tab of the Admin app.
Manage users Grant permission to create accounts for new users on the platform from the Users tab of the Admin app, as well as manage authentication for users, including resetting passwords or two-factor authentication.
Use OAuth tokens Grant permission to use OAuth tokens. This setting is visible only if the Restrict OAuth token usage setting is enabled; otherwise, all users can use OAuth tokens by default.
Query all flow jobs Grant permission to query all flow jobs, regardless of who started the job.

Granting and revoking site permissions

To grant site permissions:

  1. From the Admin app, select Site permissions.

  2. Select the Users or Groups tab, based on if you’re granting the permission to a specific user or all users in a group.

  3. Select the search input field for the site permission.

  4. Type the username, service account name, or group name, and select it from the search results.

  5. Click Save.

To revoke site permissions:

  1. From the Admin app, select Site permissions.

  2. Select the Users or Groups tab, based on if you’re revoking the permission from a specific user or all users in a group.

  3. In the site permission field, click the X button next to the name of the user, service account, or group.

  4. Click Save.

App permissions

App permissions can be granted to any user or service account to allow them to take certain actions on the platform that are otherwise reserved for site admins. Some app permissions are categorized by Web or API access, as well as by Read, Write, or Execute permissions. From the App permissions tab, site admins can assign specific non-admin users (or all non-admin users within a group) the following app permissions:

Setting Description
Admin diagnostics Control access and permissions for the Admin Diagnostics app, a toolkit to diagnose system health and performance.
Audit logs Control access and permissions for audit logs, including viewing and exporting audit logs of users’ activity.
Deployment Manager Control access and permissions for Deployment Manager.
Jaeger Tracing Control access and permissions for viewing traces in Jaeger.
Marketplace Admin Control access and permissions for managing Marketplace content.
Metrics Control access and permissions for viewing and exporting metrics about Instabase usage.

Granting and revoking app permissions

To grant app permissions:

  1. From the Admin app, select App permissions.

  2. Select the Users or Groups tab, based on if you’re granting the permission to a specific user or all users in a group.

  3. Select the search input field for the app permission (pay attention to if you’re editing Web-based or API-based access, and Read, Write, or Execute permissions).

  4. Type the username, service account name, or group name, and select it from the search results.

  5. Click Save.

To revoke app permissions:

  1. From the Admin app, select App permissions.

  2. Select the Users or Groups tab, based on if you’re revoking the permission from a specific user or all users in a group.

  3. In the app permission field, click the X button next to the name of the user, service account, or group.

  4. Click Save.

Configuration

Site-wide configuration options are equivalent to environment variables and affect the experience of all users on the Instabase platform. For a typical Instabase setup, the default is to keep these site-wide options disabled.

Tip

To set site-wide configuration options programmatically, use the Site API.

Options

The following configuration options are available:

Setting Description Toggle behavior
Allow all users to execute UDFs Allow all users to run UDFs (standalone or as part of solutions) without restrictions. - Disabled (turned off, default): Only users or groups that are granted site permissions for UDF execution can run flows with UDFs.

- Enabled (turned on): All users on the platform can run UDFs, without restrictions.
Disallow public subspaces When enabled, public users (users who are not logged in) are not allowed access to any public subspaces on the platform. Users must be logged in to view content in public subspaces. This setting does not prevent subspaces from being set as public, but does restrict access.
Note
SaaS deployments do not support public subspaces.
- Disabled (turned off): Access to public subspaces is not restricted; they can be viewed by anyone, even if they are not logged in to Instabase.

- Enabled (turned on): Access to public subspaces is restricted, and users who are not logged in cannot view them even if the subspace is configured as public.
Disallow user spaces Restrict access to user spaces. Only organization spaces can own subspaces, so all subspaces must be created in the context of an organization space. - Disabled (turned off, default): Access to user spaces is not restricted.

- Enabled (turned on): Access to user spaces is restricted. Access is allowed only to organization spaces, and subspaces can be created only in organization spaces.
Require multifactor authentication Require all users to authenticate through multi-factor authentication (MFA) when logging in using a username and password.

