# Organization Settings
Organization Settings is a consolidated hub for configuring account-level preferences. This page provides an overview of each section; detailed walkthroughs are linked below.
## Settings Navigation
Access organization settings via Settings (top-right avatar menu) → select one of the sections below.
## Client / Company Profile
Overview: Configure your organization's name, industry, and contact information.
Contains:
- Organization name
- Website / industry classification
- Team email addresses
- Audit log access (Scale plan and above)
- Invoice recipients
Details: See Organization: Client
## Platform Configuration
Overview: Control how Plexicus behaves for your organization.
Contains:
- Scan Schedule — Choose automatic scan frequency (None, Weekly, Monthly)
- Autonomous Scanning — Auto-scan new repositories immediately upon creation
- Fix Verification — Enable test-driven fix validation (Scale plan and above)
- Deep AI Enrichment — Toggle high-confidence AI analysis (Enterprise only)
- Remediation Language — Set the language for AI-generated fixes and summaries
- Notifications — Quiet hours, email digest frequency, Slack notification rules
When to use:
- Enable Autonomous Scanning to stay ahead of new vulnerabilities automatically
- Toggle Fix Verification when you need confidence that generated fixes actually work
- Adjust Remediation Language if your team prefers code comments/documentation in a non-English language
## Language & Localization
Overview: Set the UI language for all users in your organization (individual users can override).
Contains:
- UI language selector (English, Spanish, others)
- Timezone for audit logs and reports
- Date/time format preferences
## OpenAI / BYO-AI Configuration
Overview: Connect your own AI provider (OpenAI, Azure OpenAI) for custom remediation and validation.
Contains:
- Remediator connection — AI service used to generate fixes
  - OpenAI (standard API)
  - Azure OpenAI (government/VPC deployments)
  - OpenAI-compatible (DeepInfra, DeepSeek, etc.)
- Validation connection — Separate AI service for finding validation & false positive detection
- Connection test button to verify credentials before saving
- SSRF protection for Azure URLs
When to use:
- Use your own OpenAI keys when you want to bring API quotas or manage billing directly
- Connect Azure OpenAI if your organization requires VPC-isolated AI or government compliance
- Set separate validation + remediation providers for workload isolation
Details: Detailed setup instructions are in Organization: Client under "OpenAI Connection."
## Plexalyzer Token
Overview: Generate and manage the legacy connector token used by the Plexalyzer workflow automation service.
Contains:
- Token generation (one-time reveal)
- Token revocation
- Token expiration policy
- Usage logs (which scripts/automations used this token)
When to use:
- Generate a token if you're automating findings retrieval or remediation via your own scripts
- Revoke tokens if you suspect they're compromised or no longer needed
- Rotate tokens annually as a security best practice
The Plexalyzer token is separate from personal API tokens. Use Plexalyzer tokens for automation; use personal API tokens for CLI/MCP access.
## Authentication & SSO
Overview: Set up single sign-on (SAML 2.0 or OIDC) and manage passkeys.
Contains:
- SSO provider configuration (IdP metadata, entity ID, SSO/SLO URLs)
- Enforcement mode (Coexist / SSO Preferred / SSO Enforced)
- Certificate rotation and secret management
- Passkey setup (passwordless login)
- 2FA configuration (TOTP, security keys)
Details:
- SSO Setup — Complete SAML/OIDC walkthrough for Okta, Azure AD, Google Workspace, etc.
- Passkeys — Enable WebAuthn for passwordless authentication
- Two-Factor Authentication — TOTP & security key setup
## Team Management
Overview: Invite team members, assign roles, and manage permissions.
Contains:
- Team member list (email, role, status)
- Invite new members (set role at invitation time)
- Revoke member access
- Change member roles (Developer ↔ Cyberoper ↔ Admin)
Roles:
- Developer — Read-only access to findings; cannot modify settings
- Cyberoper (Cyber Operator) — Can triage findings, assign to developers, modify compliance mappings
- Admin — Full access including team management, SSO configuration, payment settings
- Superadmin — Internal Plexicus use only
Details: See Organization: Client for detailed team management walkthrough.
## Roles & RBAC (Scale plan and above)
Overview: Create custom roles and refine permissions beyond the built-in Developer/Cyberoper/Admin roles.
Contains:
- Built-in role list (Developer, Cyberoper, Admin)
- Custom role creation (name, permission matrix)
- Permission scopes (CREATE_REPOSITORY, UPDATE_FINDING, etc.)
- Role assignment to team members
When to use:
- Create a "Security Lead" role that can view all findings and reports but cannot delete repositories
- Create a "Scanner Admin" role limited to managing scanner configuration and testing
- Implement least-privilege access control for compliance audits (SOC 2, ISO 27001, etc.)
Details: See Organization: Roles & RBAC for complete custom role setup.
## Audit Log (Scale plan and above)
Overview: Review all user and system actions for compliance and security investigations.
Contains:
- Searchable audit log (who, what, when, where)
- Filters by action type, user, timestamp, affected resource
- Integrity verification (tamper-proof hash chain)
- Log export (CSV/JSON for SIEM ingestion)
Logged events:
- Team member add/remove
- Role changes
- Finding status changes (Triage, FP, Mitigated)
- Settings changes (SSO config, API token rotation)
- Payment/subscription changes
- Scan schedule updates
Details: See Organization: Audit Log for full audit log guide and integrity verification.
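The integrity verification listed above relies on a hash chain: each entry commits to the hash of the entry before it, so an edit, a deletion, or a reordering anywhere in the log breaks every link after it. The script below is an added illustration, not Plexicus's own code or export format: it builds a small chained log from constructed events modelled on the logged-event types in this section, then shows how an in-place edit, an edit with a recomputed hash, and a deleted entry are each caught at a specific entry. The field names, the chaining rule (SHA-256 over the canonical JSON of an entry minus its own `hash` field) and the all-zero genesis value are assumptions made for the example.

```python
import hashlib
import json

# Assumed chaining rule for this example (not Plexicus's documented format):
# hash = SHA-256(canonical JSON of the entry without its "hash" field), and
# prev_hash links to the previous entry's hash, starting from GENESIS.
GENESIS = "0" * 64


def canonical(entry: dict) -> bytes:
    """Canonical JSON: sorted keys, no whitespace, the hash field excluded."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


def build_chain(events: list[dict]) -> list[dict]:
    """Append events to a fresh chain, linking each entry to its predecessor."""
    chain, prev = [], GENESIS
    for seq, ev in enumerate(events, start=1):
        entry = {"seq": seq, **ev, "prev_hash": prev}
        entry["hash"] = entry_hash(entry)
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(lines: list[str]) -> tuple[bool, str]:
    """Walk an exported JSONL log; return (ok, reason) naming the first break."""
    prev = GENESIS
    for i, line in enumerate(lines, start=1):
        entry = json.loads(line)
        if entry.get("seq") != i:
            return False, f"entry {i}: sequence gap or reorder (seq={entry.get('seq')})"
        if entry.get("prev_hash") != prev:
            return False, f"entry {i}: prev_hash does not match entry {i - 1}"
        if entry_hash(entry) != entry.get("hash"):
            return False, f"entry {i}: content does not match its hash"
        prev = entry["hash"]
    return True, f"{len(lines)} entries verified"


# Constructed sample events mirroring the logged-event types in this section.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "alice@example.com",
     "action": "team.member.add", "resource": "bob@example.com"},
    {"ts": "2024-05-01T09:05:00Z", "actor": "alice@example.com",
     "action": "role.change", "resource": "bob@example.com", "detail": "Developer->Cyberoper"},
    {"ts": "2024-05-02T11:30:00Z", "actor": "bob@example.com",
     "action": "finding.status", "resource": "finding-1234", "detail": "Triage->FP"},
    {"ts": "2024-05-03T08:15:00Z", "actor": "alice@example.com",
     "action": "settings.sso", "resource": "org", "detail": "SSO Enforced"},
]


def export_jsonl(chain: list[dict]) -> list[str]:
    """Serialise the chain one JSON object per line, as a JSONL export would."""
    return [json.dumps(e, sort_keys=True) for e in chain]


def demo() -> tuple:
    """Verify an intact export, then three tampered copies of it."""
    chain = build_chain(SAMPLE_EVENTS)
    intact = verify_chain(export_jsonl(chain))

    # 1. Rewrite the FP decision after the fact without touching any hash.
    edited = [dict(e) for e in chain]
    edited[2]["detail"] = "Triage->Mitigated"
    edit_result = verify_chain(export_jsonl(edited))

    # 2. Same edit, but the attacker recomputes that entry's own hash;
    #    the next entry's prev_hash no longer matches.
    rehashed = [dict(e) for e in chain]
    rehashed[2]["detail"] = "Triage->Mitigated"
    rehashed[2]["hash"] = entry_hash(rehashed[2])
    relink_result = verify_chain(export_jsonl(rehashed))

    # 3. Delete the role change entirely; the sequence numbers expose the gap.
    dropped = [dict(e) for e in chain]
    del dropped[1]
    delete_result = verify_chain(export_jsonl(dropped))
    return intact, edit_result, relink_result, delete_result


if __name__ == "__main__":
    for label, result in zip(("intact", "edited", "rehashed", "deleted"), demo()):
        print(f"{label:9} -> {result}")
```

The point of checking all three conditions in order is that each catches a different tampering pattern: the sequence check catches deletion or reordering, the `prev_hash` check catches an entry that was rewritten and rehashed in isolation, and the content hash catches a raw edit. A verifier that recomputes only the final hash would still detect all of these but could not tell the auditor which entry was changed.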
## API Tokens (Developer Access)
Overview: Create and manage personal API tokens for programmatic access to Plexicus.
Contains:
- Token generation (set expiry: 30 days, 90 days, or never)
- Token list (with creation date, last used)
- Token revocation
- Token scopes (read-only, write, admin)
Use cases:
- Generate a token to access the Plexicus API from a CI/CD pipeline
- Create an MCP server token for IDE integration (Claude Code, Cursor, VS Code)
- Issue expiring tokens to contractors or third-party tools
Details: Detailed walkthrough in Settings: API Tokens.
One-time reveal: After token creation, the token is shown only once. Store it securely (e.g., in your CI/CD secrets manager). You cannot retrieve it later; revoke and regenerate if needed.
## Account Preferences
Overview: Manage your personal account settings (password, email, language, account deletion).
Contains:
- Change password
- Email address
- Preferred UI language (overrides organization default)
- Download personal data (GDPR data subject access)
- Delete account
Details: See Settings: Change Password.
Deleting your account removes you from the organization but does not delete your organization or findings. Only a superadmin can delete an entire organization.
## Notifications & Alerts
Overview: Control how Plexicus alerts you to important events.
Contains:
- Email digest frequency (immediate, daily, weekly)
- Quiet hours (do not send emails between X and Y)
- Alert types (finding assigned, batch complete, quota warning, etc.)
- Slack integration (channel webhooks for real-time alerts)
- SMS notifications (Enterprise only, for critical security alerts)
When to use:
- Disable email for findings not assigned to you (reduce noise)
- Set Slack alerts for high-severity findings (real-time response)
- Enable quota warnings at 75% and 90% usage (to avoid surprises at 100%)
## Connected Integrations
Overview: View and manage all active integrations (SCM, Jira, ServiceNow, etc.).
Contains:
- SCM connection status (GitHub/GitLab/Bitbucket authorization)
- Ticketing tool status (Jira/ServiceNow API tokens)
- Registry connections (Docker Hub, ECR, GCR, etc.)
- Cloud provider connections (AWS, Azure, GCP, OCI)
- Slack/Teams webhook status
- Refresh or revoke tokens
When to use:
- Disconnect an SCM provider to stop scanning certain repositories
- Rotate API keys or OAuth tokens for security
- Test connectivity to a newly added integration
## Billing & Subscription (Admin/Superadmin only)
Overview: Manage payment methods, invoices, and subscription status.
Details: See Billing & Payments for complete payment setup and subscription management.
## Summary & Quick Access
| Section | Purpose | Plan Minimum | User Role |
|---|---|---|---|
| Client | Organization profile | Free | Admin |
| Platform | Scan scheduling, autonomous mode | Free | Admin |
| Language | UI/notification language | Free | Any |
| OpenAI | BYO-AI configuration | Free | Admin |
| Plexalyzer Token | Legacy automation token | Free | Admin |
| Authentication | SSO, Passkeys, 2FA | Free | Admin |
| Team | Invite members, assign roles | Free | Admin |
| Roles & RBAC | Custom permission sets | Scale | Admin |
| Audit Log | Compliance audit trail | Scale | Admin |
| API Tokens | Programmatic access | Free | Any |
| Account | Personal settings, password | Free | Any |
| Notifications | Email/Slack alerts | Free | Any |
| Integrations | SCM, Jira, Cloud, Registry | Free | Admin |
| Billing | Payments, invoices, subscription | Free | Admin |
## Related Topics
- Organization: Client — Detailed walkthrough of company profile and team setup
- Organization: Roles & RBAC — Custom permission matrix design
- Organization: Audit Log — Compliance audit trail and integrity verification
- Plans & Entitlements — Which features are available in each plan
- Billing & Payments — Payment methods, invoices, and subscription management