Organizations
An organization is the top-level workspace boundary in Tanjiren. Every workstation, task, member, and audit event belongs to exactly one organization. All access control, billing, and governance flow from this boundary.
Isolation boundary
Data never leaks between organizations. Workstations, tasks, and audit trails are fully scoped to one org.
Role-based access
Four roles (owner, admin, member, viewer) control what each person can see, create, and approve.
Governance layer
Security policies and doctrine rules let admins enforce MFA, trusted controllers, approval gates, and command restrictions.
Organization types
Tanjiren creates a personal organization automatically when you sign up. It is yours alone and cannot have additional members.
A shared organization is created manually and supports multiple members with different roles. Shared orgs unlock governance features like approval escalation, security policies, and audit visibility for the entire team.
| | Personal | Shared |
|---|---|---|
| Members | 1 (you) | Unlimited |
| Roles | Owner only | Owner, admin, member, viewer |
| Governance | Not available | Security policy, doctrine, audit events |
| MCP governance scope | Not granted | Admin and owner |
Roles and permissions
Every member has exactly one role in an organization. Roles are hierarchical: each level inherits all permissions from the levels below it.
| Role | Description | Permissions |
|---|---|---|
| Owner | Full control. Transfers ownership, manages SSO connections, deletes the org. One owner per org. | Everything below + ownership transfer, SSO management, org deletion |
| Admin | Manages members, security policies, billing, and governance features. | Everything below + invite/remove members, edit security policy, edit doctrine, view audit events |
| Member | Operational user. Creates and executes tasks, investigations, runbooks, and prompts. | Everything below + create tasks, approve/reject, create investigations, create runbooks |
| Viewer | Read-only access to all org state. Cannot create or mutate anything. | Read workstations, tasks, investigations, runbooks, workers |
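The hierarchy above (viewer < member < admin < owner) combined with the one-org-per-membership boundary can be expressed as a single fail-closed authorization check. The following is an added example, not Tanjiren's own code: the action identifiers, the `(org_id, user_id)` membership map and the sample users are constructed for illustration, and the minimum role per action is taken from the role descriptions in the table.

```python
from enum import IntEnum


class Role(IntEnum):
    """Hierarchical roles: a higher value inherits everything below it."""
    VIEWER = 0
    MEMBER = 1
    ADMIN = 2
    OWNER = 3


# Minimum role for each action, derived from the role table on this page.
# The action identifiers are constructed for this example; Tanjiren's real
# permission names are not documented here.
MIN_ROLE = {
    # viewer: read-only access to all org state
    "read_workstations": Role.VIEWER,
    "read_tasks": Role.VIEWER,
    "read_investigations": Role.VIEWER,
    "read_runbooks": Role.VIEWER,
    "read_workers": Role.VIEWER,
    # member: operational user
    "create_task": Role.MEMBER,
    "approve_task": Role.MEMBER,
    "reject_task": Role.MEMBER,
    "create_investigation": Role.MEMBER,
    "create_runbook": Role.MEMBER,
    # admin: membership, policy, billing, governance
    "invite_member": Role.ADMIN,
    "remove_member": Role.ADMIN,
    "edit_security_policy": Role.ADMIN,
    "edit_doctrine": Role.ADMIN,
    "view_audit_events": Role.ADMIN,
    "manage_billing": Role.ADMIN,
    # owner: the organization itself
    "transfer_ownership": Role.OWNER,
    "manage_sso": Role.OWNER,
    "delete_org": Role.OWNER,
}

# Memberships keyed by (org_id, user_id). A membership belongs to exactly one
# org, so bob's admin role in org-beta grants nothing in org-acme.
# Sample data is constructed for this example.
MEMBERSHIPS = {
    ("org-acme", "alice"): Role.OWNER,
    ("org-acme", "bob"): Role.MEMBER,
    ("org-acme", "carol"): Role.VIEWER,
    ("org-beta", "bob"): Role.ADMIN,
}


def authorize(memberships, org_id, user_id, action):
    """True only if the user holds a sufficient role in *this* org.

    Non-members and unknown actions are denied: the check fails closed rather
    than falling back to a default role.
    """
    role = memberships.get((org_id, user_id))
    if role is None:
        return False
    required = MIN_ROLE.get(action)
    if required is None:
        return False
    return role >= required


def allowed_actions(role):
    """Every action a role can perform, including those inherited from below."""
    return sorted(action for action, required in MIN_ROLE.items() if role >= required)


if __name__ == "__main__":
    for role in Role:
        print(f"{role.name:<6} -> {len(allowed_actions(role))} actions")
    print("bob may invite in org-acme:", authorize(MEMBERSHIPS, "org-acme", "bob", "invite_member"))
    print("bob may invite in org-beta:", authorize(MEMBERSHIPS, "org-beta", "bob", "invite_member"))
```

Because `Role` is an `IntEnum`, the inheritance rule in the text ("each level inherits all permissions from the levels below it") is a single comparison, and the membership map keyed by org enforces the isolation boundary before any role is even looked at.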
Membership lifecycle
Members join a shared organization through an email invitation. The invite includes a role and expires after a configurable period.
Members can leave at any time. Admins and owners can revoke memberships. Revoking a member does not delete their previously created tasks or investigations.
Security policy
Admins can configure organization-wide security requirements that gate sensitive operations. These policies apply to all members regardless of role.
| Policy | Effect |
|---|---|
| requireMfa | All members must enroll in TOTP MFA before accessing the org |
| requireTrustedControllerForRelay | Only trusted browser sessions can open relay connections to workstations |
| requireTrustedControllerForTaskExecution | Only trusted browser sessions can create or approve tasks |
Doctrine
Doctrine is a set of operational guardrails that apply to every task created in the organization. Unlike security policies (which gate who can act), doctrine gates what can be done.
When a task is created, the current doctrine is evaluated and a snapshot is stored with the task. This ensures consistency even if doctrine changes mid-execution.
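The two mechanisms described above, the org-wide security policy gates (which apply before any role check and regardless of role) and the doctrine snapshot taken at task creation, fit together in a task-creation path. The following is an added example and not Tanjiren's own code: the three policy keys are the ones from the security policy table, while the `Session` fields, the `denied_commands` doctrine shape (standing in for the "command restrictions" mentioned earlier) and the sample org are assumptions constructed for illustration.

```python
import copy
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    mfa_enrolled: bool          # has the user enrolled in TOTP MFA? (assumed field)
    trusted_controller: bool    # is this browser session a trusted controller? (assumed field)


@dataclass
class Organization:
    policy: dict                # e.g. {"requireMfa": True}
    doctrine: dict              # assumed shape: {"denied_commands": ["rm", ...]}


@dataclass
class Task:
    command: str
    doctrine_snapshot: dict     # frozen copy of doctrine at creation time


class PolicyDenied(Exception):
    pass


class DoctrineDenied(Exception):
    pass


# Which operations each trusted-controller policy gates, per the policy table.
TRUSTED_CONTROLLER_GATES = {
    "requireTrustedControllerForRelay": {"open_relay"},
    "requireTrustedControllerForTaskExecution": {"create_task", "approve_task"},
}


def policy_violations(org, session, operation):
    """Org-wide gates, evaluated for every member regardless of role.

    Returns the list of violated policy keys (empty means the operation may
    proceed to the role check).
    """
    violations = []
    if org.policy.get("requireMfa") and not session.mfa_enrolled:
        violations.append("requireMfa")
    for key, gated_ops in TRUSTED_CONTROLLER_GATES.items():
        if org.policy.get(key) and operation in gated_ops and not session.trusted_controller:
            violations.append(key)
    return violations


def evaluate_doctrine(doctrine, command):
    """Return the denied program name if the command's first word is on the deny list, else None."""
    words = command.split()
    program = words[0] if words else ""
    if program in doctrine.get("denied_commands", []):
        return program
    return None


def create_task(org, session, command):
    violations = policy_violations(org, session, "create_task")
    if violations:
        raise PolicyDenied(", ".join(violations))
    # Snapshot the doctrine now; later edits to org.doctrine must not change
    # what this task is held to.
    snapshot = copy.deepcopy(org.doctrine)
    denied = evaluate_doctrine(snapshot, command)
    if denied:
        raise DoctrineDenied(f"command '{denied}' blocked by doctrine")
    return Task(command=command, doctrine_snapshot=snapshot)


def execute_task(task):
    """Re-evaluate against the task's own snapshot, never the live org doctrine."""
    denied = evaluate_doctrine(task.doctrine_snapshot, task.command)
    if denied:
        raise DoctrineDenied(f"command '{denied}' blocked by doctrine snapshot")
    return "executed"


def demo():
    # Constructed sample org: MFA and trusted controllers required, "rm" denied.
    org = Organization(
        policy={"requireMfa": True, "requireTrustedControllerForTaskExecution": True},
        doctrine={"denied_commands": ["rm"]},
    )
    untrusted = Session("alice", mfa_enrolled=True, trusted_controller=False)
    trusted = Session("alice", mfa_enrolled=True, trusted_controller=True)
    task = create_task(org, trusted, "ls -la /var/log")
    org.doctrine["denied_commands"].append("ls")   # an admin tightens doctrine mid-execution
    return {
        "untrusted_violations": policy_violations(org, untrusted, "create_task"),
        "executes_with_snapshot": execute_task(task),
        "live_doctrine_now_blocks_ls": evaluate_doctrine(org.doctrine, "ls -la") == "ls",
    }


if __name__ == "__main__":
    print(demo())
```

`deepcopy` is what makes the snapshot meaningful: a reference to the live doctrine dict would silently pick up the admin's later edit, which is exactly the inconsistency the text says the snapshot is there to prevent. Note also that `policy_violations` never consults the caller's role, matching the statement that security policies apply to all members.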
MCP tools and resources
| Tool | Scope | Description |
|---|---|---|
| list_org_members | mcp:governance | List organization members with roles |
| list_audit_events | mcp:governance | Query the audit log (shared orgs only) |
Resources
| Resource | Description |
|---|---|
| tanjiren://org/current | Organization summary, plan, capabilities |
| tanjiren://limits/current | Plan limits and feature availability |
| tanjiren://org/current/security-policy | Trusted-controller requirements |
| tanjiren://org/current/doctrine | Task operational guardrails |
| tanjiren://session/whoami | Current user identity, role, and scopes |