Tutorial: Platform Administration

In this tutorial, you will use the MATIH Control Plane UI to perform core administration tasks: managing tenants, creating users, assigning roles, monitoring platform health, and configuring system settings.

What You Will Learn

How to navigate the Control Plane UI and understand its sections
How to create and manage tenant organizations
How to create users and assign roles with appropriate permissions
How to monitor platform health and resource usage
How to configure system-wide settings and feature flags
How to review audit logs for security and compliance

Prerequisites

Requirement	How to Verify
MATIH platform running	`./scripts/tools/platform-status.sh` returns healthy
Control Plane services operational	IAM, tenant, and config services healthy
Platform administrator account	Super admin credentials available

Step 1: Open the Control Plane UI

Navigate to the Control Plane UI:

Local development: http://localhost:3004
Cloud deployment: https://admin.matih.ai

Log in with your platform administrator credentials. The Control Plane dashboard shows a high-level overview of the platform.

Step 2: Explore the Dashboard

The admin dashboard provides a platform-wide overview:

Platform Health

Indicator	Description
Service Status	Green/yellow/red status for each service
Active Tenants	Number of provisioned and active tenants
Total Users	Platform-wide user count
API Request Volume	Requests per minute across all services
Error Rate	Percentage of failed requests

Quick Stats

Metric	Example Value
Active tenants	3
Total users	47
Active sessions	12
Services healthy	24/24
Uptime (30 days)	99.97%

Step 3: Manage Tenants

Viewing Tenants

Click Tenants in the sidebar navigation.
The tenant list shows all provisioned tenants:

Tenant	Slug	Plan	Status	Users	Created
ACME Corporation	acme-corp	Enterprise	Active	25	Jan 15, 2026
Globex Inc	globex	Professional	Active	15	Jan 22, 2026
Initech	initech	Starter	Suspended	7	Feb 1, 2026

Creating a New Tenant

Click Create Tenant.
Fill in the tenant details:

Field	Value	Description
Name	Wayne Enterprises	Display name of the organization
Slug	wayne-ent	URL-safe identifier (auto-generated, editable)
Plan	Enterprise	Determines feature limits and quotas
Admin Email	admin@wayne.com	First admin user for this tenant
Admin First Name	Bruce
Admin Last Name	Wayne

Configure tenant features:

Feature	Enabled	Description
AI Service	Yes	Natural language queries, agent orchestration
BI Service	Yes	Dashboard creation and sharing
ML Service	Yes	Model training and registry
Data Quality	Yes	Data profiling and quality monitoring
Data Catalog	Yes	Schema metadata and data dictionary
Pipelines	No	Data pipeline orchestration

Set resource quotas:

Resource	Limit
Max users	50
Max data sources	10
Storage (GB)	100
API rate limit (req/min)	1000
Concurrent queries	20

Click Create Tenant.

The provisioning process runs asynchronously. Monitor progress in the tenant detail view:

Phase	Status	Duration
Create namespace	Completed	2s
Deploy secrets	Completed	5s
Deploy services	In Progress	~60s
Configure ingress	Pending	--
DNS setup	Pending	--
Health verification	Pending	--

Tenant Actions

Action	Description	When to Use
Suspend	Disable tenant access without deleting data	Non-payment, policy violation
Resume	Re-enable a suspended tenant	Issue resolved
Scale	Adjust resource quotas	Growing usage
Delete	Permanently remove tenant and all data	Offboarding (irreversible)

Step 4: Manage Users

Viewing Users

Click Users in the sidebar.
Use filters to narrow the list:

Filter	Options
Tenant	All tenants, or select specific tenant
Role	super_admin, tenant_admin, operator, analyst, viewer
Status	Active, Suspended, Pending Verification
MFA Status	Enabled, Disabled

Creating a User

Click Create User.
Fill in user details:

Field	Value
Email	analyst@acme.com
First Name	Jane
Last Name	Smith
Tenant	ACME Corporation
Role	analyst
Send welcome email	Yes

Click Create User.

The user receives a welcome email with instructions to set their password and (optionally) configure MFA.