The following MFA options are available:

- SMS: Authentication codes are sent by SMS message (text) using Twilio. Some countries restrict receiving SMS messages from Twilio.
Note
SaaS deployments do not support the use of SMS-based MFA. All users logging in through password-based login must use an authenticator app.
- Authenticator app: Authentication is through a two-factor authentication app such as Authy, Duo Mobile, Okta Verify, Google Authenticator, or Microsoft Authenticator.		 - Disabled (turned off): MFA is not required. MFA is disabled by default in non-SaaS deployments.

- Enabled (turned on): MFA is required. MFA is enabled by default in SaaS deployments.
Require Time-based One-time Password (TOTP) Require the use of an authenticator app, such as Authy, Duo Mobile, Okta Verify, Google Authenticator, or Microsoft Authenticator, for MFA. SMS-based MFA is disabled and users see only the option to use an authenticator app providing time-limited one-time passwords (TOTP) or other two-factor authentication. - Disabled (turned off): Users have the option to use an authenticator app or SMS-based MFA. This is the default setting in non-SaaS deployments.

- Enabled (turned on): Only an authenticator app can be used for MFA; SMS-based MFA is not available. This is the default setting in SaaS deployments.
Restrict OAuth token usage Restrict users from creating and using OAuth2 tokens to make API requests. - Disabled (turned off, default): All users are allowed to create tokens and make API requests.

- Enabled (turned on): Users can create tokens or use tokens only when they are explicitly added to an allow list by the site admin. OAuth permissions are assigned through site permissions.
Restrict mounting drives and databases Restrict the ability to mount new drives and databases. - Disabled (turned off, default): All users can mount, unmount, and rename filesystem drives and databases into subspaces they manage.

- Enabled (turned on): Restrict the mounting, unmounting, and renaming of new drives and databases only to site admins.
Restricted file upload extensions Restrict the types of files that can be uploaded, by file extension. - Disabled (turned off, default): All file extensions can be uploaded.

- Enabled (turned on): Specific file extensions can be restricted, by entering the file extension in the input field.

The following configuration options are also available:

  • Model training scripts: Provide the default training scripts for training a model in ML Studio. Editing these settings might be required during .ibformers version or Marketplace upgrades. For details, see the ML Studio dependencies documentation.

  • Active Directory Federation Services configuration: Instabase supports Active Directory Federation Services (AD FS) as an authentication backend to manage access to Instabase. AD FS can be used to authenticate inbound API calls to the Instabase platform for existing users – if the user does not already exist on Instabase, the API call will be denied. For details, see the AD FS section of the authentication documentation.

  • Custom desktop background: Set a custom background for the Instabase desktop.

Service setup

The Service setup section is where you can manage certain site-wide services.

Database table setup is available after some platform version upgrades, as a way to manually migrate database tables. The release notes for the version to which you are upgrading indicate if a database migration is required.

Signup tokens

You can generate signup tokens to allow users to create their own account, rather than being added by a site admin.

Note

SaaS deployments do not support the use of signup tokens. All users must be added manually by a site admin.

To generate signup tokens:

  1. From the Admin app, select Signup tokens.

  2. Click Generate new token.

  3. Define a Token ID and an expiration period, in hours.

  4. Click Create.

  5. Click the Copy button next to the token ID to copy the generated token to your clipboard.

  6. Send the generated token to a user.

  7. The user can then navigate to {Your Instabase URL}/account/register?use_token=true and sign up with the following information:

    • Company email

    • Instabase username

    • Instabase password

    • Generated token

External group mappings

Info

The External group mappings tab is visible only in environments with SAML-based single sign-on (SSO) enabled (the AUTH_TYPE environment variable is set as saml in deployment-api-server).

External group mappings, also known as AD groups, are managed at the site level, across all groups. Only site admins have permissions to update the mappings. Only SAML group mappings are supported.

The group mapping takes the form of (ib_group) -> (saml_group) and mappings have the following behavior restrictions:

  • Each ib_group can map to at most one SAML group.

