Admin Path
Six lessons covering the permission model, SSO/provisioning, user/group management, FGAC policies, policy operations, and audit trails — the full cycle of safely operating D.Hub portal.
0/6 complete
About this Path
This Path walks a D.Hub portal administrator through the full operational cycle. From the permission model basics, through external IdP integration, user and group operations, FGAC (Fine-Grained Access Control) policy authoring, policy change operations, and audit trails — six lessons, about 45 minutes total.
Each lesson is sized for 5–10 minutes. The sequence — permissions → users → policies → audit — mirrors the real agenda order during admin onboarding.
Prerequisites
- A D.Hub portal account with Admin role
- Your organization's IdP (e.g. Keycloak · Okta · Azure AD) with OIDC support — used in Lesson 2
- The user manual's Permission model page nearby — this Path focuses on operational flow, leaving the manual for the feature reference role
If you've finished the Essentials Path, the Admin Path lands more smoothly — concepts like permission ceiling click immediately when the five portal surfaces and collection-level work feel familiar.
What you'll be able to do
- Explain the basic rule that Reader / Writer / Owner roles are granted at the collection level, and use the ceiling effect during permission grants.
- Connect an external IdP (OIDC) for SSO and set up auto-provisioning so a user is created on first login.
- Define IdP-group ↔ portal-group mappings and grant permissions in bulk at the group level.
- Author and apply your first FGAC policy combining column masking and row filtering.
- Walk through the operational pattern of change impact verification → staged rollout for policy changes.
- Use the change-history surface (Recents) to audit who · did what · when.
What comes after this Path
If you want more operational depth, two branches.
- Agent Builder Path — When you introduce AI automation, the permission and policy patterns you built here stack directly on top. Admins naturally sit at the safety gate of AI adoption.
- Workshop: refund-approval — Walk the permission · policy · reviewer separation pattern of HITL agents through a real scenario.
The 3 existing tutorials (sso-and-provisioning · permission-model-at-a-glance · column-and-row-masking) feed into Lessons 1, 2, and 4. They stay around as cheat-sheets for specific situations and you'll find yourself returning to them often even after finishing this Path.
Check off each lesson as you finish it — progress is recorded automatically.
Lessons
- 01Permission model at a glance — Role · Collection · FGACAlign D.Hub's three permission layers (Role · collection ceiling · FGAC) on one screen, and nail down the first rule — *permission grants always start from a collection*.7 min
- 02SSO + OIDC provisioningWire an external IdP (Keycloak · Okta · Azure AD) to D.Hub via OIDC and set up auto-provisioning on first login.8 min
- 03User + group management — IdP-group ↔ portal-group mappingDefine IdP-group to portal-group mappings and grant collection permissions in bulk at the group level.7 min
- 04First FGAC policy — column masking + row filteringAuthor and apply your first FGAC policy combining column masking (e.g. salary visible to HR only) and row filtering (e.g. each rep sees their own region) on the same dataset.9 min
- 05Policy operations — change · impact verification · staged rolloutThe operational flow after a FGAC policy goes live — verifying impact, staging rollout by group/collection, and rollback patterns.8 min
- 06Audit trails — resource change history + the Recents screenUse D.Hub's *Recents* screen and per-resource change history to run the *who · what · when* 4-point audit pattern.7 min