The Admin module provides platform-wide configuration, user management, security controls, and integration settings. It is split into two sidebar sections: Admin (admin-only) and Settings (available to all authenticated users).
## Admin Section (Admin-Only)

### Identity and Access

| Page | Path | Description |
|---|---|---|
| User Management | /admin/users | Create, edit, disable, and delete users. Role assignment from RBAC v2 roles (admin, analyst, viewer, manager, security_analyst, scanner_admin, compliance_officer, plus module-specific roles). Seat availability is enforced per license. |
| SSO Config | /admin/sso | Configure SAML/SSO integration with identity providers. Manage SSO entity IDs, assertion consumer URLs, and certificate configuration. |

| Page | Path | Description |
|---|---|---|
| System Settings | /admin/settings | Core platform settings including severity mapping, sync intervals, data retention periods, and display preferences. |
| Feature Toggles | /admin/feature-flags | Enable or disable platform features per tenant (AI, scanning, specific modules). Acts as an operator-level kill switch independent of license gating. |
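The relationship between license gating and the feature toggle kill switch described above, as an added example (not ThreatWeaver's own code): a feature is available only when the license entitles it and the tenant toggle has not explicitly turned it off. The `License` and `FeatureFlags` shapes and the `isFeatureEnabled` function are assumptions for illustration; the page does not specify how the real services represent them.

```typescript
// Added example, not code from the ThreatWeaver project. Type and
// function names are assumptions; the sample data below is constructed.

type Feature = "ai" | "scanning" | "intelligence";

interface License {
  tenantId: string;
  modules: Feature[];   // modules the license entitles
  expiresAt: string;    // ISO-8601 expiry timestamp
}

// Tenant-global toggles: the page notes there are no per-user/per-role flags.
type FeatureFlags = Partial<Record<Feature, boolean>>;

interface Decision {
  enabled: boolean;
  reason: string;
}

function isFeatureEnabled(
  feature: Feature,
  license: License,
  flags: FeatureFlags,
  now: Date = new Date(),
): Decision {
  // 1. License gate: an expired or unentitled module is off no matter what
  //    the toggle says, so a toggle can never grant more than the license.
  if (new Date(license.expiresAt).getTime() <= now.getTime()) {
    return { enabled: false, reason: "license expired" };
  }
  if (!license.modules.includes(feature)) {
    return { enabled: false, reason: "module not licensed" };
  }
  // 2. Operator kill switch: an explicit `false` overrides the license.
  //    A missing flag defaults to enabled so that introducing a new toggle
  //    does not silently switch off a licensed module.
  if (flags[feature] === false) {
    return { enabled: false, reason: "disabled by feature toggle" };
  }
  return { enabled: true, reason: "licensed and toggled on" };
}

// Constructed sample inputs: a license for scanning and AI, with AI
// switched off by an operator toggle.
const sampleLicense: License = {
  tenantId: "tenant-a",
  modules: ["scanning", "ai"],
  expiresAt: "2099-01-01T00:00:00Z",
};
const sampleFlags: FeatureFlags = { ai: false };

// Evaluate every feature for the sample tenant.
function evaluateAll(now: Date = new Date()): Record<Feature, Decision> {
  const features: Feature[] = ["ai", "scanning", "intelligence"];
  const out = {} as Record<Feature, Decision>;
  for (const f of features) {
    out[f] = isFeatureEnabled(f, sampleLicense, sampleFlags, now);
  }
  return out;
}
```

The ordering matters for the security property: checking the license first means a toggle set to `true` for an unlicensed module is still denied, while checking the toggle second means an operator can always switch a licensed module off.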
### Data and Storage

| Page | Path | Description |
|---|---|---|
| Data Retention | /admin/data-retention | Configure automatic cleanup policies for old vulnerabilities, findings, scan results, and audit logs. |
| Data Archives | /admin/archives | Browse and restore archived data snapshots. Archives are created during bulk operations and data retention cleanup. |
### Integrations and APIs

| Page | Path | Description |
|---|---|---|
| API Config | /admin/api-config | Configure the Tenable.io API connection (access key, secret key, cloud URL). Test connectivity. |
| API Sync | /admin/sync | Trigger manual syncs, view sync history, and monitor chunk progress for asset and vulnerability imports. |
| Integrations | /admin/integrations | Configure outbound integrations: Jira, ServiceNow, Slack, Teams, PagerDuty, email (SMTP), and custom webhooks. |
### Security

| Page | Path | Description |
|---|---|---|
| Security Audit | /admin/security | View security audit logs, API access logs, and the event audit trail. Monitor for suspicious activity. |
### Additional Admin Pages

| Page | Path | Description |
|---|---|---|
| Scan History | /admin/scan-history | Historical import management for Tenable scan data. |
| WeaverScan | /admin/scanner | Scanner device management and enrollment token generation. |
| Intelligence | /admin/intelligence | Threat intelligence feed configuration and sync status. |
## Settings Section (All Users)

| Page | Path | Description |
|---|---|---|
| Profile | /settings/profile | Update display name, email, and avatar. |
| Preferences | /settings/preferences | UI preferences: theme, default dashboard, notification settings. |
| Security | /settings/security | Change password, manage MFA, view active sessions. |
| Notifications | /settings/notifications | Configure notification channels and alert thresholds. |
| License | /settings/license | View current license status, modules, seat usage, and expiration. |
| Proxy and Network | /settings/proxy | Configure HTTP proxy settings for outbound API calls. |
## Backend Services

The admin routes (/api/admin, 48 endpoints) integrate with these backend services:

| Service | Purpose |
|---|---|
| settingsService | Reads and writes system settings with validation |
| archiveService | Creates and manages data archives |
| syncService | Orchestrates Tenable.io data synchronization |
| quarantineService | Manages quarantined findings and assets |
| aggregationService | Recomputes KPIs and dashboard metrics on demand |
| rateLimitService | Manages API rate limiting configuration |
| historicalImportService | Imports historical scan data from Tenable |
| licenseService | Validates and decodes JWT license tokens |
| securityAuditService | Logs and queries security audit events |
| eventAuditService | Records admin actions for the compliance audit trail |
## Multi-Tenant Architecture
Admin operations are tenant-scoped. The getTenantRepository utility ensures all database queries are filtered by the current tenant. User creation enforces seat limits via checkSeatAvailability. Role assignment is restricted to the ALLOWED_ROLES list to prevent privilege escalation.
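The three controls named in this section (tenant-scoped repository, seat check, role allow-list) as an added example that is not ThreatWeaver's own code. The names getTenantRepository, checkSeatAvailability and ALLOWED_ROLES come from the page; their signatures, the in-memory store standing in for PostgreSQL, the createUser wrapper, and the assumption that only non-disabled users consume a seat are illustrative choices, not the project's implementation.

```typescript
// Added example, not code from the ThreatWeaver project. Function shapes,
// the in-memory store, and the seat-counting rule are assumptions.

type Role =
  | "admin" | "analyst" | "viewer" | "manager"
  | "security_analyst" | "scanner_admin" | "compliance_officer";

// Allow-list of assignable roles. Anything not in this set is rejected,
// so a request body cannot name an arbitrary or elevated role.
const ALLOWED_ROLES: ReadonlySet<Role> = new Set<Role>([
  "admin", "analyst", "viewer", "manager",
  "security_analyst", "scanner_admin", "compliance_officer",
]);

interface UserRow { id: string; tenantId: string; email: string; role: Role; disabled: boolean }
interface Tenant { id: string; seats: number }

// Constructed in-memory tables standing in for the PostgreSQL database.
const users: UserRow[] = [
  { id: "u1", tenantId: "t1", email: "a@t1.example", role: "admin", disabled: false },
  { id: "u2", tenantId: "t1", email: "b@t1.example", role: "viewer", disabled: true },
  { id: "u3", tenantId: "t2", email: "c@t2.example", role: "admin", disabled: false },
];
const tenants: Record<string, Tenant> = {
  t1: { id: "t1", seats: 2 },
  t2: { id: "t2", seats: 1 },
};

class AdminError extends Error {}

// Every query runs through a repository bound to one tenant id. The id is
// taken from the authenticated session, never from the request, and is
// applied to reads and forced onto writes.
function getTenantRepository(tenantId: string) {
  const mine = () => users.filter((u) => u.tenantId === tenantId);
  return {
    list: () => mine(),
    activeCount: () => mine().filter((u) => !u.disabled).length,
    findById: (id: string) => mine().find((u) => u.id === id) ?? null,
    insert: (row: Omit<UserRow, "tenantId">): UserRow => {
      const created: UserRow = { ...row, tenantId }; // tenant id forced, not trusted
      users.push(created);
      return created;
    },
  };
}

// Seat check (assumption: disabled users do not consume a seat).
function checkSeatAvailability(tenantId: string): boolean {
  const tenant = tenants[tenantId];
  if (!tenant) throw new AdminError(`unknown tenant: ${tenantId}`);
  return getTenantRepository(tenantId).activeCount() < tenant.seats;
}

// Hypothetical admin handler: validates role, then seats, then inserts
// through the tenant-bound repository.
function createUser(sessionTenantId: string, email: string, requestedRole: string): UserRow {
  if (!ALLOWED_ROLES.has(requestedRole as Role)) {
    throw new AdminError(`role not allowed: ${requestedRole}`);
  }
  if (!checkSeatAvailability(sessionTenantId)) {
    throw new AdminError("no seats available for tenant");
  }
  const repo = getTenantRepository(sessionTenantId);
  return repo.insert({
    id: `u${users.length + 1}`,
    email,
    role: requestedRole as Role,
    disabled: false,
  });
}
```

Because the repository closes over the session's tenant id, a lookup for another tenant's user id returns null rather than the row, and an insert cannot be redirected into another tenant even if the request carries a different tenant id.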
## Limitations
- No self-service tenant provisioning -- New tenants must be created by a platform administrator; there is no public sign-up flow
- SSO is SAML-only -- OAuth2 / OIDC federation is not currently supported for SSO; only SAML 2.0 identity providers are integrated
- No built-in backup/restore -- Data archives capture snapshots, but full database backup and restore must be managed at the infrastructure level (PostgreSQL pg_dump)
- Audit log retention -- Audit logs follow the data retention policy; once cleaned, they cannot be recovered from within ThreatWeaver
- Feature flags are tenant-global -- Feature toggles apply to all users within a tenant; per-user or per-role feature flags are not supported
- No MFA enforcement policy -- MFA can be enabled per user but there is no tenant-wide enforcement toggle to require MFA for all accounts
| Entity / Table | Description |
|---|---|
| User | Platform user with role, email, MFA status, and tenant association |
| Role | RBAC v2 role definition with permission sets |
| Setting | Key-value system configuration entries |
| AuditLog | Security and admin action audit trail |
| License | JWT-encoded tenant license with module entitlements |
| Integration | Configured outbound integration (Jira, Slack, webhooks, etc.) |
## Deep Dives
- Integrations Guide -- How to set up Jira, Slack, webhooks, and other outbound integrations