  • The inverse is not true; the same SAML group can be mapped to multiple ib_group values.

External group mappings grant users group membership, which can be be used to grant access to any assets on the site.

  1. From the Admin app, select External group mappings.

  2. Create, edit, or delete mapping rules as necessary. The interface guides you through selecting valid options. Do not leave any blanks.

  3. Click Save to write your mappings to the database.

Encryption

Encryption keys allow client-side encryption of files. Keys are hosted by key management service (KMS) providers. Only AWS Key Management Service is supported.

From the Encryption tab you can configure your AWS Key Management Service access credentials, add encryption keys, and rotate primary encryption keys. For details, see the encryption documentation.

Licenses

You can add and revoke, assign and unassign, and view usage details for all licenses in the environment from the Licenses tab. For details, see the licensing documentation.

Flow pipelines

You can view, create, and manage flow pipelines from the Flow pipelines tab. For details and to learn more about flow pipelines, see the managing flow reviews documentation.

File storage (SaaS deployments)

The File Storage tab is where you can manage global drives and file retention policies. This tab is available only in SaaS deployments. Only site admins or users with the manage file storage site permission can make changes on the File Storage tab.

Custom global drives

Info

The custom global drives feature is only available in SaaS deployments.

By default, all subspaces have access to the Instabase Drive as a global drive. You can add custom global drives, connected to an external storage provider, to use alongside or in place of the Instabase Drive. Custom global drives are also accessible across all subspaces.

Warning

Only access cloud storage resources designated for use with the Instabase platform from the Instabase platform. Manipulating content within the resource from outside of Instabase can render all file content, such as subspaces and flows, inaccessible.

From the Custom Global Drives section you can:

  • Create a custom global drive

  • Edit the mount details for a global drive

  • Disable a global drive

  • Delete a global drive

  • Disable Instabase Drive

Creating a custom global drive

Custom global drives can be connected to the following storage providers: Azure Blob Storage, Amazon S3 or Google Cloud Storage. After a custom global drive is created, a new mount point for the drive appears in every subspace. While each mount point is in an isolated workspace, all data stored to the custom global drive is stored in the same custom storage.

To create a custom global drive:

  1. From the Admin app, select File Storage.

  2. Click Add Drive.

  3. In the Drive Name field, enter a name for the drive. The drive name must be unique among all mounted drives.

  4. (Optional) In the Description field, provide any details or description about the drive.

  5. From the Client Type field, select a storage provider.

  6. Complete the drive configuration. See the mounting drives documentation for Azure Blob Storage, Amazon S3, or Google Cloud Storage for information on each setting.

  7. Click Mount.

Updating the mount details of a global drive

After creating a custom global drive, you can edit some configuration settings.

To update the mount details of a global drive:

  1. From the Admin app, select File Storage.

  2. In the Custom Global Drives list, locate the drive to update and click the Settings (gear) icon in its row.

  3. Edit settings as needed.

  4. Click Update.

Disabling a global drive

Disabling a global drive removes all user access to the global drive’s mount points, across all subspaces. You can re-enable a disabled global drive at any time and retrieve any retained data.

To disable a global drive:

  1. From the Admin app, select File Storage.

  2. In the Custom Global Drives list, locate the drive to disable and turn off the toggle in the Enabled column.

  3. In the confirmation dialog, click Confirm.

Deleting a global drive

Deleting a global drive removes user access to the global drive’s mount points, across all subspaces. You can re-mount a deleted global drive using the same mount details to retrieve any retained data. If uncertain whether you want to delete a global drive, consider instead disabling it.

To delete a global drive:

  1. From the Admin app, select File Storage.

  2. In the Custom Global Drives list, locate the drive to delete and click the Delete (trash can) icon in its row.

  3. In the confirmation dialog, click Confirm.

Disabling Instabase Drive

After creating a custom global drive, you can optionally disable the Instabase Drive. When the Instabase Drive is disabled, the Instabase Drive mount point is hidden in all subspaces and read and write access to any files stored in the Instabase Drive is disabled.

Note

You can disable the Instabase Drive only when another global drive is enabled.

