Agent Operations Platform
Management
Configure the platform from the organization down. Tenants, workspaces, defaults, and per-scope overrides, administered consistently across every component, with the same lifecycle controls and audit trail the rest of the platform provides.
Workflow
Set up the structure. Let teams build.
The same loop applies whether you're standing up the first tenant or the fiftieth. Configure org defaults, segment by tenant and workspace, delegate within guardrails, and watch the audit stream for the outliers.
- 01 Configure: Set organization defaults: identity provider, classification, baseline policy, audit destinations.
- 02 Segment: Create tenants and workspaces. Assign owners. Inherit org defaults; override where the business unit needs to.
- 03 Delegate: Grant tenant and workspace admins the controls they need within org-scope guardrails. Self-service inside a safe perimeter.
- 04 Govern: Watch the audit stream. Tighten org-level baselines as patterns emerge. Roll forward versioned configuration.
Consistent operations
Org down to agent
Every Dome operation sits within an organization, tenant, and workspace. Management is how those structures are administered — the configuration surface that everything else is scoped against.
Organization: Top-level entity. Identity, billing, baseline policy. Configured once.
Tenant: Isolated business unit. Data residency, classification rules, provider strategy.
Workspace: Team-level grouping. Most agents, tools, models, and rules sit here.
Agent: Individual registered agent. Inherits everything above; layers per-agent overrides.
Organization
The top-level entity. Owns identity (OIDC, SCIM), billing, and the baseline Cedar policy every tenant inherits. Configured once; rarely touched.
Tenants
Isolated business units within an organization. Carry their own data residency, classification rules, provider strategy, and audit export targets — within the org's guardrails.
Workspaces & delegation
Team-level grouping within a tenant. The grain most platform work sits at. Scoped admins can manage agents, tools, and rules without touching the tenant or org scope.
Options
What management lets you do
Beyond a hierarchy, the management surface exposes operational controls — what you can configure via the CLI, API, or Terraform to administer the platform at scale.
Multi-tenant isolation
Tenants cannot see across each other. Identity, data, policy, and audit are partitioned by default. Cross-tenant access is an explicit delegation, never a leak.
Tenant-scoped residency
Pin a tenant's data, model traffic, and audit storage to specific regions. EU traffic stays on EU infrastructure; US workloads route to US providers.
Scoped role delegation
Grant admin roles bounded by scope. A workspace admin can manage their workspace; a tenant admin can manage their tenant. The platform enforces the boundary.
Versioned configuration
Every configuration change is versioned and audited. Roll forward, roll back, or diff against a previous version — config behaves like code.
SCIM provisioning
Provision admins, users, and groups from your IdP via SCIM. Lifecycle is automatic — deprovisioned users lose access immediately.
Terraform provider
Declarative state for orgs, tenants, workspaces, providers, tools, and rules. The full configuration surface as code, applied through CI.
In practice
From org to running workspace
Org, tenant, and workspace operations are first-class CLI commands. Anything you can do interactively is scriptable, and every change is versioned and audited.
# Set baseline organization policy
dome org settings set \
    --idp okta \
    --classification standard \
    --audit-export splunk

# Create a tenant
dome tenant create support \
    --data-residency us \
    --owner alex

# Create a workspace inside it
dome workspace create support/triage \
    --owner alex

# Grant a tenant admin
dome iam grant tenant:support \
    --role admin \
    --principal bree@example.com

# Apply an org-scope baseline
dome rules apply org/baseline.cedar \
    --scope org

# Audit configuration changes
dome audit query \
    --event "config.*" \
    --since 24h