
“Inside permissions only” is one of Teeem AI’s core promises. This page explains how the permission model actually combines on every request.

Four layers, in order

1. User identity

Establish who sent the request.
  • Slack — users:read on the bot token resolves the sender → mapped to your tenant
  • Web chat — JWT token verification (HMAC-SHA256, 8-hour expiry)
  • KakaoTalk — sender identified via the bridge
  • Teams — Microsoft auth token
  • REST webhook — Authorization: Bearer <webhook-token>
With SSO enabled, SAML/OIDC pulls user groups and departments from your IdP automatically.
2. RBAC — six tiers

Roles define which tools and which data the user can reach.
platform_admin  ▶  enterprise_admin  ▶  team_admin
                                    ▶  power_user
                                    ▶  user
                                    ▶  viewer
Role              Highlights
platform_admin    All-tenant management (FlowOS ops only)
enterprise_admin  All settings, users, compliance for the org
team_admin        Team-level user / channel / app management
power_user        All tools, partial settings view
user              Chat, manage own OAuth
viewer            Read-only (dashboard)
Change roles in Users → Role. With SSO on, IdP group mapping assigns roles automatically.
3. ABAC — data classification matching

Data carries a class. The user’s role determines whether the class is reachable.
public  →  internal  →  confidential  →  secret
Sample policy:
Class         Who can read
public        Everyone
internal      user and above
confidential  team_admin and above
secret        enterprise_admin only
KB document sensitivity (public/private), App Pack models, and ERP-connector revenue/HR data all flow through this same hierarchy.
4. Channel ACL + tool approval gates

Even with data access, what you do with it is checked again.
  • Channel ACL — Is the sender a member of the destination channel?
  • External-send gate — Mail, SMS, external messages may need approval
  • Payment gate — Tools like Toss payments are role-gated separately
  • Bulk-download gate — Above N records, an approval is required
  • IP allowlist — Block requests from outside the corporate network (when enabled)
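The following is an added worked example, not Teeem AI's own code, showing how layers 1 to 3 compose on a web-chat request: an HS256 JWT is verified (signature, pinned algorithm, 8-hour lifetime), the sender's IdP groups are mapped to the highest matching role, and that role is compared with the minimum role for the requested data class. The role ordering, the reading of "secret: enterprise_admin only" as enterprise_admin and above, the group-to-role table, the `groups` claim in the token and all names such as `verify_jwt` and `handle_request` are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Role tiers, lowest to highest. The page shows platform_admin above
# enterprise_admin above team_admin, with power_user, user and viewer below;
# the order of those three here follows the ABAC sample ("user and above").
ROLE_RANK = {"viewer": 0, "user": 1, "power_user": 2, "team_admin": 3,
             "enterprise_admin": 4, "platform_admin": 5}

# Sample ABAC policy from the page as "lowest role that may read the class".
# "secret: enterprise_admin only" is treated as enterprise_admin and above (assumption).
CLASS_MIN_ROLE = {"public": "viewer", "internal": "user",
                  "confidential": "team_admin", "secret": "enterprise_admin"}

# IdP group -> role, taken from the page's SSO mapping table.
IDP_GROUP_ROLE = {"Engineering-Leads": "team_admin", "Sales-All": "power_user",
                  "Contractors": "user", "Finance-Admin": "enterprise_admin"}

MAX_LIFETIME = 8 * 3600  # web-chat JWTs are valid for at most 8 hours


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, secret):
    """Mint an HS256 token. Only used here to construct sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, secret, now=None):
    """Layer 1 (web chat): return the claims only if signature, alg and expiry all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None                       # check the MAC before parsing any JSON
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:                        # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":          # pinned algorithm; "none" is rejected
        return None
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        return None
    if exp <= now or exp - iat > MAX_LIFETIME:
        return None
    return claims


def role_from_groups(groups):
    """SSO auto-provisioning: a user in several mapped groups gets the highest role."""
    roles = [IDP_GROUP_ROLE[g] for g in groups if g in IDP_GROUP_ROLE]
    return max(roles, key=ROLE_RANK.__getitem__, default="viewer")


def check_data_access(role, data_class):
    """Layers 2 and 3: compare the RBAC tier with the class's minimum role."""
    needed = CLASS_MIN_ROLE[data_class]
    if ROLE_RANK[role] >= ROLE_RANK[needed]:
        return {"result": "allow", "required": needed, "actual": role}
    return {"result": "deny", "required": needed, "actual": role,
            "reason": f"That data is `{data_class}`. Your current role (`{role}`) "
                      "cannot access it. Please contact your enterprise_admin."}


def handle_request(token, secret, data_class, now=None):
    """Run the layers in order; the first one that fails decides the answer."""
    claims = verify_jwt(token, secret, now)
    if claims is None:
        return {"result": "deny", "reason": "identity could not be established"}
    role = role_from_groups(claims.get("groups", []))   # `groups` claim is an assumption
    return check_data_access(role, data_class)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"           # constructed; not a real key
    token = issue_jwt({"sub": "kim@co.com", "groups": ["Engineering-Leads"],
                       "iat": 1000, "exp": 1000 + 3600}, secret)
    print(handle_request(token, secret, "secret", now=2000))
    print(handle_request(token, secret, "confidential", now=2000))
```

The identity layer is deliberately the strictest part: the MAC is compared in constant time before any JSON is parsed, the algorithm is pinned to HS256 so a header claiming `none` or another algorithm is rejected, and a token whose `exp - iat` exceeds eight hours is refused even if it has not yet expired. Every later layer trusts the role derived here, so a weakness at this point would undermine the RBAC and ABAC checks that follow.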

What permission denial looks like

When access is denied, the user gets an actionable explanation.
User: "@Teeem show me executive bonus data"
Teeem AI: "That data is `secret`. Your current role (`team_admin`)
          cannot access it. Please contact your enterprise_admin."

Per-tool policy (example)

In Operations → Tool Policy, enable, disable, or gate each tool.
tools:
  send_email:           require_approval     # manager OK needed
  exec:                 disabled              # shell off
  app_create:           allow                 # auto-execute
  manage_website:       team_admin_only       # role-restricted
  douzone_create_voucher: enterprise_admin_only  # finance-tool restriction
Settings apply immediately, no code change required. Tools that touch the employee’s own Gmail / OneDrive / Calendar need a separate OAuth link.
  • First use prompts an OAuthLinkCard in the chat
  • Tokens are stored encrypted, scoped to that user (no other employee can use them)
  • Auto-refresh near expiry; on failure, a re-link prompt
  • Disconnecting calls Google / Microsoft revoke endpoints — instant invalidation
Org-level shared Drive folders (e.g. company announcements) are accessed via a service account so every employee can reach them within their permissions.
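As an added example (not Teeem AI's code), the block below reads the tool-policy snippet above with a small stdlib parser and applies it as the layer-4 gate together with the channel ACL and the bulk-download check. Settings it does not recognise, and tools it has no entry for, fail closed. Treating `<role>_only` as that role and above, the `BULK_LIMIT` value, the shape of the `call` dict and names such as `parse_tool_policy` and `evaluate_tool_call` are assumptions for this example.

```python
import re

# Copied from the page's Operations -> Tool Policy example; embedded so the
# block runs offline.
TOOL_POLICY_YAML = """\
tools:
  send_email:           require_approval     # manager OK needed
  exec:                 disabled              # shell off
  app_create:           allow                 # auto-execute
  manage_website:       team_admin_only       # role-restricted
  douzone_create_voucher: enterprise_admin_only  # finance-tool restriction
"""

ROLE_RANK = {"viewer": 0, "user": 1, "power_user": 2, "team_admin": 3,
             "enterprise_admin": 4, "platform_admin": 5}

BULK_LIMIT = 500  # the page says "above N records"; N is a constructed value here


def parse_tool_policy(text):
    """Read the flat `tools:` mapping without a YAML library; comments are dropped."""
    policy, in_tools = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level key
            in_tools = line.strip() == "tools:"
            continue
        if in_tools:
            name, _, setting = line.strip().partition(":")
            policy[name.strip()] = setting.strip()
    return policy


def decide_tool(policy, tool, role):
    """Per-tool gate. Unknown tools and unrecognised settings fail closed.
    `<role>_only` is read as that role and above (assumption)."""
    setting = policy.get(tool, "disabled")
    if setting in ("allow", "require_approval"):
        return setting
    m = re.fullmatch(r"([a-z_]+)_only", setting)
    if m and m.group(1) in ROLE_RANK:
        return "allow" if ROLE_RANK[role] >= ROLE_RANK[m.group(1)] else "deny"
    return "deny"                                # "disabled" and anything else


def evaluate_tool_call(policy, call, role):
    """Layer 4 in full: channel ACL, then per-tool policy, then the bulk-download gate."""
    if call["sender"] not in call["channel_members"]:
        return "deny"                            # not a member of the destination channel
    decision = decide_tool(policy, call["tool"], role)
    if decision == "allow" and call.get("records", 0) > BULK_LIMIT:
        return "require_approval"                # large exports need a human approver
    return decision


if __name__ == "__main__":
    policy = parse_tool_policy(TOOL_POLICY_YAML)
    call = {"tool": "send_email", "sender": "park@co.com",
            "channel_members": {"park@co.com", "manager@co.com"}}   # constructed
    print(policy)
    print(evaluate_tool_call(policy, call, "user"))
```

Note the fail-closed defaults: a typo in a setting (say `alow`) or a tool that was never added to the policy is denied rather than silently allowed, which is the behaviour you want from a gate that sits after data access has already been granted.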

Audit trail

All permission decisions land in the audit log.
{"action":"rbac.check","actor":"kim@co.com","resource":"sales.q1","required":"team_admin","actual":"power_user","result":"deny"}
{"action":"abac.check","actor":"lee@co.com","data_class":"confidential","resource_id":"doc-123","result":"allow"}
{"action":"approval.requested","actor":"park@co.com","tool":"send_email","approver":"manager@co.com"}
{"action":"approval.granted","approver":"manager@co.com","ts":"..."}
Regulatory audits and internal reviews can trace which requests were denied and why, without gaps.
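The block below is an added example (not part of Teeem AI's product) of the reviewer-side reading of this log: it parses the records above as JSON lines, lists every denied rbac/abac decision with the fields an auditor needs, counts denials per actor, and reports approval requests that never received a grant. Two lines are constructed and added to the page's four (one more denial and one malformed line) so the skip path is exercised. Matching a grant to its request by approver is an assumption, since the granted record on the page carries only `approver` and `ts`.

```python
import json
from collections import Counter

# The four records from the page plus two constructed lines: one more denial and
# one malformed line, so the reader's skip path is exercised.
AUDIT_LINES = [
    '{"action":"rbac.check","actor":"kim@co.com","resource":"sales.q1","required":"team_admin","actual":"power_user","result":"deny"}',
    '{"action":"abac.check","actor":"lee@co.com","data_class":"confidential","resource_id":"doc-123","result":"allow"}',
    '{"action":"approval.requested","actor":"park@co.com","tool":"send_email","approver":"manager@co.com"}',
    '{"action":"approval.granted","approver":"manager@co.com","ts":"..."}',
    '{"action":"abac.check","actor":"kim@co.com","data_class":"secret","resource_id":"doc-777","result":"deny"}',  # constructed
    'not json at all',                                                                                             # constructed
]


def parse_audit(lines):
    """Return (events, skipped): events are dicts with an `action` key, skipped counts the rest."""
    events, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        if isinstance(rec, dict) and "action" in rec:
            events.append(rec)
        else:
            skipped += 1
    return events, skipped


def denials(events):
    """Every rbac/abac decision that ended in deny, with the fields an auditor needs."""
    out = []
    for e in events:
        if e["action"] in ("rbac.check", "abac.check") and e.get("result") == "deny":
            out.append({"actor": e.get("actor"),
                        "resource": e.get("resource") or e.get("resource_id"),
                        "required": e.get("required"), "actual": e.get("actual"),
                        "data_class": e.get("data_class")})
    return out


def denials_by_actor(events):
    """Repeated denials for one actor are worth a look: misassigned role or probing."""
    return Counter(d["actor"] for d in denials(events))


def pending_approvals(events):
    """approval.requested records with no later approval.granted from the same approver.
    Matching by approver, in order of appearance, is an assumption."""
    pending = []
    for e in events:
        if e["action"] == "approval.requested":
            pending.append(e)
        elif e["action"] == "approval.granted":
            for i, req in enumerate(pending):
                if req.get("approver") == e.get("approver"):
                    del pending[i]
                    break
    return pending


if __name__ == "__main__":
    events, skipped = parse_audit(AUDIT_LINES)
    print(f"{len(events)} events, {skipped} skipped")
    for d in denials(events):
        print("DENY", d)
    print("denials by actor:", dict(denials_by_actor(events)))
    print("pending approvals:", pending_approvals(events))
```

Because the records are one JSON object per line, the same functions can be pointed at an exported log file with `parse_audit(open(path))`; the skipped count is itself a useful signal, since a log that should be complete for a regulatory review should parse without gaps.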

SSO and auto-provisioning

Larger organisations map IdP group membership directly to roles.
IdP group          Teeem AI role     Data class reachable
Engineering-Leads  team_admin        confidential
Sales-All          power_user        internal
Contractors        user              public
Finance-Admin      enterprise_admin  secret
When an employee is disabled in the IdP, Teeem AI access is revoked immediately (SCIM auto-sync).

Next

Full security overview

PII, encryption, audit, compliance on a single page.

Manage roles in the admin console

Assign roles, change data classes, edit tool policy.