Configuration

This section documents the decisions an administrator makes for their tenant. It is the surface you'll spend time in at onboarding, then revisit periodically as your organization's requirements evolve.

What an administrator configures

• Tenant setup — organization profile, subdomain, administrative roles, baseline retention.
• Identity — identity provider integration (OIDC or SAML), attribute mapping, role assignment, session controls.
• Tag schema — the classifications your organization recognizes, their permitted values, and review gating for sensitive combinations.
• Policy workflow — staging, review, and publication rules for policy changes.
• Encryption profiles — the KMS backends, algorithm selection per classification, rotation schedules, and post-quantum transition configuration.
• Connectors — per-integration authorization, discovery scope, classification behavior, and egress policies.
• Audit and retention — ledger retention, evidence export, event streaming destinations.

Each page covers what the setting does, what the defaults are, what to think about when deciding, and how the setting interacts with others.

Configuration layers

Think of tenant configuration in three layers:

Baseline. The settings that rarely change: subdomain, identity provider, key management backend, the core tag schema. These are set at onboarding and revisited only when something material changes in the organization.

Ongoing. The settings that evolve with business activity: policies, connector configurations, tag schema additions. These change as new workflows are added and new data sources are brought under protection.

Operational. The settings that respond to events: key rotations, emergency revocations, evidence exports. These happen in response to specific triggers — compliance windows, incident response, scheduled cycles.

Who touches what

A typical role distribution:

• The tenant owner sets baseline configuration and is consulted on any material baseline change.
• Security administrators own ongoing and operational configuration.
• Data stewards own the tag schema and classification oversight.
• Compliance officers interact primarily with audit, retention, and evidence export.
• Members consume the results — they do not configure.

This distribution is a starting point. Smaller organizations combine roles; larger ones may further decompose (for example, a dedicated key management administrator).