Assigning Roles

Click on a user to open their detail view.
In the Roles section, click Edit Roles.
Select the roles to assign:

Role	Permissions Included
`viewer`	`data:read`, `reports:read`
`analyst`	`data:read`, `queries:`, `reports:`
`operator`	`data:`, `pipelines:`, `reports:read`
`tenant_admin`	`users:`, `settings:`, `reports:*`, `audit:read`
`super_admin`	`*` (all permissions)

Click Save.

Role changes take effect immediately. The user's permission cache is invalidated, and their next API request uses the updated roles.

User Actions

Action	Description
Reset password	Send a password reset email
Lock account	Temporarily disable login
Unlock account	Re-enable a locked account
Revoke sessions	Force logout from all devices
Enable MFA	Require MFA for this user (admin-enforced)
Delete user	Remove the user account

Step 5: Monitor Platform Health

Service Health Dashboard

Click Monitoring in the sidebar.
The service health view shows all running services:

Service	Namespace	Pods	CPU	Memory	Status
iam-service	matih-system	2/2	245m	512Mi	Healthy
tenant-service	matih-system	2/2	180m	384Mi	Healthy
api-gateway	matih-system	2/2	320m	640Mi	Healthy
ai-service	tenant-acme-corp	2/2	890m	1.2Gi	Healthy
query-engine	tenant-acme-corp	2/2	450m	768Mi	Healthy
postgresql	matih-shared	1/1	350m	2.0Gi	Healthy
redis	matih-shared	1/1	100m	256Mi	Healthy
kafka	matih-shared	3/3	600m	1.5Gi	Healthy

Resource Usage

View cluster-wide resource consumption:

Resource	Used	Available	Utilization
CPU	12.4 cores	24 cores	52%
Memory	28.6 Gi	64 Gi	45%
Storage	145 Gi	500 Gi	29%
Pods	67	200	34%

Per-Tenant Resource Usage

Tenant	CPU	Memory	Storage	API Calls (24h)
acme-corp	4.2 cores	8.5 Gi	52 Gi	12,450
globex	2.8 cores	5.2 Gi	31 Gi	8,320
wayne-ent	1.1 cores	2.3 Gi	8 Gi	1,240

Step 6: Review Audit Logs

Accessing Audit Logs

Click Audit in the sidebar.
The audit log shows security-relevant events across the platform.

Filtering Audit Events

Filter	Options
Time range	Last hour, Last 24h, Last 7 days, Custom range
Tenant	All tenants or specific tenant
Event type	Authentication, Authorization, Data Access, Configuration
User	Specific user or all users
Outcome	Success, Failure

Sample Audit Events

Timestamp	Event	User	Tenant	Outcome	Details
14:32:15	AUTH_LOGIN	admin@acme.com	acme-corp	Success	MFA verified (TOTP)
14:31:02	AUTH_LOGIN	user@acme.com	acme-corp	Failure	Invalid password (attempt 2/5)
14:28:45	ROLE_CHANGE	admin@matih.ai	system	Success	Added 'operator' role to user-456
14:25:10	DATA_ACCESS	analyst@acme.com	acme-corp	Success	Query executed on orders table
14:20:33	CONFIG_CHANGE	admin@acme.com	acme-corp	Success	Updated LLM provider settings
14:15:00	API_KEY_CREATE	admin@acme.com	acme-corp	Success	Created API key "CI Pipeline"

Audit Log Export

Export audit logs for compliance:

Format	Description
CSV	Flat file for spreadsheet analysis
JSON	Structured data for SIEM integration
PDF	Formatted report for compliance officers

Step 7: Configure System Settings

Platform Settings

Click Settings in the sidebar.
Configure global platform settings:

Setting	Current Value	Description
Platform name	MATIH Enterprise	Displayed in the UI and emails
Default tenant plan	Starter	Plan assigned to new tenants
MFA policy	Optional	Whether MFA is required, optional, or disabled
Session timeout	30 minutes	Idle session timeout
Password policy	Strong	Minimum requirements for passwords
API rate limit (global)	10,000 req/min	Platform-wide rate limit