To disable the Instabase Drive:

  1. From the Admin app, select File Storage.

  2. In the Custom Global Drives list, locate the Instabase Drive and turn off the toggle in the Enabled column.

  3. In the confirmation dialog, click Confirm.

File retention

Info

The file retention feature is available only in SaaS deployments.

By default, all files on the Instabase platform are retained indefinitely. Enabling user-defined file retention rules lets you schedule automatic purging of files stored on the S3-backed Instabase Drive.

The purging process occurs in the background with minimal additional overhead, according to benchmark testing. For example, a test processing 150,000 files took approximately four minutes, with 0.15 cores of CPU usage and no noticeable change to memory usage.

Note

If you need to confirm file deletion after a scheduled file purge, connect with your support team. When a file is deleted in accordance with file retention rules, the log for the deletion event includes the tag [file_governance], such as [file_governance] Deleting <complete file path>. Your support team can provide these logs as needed.

There are some limitations to be aware of when using the file retention feature:

  • User-defined file retention rules can be created only for Instabase-managed storage (the Instabase Drive of every subspace) backed by Amazon S3. Customer-managed storage is not and cannot be affected by these settings.

  • Solutions and flow binaries are excluded from all automatic file purges, regardless of applicable file retention rules.

  • We recommend setting user-defined file retention rules only for production deployments. If you wish to set file retention rules in a non-production deployment, first connect with Instabase support. Configuration guidance from Instabase prevents the risk of creating rules that inadvertently delete files critical to solution development.

From the File Retention section, you can enable and manage user-defined file retention rules. The retention period countdown starts from when the file was last modified.

Setting file retention rules

You can set the following types of file retention rules:

  • Default retention period: The default file retention period for all files on the Instabase Drive, for all users.

  • Custom retention period: A folder-specific file retention period that takes precedence over the default file retention period.

To set the default file retention period:

  1. From the Admin app, select File Storage.

  2. Turn on the Enable user-defined retention rules toggle.

  3. Select a Default Retention Period option.

    1. If selecting Custom, define the file retention period, in days, in the Number of days field.

  4. Click Save.

To set a folder-specific custom file retention period:

  1. From the Admin app, select File Storage.

  2. After setting a default retention period, under Custom Retention Periods, click the + button. A new row in the Custom Retention Periods table is added.

  3. In the row’s Name field, name the custom file retention rule. Rule names must be unique.

  4. Click Select Location and select a folder from the file explorer. The rule applies to all files in the folder (excluding solutions and flow binaries).

    Note

    When setting folder-specific rules, select folders only on the Instabase Drive. You can set one rule per folder.

  5. From the Retention Period field, select a retention period for files in the folder.

    1. If selecting Custom, define the file retention period, in days, in the input field.

  6. Optionally add a description for the rule. Click the caret (^) icon next to the rule’s name, to display the Description field.

  7. Click Save.

Managing file retention rules

To edit, disable, or delete a custom file retention period:

  1. From the Admin app, select File Storage.

  2. In the Custom Retention Periods table, make rule-specific edits from the rule’s row:

    • Edit the rule’s name: Select and edit the Name field.

    • Edit the rule’s description: Click the caret (^) icon to reveal and edit the Description field.

    • Edit the rule’s folder: Click the Edit (pencil) button and select a new folder in the file explorer.

    • Edit the rule’s retention period: Select the Retention Period dropdown and select a new value. Or, edit the custom retention period input field.

    • Disable the rule: Turn off the Enable column toggle.

    • Delete the rule: Select the checkbox in the rule’s row of the table, then click the Delete (trash can) button.

  3. Click Save.

Disabling user-defined file retention rules

To disable user-defined file retention rules:

Note

Disabling user-defined file retention rules also disables any custom file retention rules. Previously scheduled file purges will not occur and the Instabase Drive file retention policy resets to retaining all files. However, if you re-enable user-defined retention rules, all previously configured rules are retained.

  1. From the Admin app, select File Storage.

  2. Turn off the Enable user-defined retention rules toggle.

  3. Click Save.