Team Rollout
This guide covers everything an engineering manager needs to plan team adoption of TameFlare: multi-environment setup, RBAC, user management, and onboarding.
Multi-environment setup
Create separate gateways in the dashboard for each environment. Each gateway has its own connectors, credentials, and permissions.
| Gateway | Environment | Connectors | Enforcement |
|---|---|---|---|
| dev-bot | Development | GitHub (allow all), OpenAI (allow all) | Monitor |
| staging-agent | Staging | GitHub (read only), OpenAI (allow) | Soft enforce |
| prod-agent | Production | GitHub (require approval for writes), Stripe (deny deletes) | Full enforce |
Why separate gateways
- Isolation - a misconfigured permission in dev cannot affect production
- Independent kill switches - you can kill-switch one gateway without touching others
- Different credentials - each gateway uses its own API tokens
- Gradual rollout - start with monitor mode in dev, enforce in production
Each developer initializes with the appropriate gateway, then runs their agent:
tf init --list # Pick dev-bot, staging-agent, or prod-agent
tf run -- python my_agent.py
RBAC (Role-Based Access Control)
TameFlare has 4 fixed roles in a strict hierarchy:
| Role | Level | Description |
|---|---|---|
| Owner | 4 | Full access. Can manage users, toggle kill switch, manage org settings. |
| Admin | 3 | Create/edit gateways, manage policies. Cannot manage users or toggle kill switch. |
| Member | 2 | View everything. Can approve/deny pending actions. Cannot create or modify gateways or policies. |
| Viewer | 1 | Read-only access to dashboard. Cannot approve actions or modify anything. |
Permissions matrix
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View dashboard, traffic, audit | Yes | Yes | Yes | Yes |
| Approve/deny actions | Yes | Yes | Yes | No |
| Create/edit gateways | Yes | Yes | No | No |
| Create/edit policies | Yes | Yes | No | No |
| Toggle kill switch | Yes | No | No | No |
| Manage users | Yes | No | No | No |
| Change org settings | Yes | Yes | No | No |
User management
First user
The first user to register at tameflare.com/register becomes the owner of the organization. This happens automatically.
Inviting team members
Invite team members from the Users page in the dashboard. New users default to the viewer role. Promote them as needed.
Recommended role assignments
| Team member | Recommended role |
|---|---|
| Engineering lead / security | Owner |
| DevOps / platform engineers | Admin |
| Developers using agents | Member (can approve their own actions) |
| Managers / auditors | Viewer (read-only) |
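An added example (not TameFlare's own code): a review script that parses the permissions matrix above, checks that the four roles really form a strict hierarchy, and flags roster entries whose assigned role is higher than their duties need. The roster, the email addresses and the function names are assumptions made for illustration.

```python
# Matrix rows and role levels are copied from this page; ROSTER is constructed.
MATRIX = """
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View dashboard, traffic, audit | Yes | Yes | Yes | Yes |
| Approve/deny actions | Yes | Yes | Yes | No |
| Create/edit gateways | Yes | Yes | No | No |
| Create/edit policies | Yes | Yes | No | No |
| Toggle kill switch | Yes | No | No | No |
| Manage users | Yes | No | No | No |
| Change org settings | Yes | Yes | No | No |
"""
LEVELS = {"Owner": 4, "Admin": 3, "Member": 2, "Viewer": 1}
ROSTER = {  # constructed: user -> (assigned role, actions the person performs)
    "dev@example.com": ("Admin", ["Approve/deny actions"]),
    "platform@example.com": ("Admin", ["Create/edit policies"]),
    "lead@example.com": ("Owner", ["Toggle kill switch", "Manage users"]),
}

def parse_matrix(text):
    """Return {role: set(actions)} from the pipe-delimited permissions table."""
    rows = [[c.strip() for c in line.strip("| ").split("|")]
            for line in text.strip().splitlines()]
    roles, body = rows[0][1:], rows[2:]  # rows[1] is the |---| separator
    return {role: {row[0] for row in body if row[i + 1] == "Yes"}
            for i, role in enumerate(roles)}

def hierarchy_violations(grants):
    """(lower, higher, actions) where a lower role holds a right the next lacks."""
    order = sorted(grants, key=LEVELS.get)
    return [(lo, hi, grants[lo] - grants[hi])
            for lo, hi in zip(order, order[1:]) if grants[lo] - grants[hi]]

def least_role(grants, needed):
    """Lowest-level role whose grants cover every needed action, else None."""
    return next((r for r in sorted(grants, key=LEVELS.get)
                 if set(needed) <= grants[r]), None)

def over_privileged(grants, roster):
    """{user: (assigned, sufficient)} where the assigned role exceeds the need."""
    need = {u: least_role(grants, acts) for u, (_, acts) in roster.items()}
    return {u: (role, need[u]) for u, (role, _) in roster.items()
            if need[u] and LEVELS[role] > LEVELS[need[u]]}

if __name__ == "__main__":
    g = parse_matrix(MATRIX)
    print("hierarchy violations:", hierarchy_violations(g))
    print("over-privileged:", over_privileged(g, ROSTER))
```

An empty violations list confirms that every role's rights are a subset of the next role up, so comparing levels is a sound way to reason about who can toggle the kill switch or manage users.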
New member onboarding
What new members see
When a non-admin user logs in for the first time, they see:
- Dashboard overview - current stats (actions today, active gateways, pending approvals)
- Traffic log - full visibility into all proxied requests
- Audit log - every action, decision, and approval event
- Approvals - members can approve/deny pending actions (viewers cannot)
Recommended onboarding steps
- Share the dashboard URL - tameflare.com/dashboard
- Have them register or send an invite from the Users page
- Assign the appropriate role - promote from the Users page
- Point them to the traffic log - best way to understand what TameFlare is doing
- Share the tf init command for their gateway so they can start running agents
Multi-team setup
For platform teams managing multiple teams or tenants:
- Create one gateway per team in the dashboard
- Each gateway has its own connectors, credentials, and permissions
- Run each team's agents with their own gateway:
# Team A directory
cd ~/team-a && tf init --list && tf run -- python agent.py
# Team B directory
cd ~/team-b && tf init --list && tf run -- python agent.py
All gateways share the same org dashboard, so admins have full visibility across teams.
SSO (Single Sign-On)
SSO via SAML and OIDC is planned for the Team tier. This will support Google Workspace, Okta, Azure AD / Entra ID, and generic SAML 2.0 / OIDC providers.
Currently, authentication uses email/password. Use strong, unique passwords for each user.
Data export
Export your data from the dashboard at any time:
- Audit log - go to Audit Log and click Export CSV
- Configuration - go to Settings > Export Configuration to download policies and gateway configs as JSON
Exports do not include API keys, credentials, or user accounts (for security).
Next steps
- Architecture - how TameFlare works
- Deployment Topology - multiple gateways and config sync
- Security - authentication and authorization details
- Plans & Pricing - tier comparison and limits