Password Policy Settings

Policy	Value	Description
Minimum length	12 characters
Require uppercase	Yes	At least one uppercase letter
Require lowercase	Yes	At least one lowercase letter
Require digits	Yes	At least one digit
Require special characters	Yes	At least one special character
Password history	5	Cannot reuse last 5 passwords
Max failed attempts	5	Lock account after 5 failed logins
Lockout duration	30 minutes	Auto-unlock after 30 minutes

Feature Flags

Control platform-wide feature availability:

Feature Flag	Status	Description
`ai.streaming`	Enabled	WebSocket streaming for AI responses
`ml.gpu_training`	Disabled	GPU-accelerated model training
`bi.embed_sharing`	Enabled	Embed dashboards in external pages
`data.auto_profiling`	Enabled	Automatic profiling on data source connect
`auth.social_login`	Disabled	Google/GitHub social login

Step 8: Manage API Keys (Platform Level)

Platform-level API keys provide programmatic access for automation and integration:

Click API Keys in the sidebar.
View existing keys:

Name	Scopes	Created	Expires	Status
CI/CD Pipeline	deploy:*, status:read	Jan 15	Apr 15	Active
Monitoring Integration	metrics:read, health:read	Jan 20	Jul 20	Active

Create a new key:
- Name: External Integration
- Scopes: data:read, queries:execute
- Expiration: 90 days
- IP whitelist: 10.0.0.0/8

Step 9: Manage Notifications

Configure how platform notifications are delivered:

Notification Channels

Channel	Configuration	Use Case
Email	SMTP server settings	User invitations, password resets, alerts
Webhook	HTTP endpoint URL	Integration with Slack, Teams, PagerDuty
In-app	Built-in notification center	Real-time notifications in the UI

Alert Rules

Alert	Condition	Channel	Recipients
Service Down	Health check fails 3x	Webhook (PagerDuty)	Platform team
High Error Rate	Error rate > 5% for 5 min	Email	Platform team
Tenant Suspended	Tenant status changes	Email	Billing team
New User Registration	User created	In-app	Tenant admins
Security Event	Failed login > 5 in 10 min	Email + Webhook	Security team

Step 10: Billing and Usage (Enterprise)

For enterprise deployments, the billing section shows:

Tenant Usage Summary

Tenant	Plan	API Calls	Storage	Compute Hours	Monthly Cost
acme-corp	Enterprise	375,000	52 Gi	720h	$2,400
globex	Professional	249,000	31 Gi	480h	$1,200
wayne-ent	Starter	37,000	8 Gi	120h	$300

Usage Trends

The billing dashboard shows month-over-month usage trends for:

API call volume
Storage consumption
Compute hours
Active user counts

Administration Best Practices

Practice	Recommendation
Least privilege	Start users with `viewer` role, escalate as needed
MFA enforcement	Require MFA for all `tenant_admin` and above
Audit review	Review audit logs weekly for anomalies
Key rotation	Rotate API keys every 90 days
Quota monitoring	Set alerts at 80% of resource quotas
Regular backups	Verify backup schedules for all databases
Security updates	Apply platform updates within 7 days of release

Troubleshooting

Issue	Cause	Resolution
Cannot create tenant	Insufficient cluster resources	Scale the cluster or adjust quotas
User cannot log in	Account locked or wrong credentials	Check audit logs, unlock if needed
Role changes not taking effect	Permission cache stale	Wait 60 seconds or clear the cache manually
Notifications not delivered	SMTP or webhook misconfigured	Test the notification channel in settings
Audit logs not appearing	Audit service unhealthy	Check audit-service pod status

Next Steps

Congratulations -- you have completed all five quickstart tutorials. You now have hands-on experience with:

Natural language querying via the Agentic Workbench
Dashboard creation via the BI Workbench
Model training via the ML Workbench
Data quality monitoring via the Data Workbench
Platform administration via the Control Plane UI

For deeper dives into specific topics, continue to the following chapters:

Chapter 6: Identity and Access Management -- Detailed IAM service documentation
Chapter 7: Tenant Lifecycle -- Complete tenant provisioning guide
Chapter 12: AI Service -- Agent architecture deep dive
Chapter 13: ML Service and MLOps -- MLflow integration details
Chapter 15: Workbench Architecture -- Frontend component architecture

Tutorial: Data Quality Exploration Overview