Admin Guide

Organisation-level settings are accessible to users with the Admin role via Settings → Organisation. Here you configure the organisation name, primary domain, default timezone, and security policies.

The primary domain controls which email domains are allowed to sign up for agent accounts. If set to @acmestudios.com, only users with that domain can accept workspace invitations — protecting against external access.

Organisation settings changes are logged in the Audit Log with the acting admin's identity and timestamp. Critical changes (domain, SSO configuration, billing) trigger an email notification to all other admins.

The Users page (Settings → Organisation → Users) lists all members of your organisation across all workspaces. Filter by role, workspace, or last active date. Use the search bar to find a specific user by name or email.

Bulk actions are available: change role, remove from all workspaces, deactivate, and export to CSV. Deactivated users lose access immediately and their open tickets are unassigned to the workspace queue.

If a user leaves your organisation, deactivate rather than delete. Deletion is permanent and removes the user from all historical ticket records, which may create audit gaps. Deactivated accounts are recoverable for 90 days.

Keme has three built-in roles: Agent (can view and respond to tickets in assigned workspaces), Manager (can manage workspace settings, automations, and agents), and Admin (full organisation access including billing and SSO).

Enterprise plans support custom roles with granular permissions. Navigate to Settings → Organisation → Roles → New Role. Toggle individual permissions: view tickets, create tickets, export data, manage automations, manage agents, and more.

Role changes take effect immediately on the next page load or API request. If you demote a Manager to Agent, they lose access to Settings pages immediately.

Keme supports SAML 2.0 SSO with providers including Okta, Azure AD, Google Workspace, and OneLogin. SSO is available on Enterprise plans. Navigate to Settings → Organisation → Security → SSO.

When SSO is enabled, users are redirected to your identity provider for authentication. Passwords are disabled for SSO-managed accounts. Machine-to-machine API access still uses API tokens — SSO does not apply to the API.

The Audit Log (Settings → Organisation → Audit Log) records every administrative action: user invited, user deactivated, role changed, SSO configured, API token created, workspace created, billing plan changed.

Each log entry shows: actor (email + role), action, target resource, IP address, user agent, and timestamp (UTC). Logs are immutable — they cannot be edited or deleted, even by Admins.

Billing is managed under Settings → Organisation → Billing. The page shows your current plan, next renewal date, seat count, and payment method. Invoices are available to download as PDF.

To upgrade or downgrade your plan, click Change Plan. Upgrades take effect immediately with pro-rata charges. Downgrades take effect at the start of the next billing cycle.

If payment fails, Keme retries three times over 7 days. During this period the workspace remains fully functional. After the third failure, the account is suspended — tickets are still stored but agents cannot log in until payment is resolved.