Tosi Control supports four user roles, each with specific permissions and management capabilities: OWNER, ADMIN, VIEWER, and USER (now called OPERATOR).
Roles define what users can see, manage, or configure within the organization’s Tosi Control environment.
The OWNER is the highest‑privileged user in Tosi Control.
A user can become an OWNER in Tosi Control in two ways:
Through Tosi Sales:
The Tosi Sales team can create the Tosi Control OWNER when a customer purchases a subscription.
Through Key Registration to a New Organization:
A user can become the OWNER by creating an account while registering a Master Key to a new Tosi Control Organization.
First user invited to access Tosi Control.
Only one OWNER per organization.
Has unrestricted access to all networks and all features.
Cannot be deactivated or removed by other users.
Network Management
View Home page
Access all networks (cannot be restricted)
Onboard new networks using a Master Key
View Networks page & network topology (if enabled)
Change network names
Remove networks
View Map page (if enabled)
Set/edit gateway positions
User & Key Management
View Users page
Invite users with roles: ADMIN, VIEWER, USER
Modify any user’s role
View Keys page
Attach/detach keys from users
Enforce password reset
Force end-user session
Deactivate users (except OWNER)
Remove users (requires re-invitation)
Gateway & Asset Management
View Gateways page
Request gateway firmware update
Enable Tosi Insight (if enabled)
View Assets and Events views (if enabled)
Organization & Settings
View Settings page
Configure SSO for the organization
Create custom attributes + edit values
View sensitive and non-sensitive custom attribute values
Create/edit custom API integrations
Export gateways, keys, assets (.csv)
Notifications
Receive:
Global product updates
MFA reset notifications
Firmware update notifications
Inbound events
Tosi Insight events
Service Connectivity Monitoring events
Enable/disable notifications
Edit email-forwarding address
SSO Restriction
If SSO is enabled, the OWNER can only access Tosi Client [Key Software, minimum version 4.4.0] if a key is attached to them.
ADMINs have nearly identical permissions to the OWNER except they cannot manage the OWNER.
Same as OWNER except:
Cannot change OWNER’s role
Cannot deactivate, remove, or force password reset for the OWNER
All other capabilities (networks, gateways, keys, users, notifications, exports, SSO setup, custom attributes, integrations) are fully available.
SSO Restriction
If SSO is enabled, the ADMIN can only access Tosi Client [Key Software, minimum version 4.4.0] if a key is attached to them.
The OPERATOR role (previously called USER) sits between ADMIN and VIEWER in terms of permissions.
Access is key‑based, not network‑based.
An OPERATOR’s visibility and edit rights are determined solely by the type of Keys attached to their user account.
General
In Tosi Control, the OPERATOR can view or edit only gateways paired (serialized) with their attached Keys.
Manual network selection is not supported for the Operator role.
Editing Capabilities
The OPERATOR can edit paired gateways only when the attached key is a “Master Key” or “Backup Key”. The allowed editing actions are:
Edit custom attribute values of gateways
Update gateway firmware
Enable Service Connectivity Monitoring
Enable Insights for gateways
Pause or resume automated data polling
Viewing Capabilities
The OPERATOR can view the following pages.
All content is limited to attached keys and their paired gateways:
Home
Networks
Map
Gateways
Keys
Assets
Events
Restricted Capabilities
The Operator cannot:
Invite users
Deactivate users
Remove users
Reset user MFA
Change users’ network access
Attach or detach keys to any user (including themselves)
Configure SSO
Enforce MFA
Change organization‑level notification settings
Create integrations
Edit integrations
Modify integration settings
Create custom attributes
Edit custom attribute definitions
Remove custom attributes
(Note: The Operator can edit custom attribute values on authorized gateways.)
Network Access Limitation
Network access is automatically enforced based on the attached keys.
There is no manual network access configuration for Operators.
SSO Restriction
Must have a key attached to access Tosi Client [Key Software, minimum version 4.4.0] (when SSO is enabled)
VIEWERs have read-only access to selected networks.
General
View Home page
Access only selected networks
Read-Only Visibility
Networks page & topology (if enabled)
Map page (if enabled)
Keys page (for networks they can access)
Gateways page (limited to accessible networks)
Assets view (if enabled)
Events view (if enabled)
View non-sensitive custom attribute values
Exports
Export gateways, keys, assets list (.csv)
Notifications
Can receive Global and Gateway/Event‑related notifications
Network Access Limitation
Users with the VIEWER role can be restricted to view only specific networks.
(Each Master Key represents a network in Tosi Control.)
To limit network access for a VIEWER, the OWNER or an ADMIN can follow these steps:
Go to Users
Select the user with the VIEWER role
Click the Can view picker
Select the networks the user should have access to
The user will then only be able to view the networks associated with the selected keys.
SSO Restriction
If SSO is enabled, they can only access Tosi Client [Key Software, minimum version 4.4.0] if a key is attached to them.
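The following is an added example (not Tosi Control’s own code) that models the OPERATOR and VIEWER access rules described above as an authorization check: OWNER and ADMIN see everything, a VIEWER sees only the networks selected in the Can view picker and never edits, and an OPERATOR sees only gateways paired with their attached keys and may edit them only through a Master Key or Backup Key. The key types Master, Backup and Soft come from this page; the dataclass field names, the gateway inventory and the way a network is modelled as a string are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of the role rules on this page (added example, not Tosi
# Control code). Field names and the network model are assumptions.


@dataclass(frozen=True)
class Key:
    key_id: str
    key_type: str           # "Master", "Backup" or "Soft"


@dataclass(frozen=True)
class Gateway:
    gateway_id: str
    network: str            # the network (Master Key) the gateway belongs to
    paired_keys: frozenset  # ids of keys paired (serialized) with this gateway


@dataclass(frozen=True)
class User:
    role: str                                   # OWNER, ADMIN, VIEWER, OPERATOR (or legacy USER)
    attached_keys: frozenset = frozenset()      # key ids attached by an OWNER/ADMIN
    viewable_networks: frozenset = frozenset()  # VIEWER "Can view" selection


EDIT_CAPABLE_KEY_TYPES = {"Master", "Backup"}

# Constructed sample inventory used by the checks below.
SAMPLE_KEYS = {
    "mk-1": Key("mk-1", "Master"),
    "bk-1": Key("bk-1", "Backup"),
    "sk-1": Key("sk-1", "Soft"),
}
GW_A = Gateway("gw-a", "net-1", frozenset({"mk-1", "sk-1"}))
GW_B = Gateway("gw-b", "net-2", frozenset({"bk-1"}))
GW_C = Gateway("gw-c", "net-3", frozenset())


def _normalize_role(role: str) -> str:
    # USER is the previous name of the OPERATOR role.
    return "OPERATOR" if role == "USER" else role


def _operator_keys_for(user: User, gateway: Gateway, keys_by_id: dict) -> list:
    """Attached keys of the user that are paired with this gateway."""
    return [keys_by_id[k] for k in user.attached_keys & gateway.paired_keys if k in keys_by_id]


def can_view_gateway(user: User, gateway: Gateway, keys_by_id: dict) -> bool:
    role = _normalize_role(user.role)
    if role in ("OWNER", "ADMIN"):
        return True                                        # all networks, cannot be restricted
    if role == "VIEWER":
        return gateway.network in user.viewable_networks   # only selected networks
    if role == "OPERATOR":
        # Key-based, not network-based: any attached key paired with the gateway.
        return bool(_operator_keys_for(user, gateway, keys_by_id))
    return False                                           # unknown role: deny


def can_edit_gateway(user: User, gateway: Gateway, keys_by_id: dict) -> bool:
    role = _normalize_role(user.role)
    if role in ("OWNER", "ADMIN"):
        return True
    if role == "OPERATOR":
        # Editing requires a paired Master Key or Backup Key; a Soft Key only grants viewing.
        return any(k.key_type in EDIT_CAPABLE_KEY_TYPES
                   for k in _operator_keys_for(user, gateway, keys_by_id))
    return False                                           # VIEWER is read-only


if __name__ == "__main__":
    op = User("OPERATOR", frozenset({"sk-1"}))
    print("operator with Soft Key views gw-a:", can_view_gateway(op, GW_A, SAMPLE_KEYS))
    print("operator with Soft Key edits gw-a:", can_edit_gateway(op, GW_A, SAMPLE_KEYS))
```

Unknown roles and gateways with no paired key fall through to deny, which is the safe default for an authorization check; a real implementation would also log denied decisions so that misconfigured key attachments show up in review.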
Go to Users view
Click “Invite users”
Enter one or multiple email addresses
Select the role (ADMIN, VIEWER, or USER)
Send invitation
You can invite multiple users simultaneously.
Open Users view
Users who haven’t accepted appear as pending
Expired invites also appear here
Open Users view
Click the user whose invite expired
Open the three‑dot menu
Select “Renew invitation”
Invitation expires after 7 days
Automatically removed after 14 days
Expiration time cannot be changed
(ADMIN or OWNER only)
Go to Users view
Select the user
Open the role dropdown on the right panel
Select a new role
(ADMIN or OWNER only)
Go to Users
Select a user
Open the three‑dot menu
Select Remove user
→ User must be re-invited to regain access
Open the same three‑dot menu
Choose Deactivate user
(ADMIN or OWNER only)
Open Users
Select a user
Three‑dot menu → Force password change
(ADMIN or OWNER only)
Open Users
Select user
Three‑dot menu → End session
Attaching a key associates it with a user, making it visible in the interface and enabling Tosi Client [Key Software, minimum version 4.4.0] access under SSO.
(ADMIN or OWNER only)
Go to Users
Select user
Click “Attach keys to user”
Select keys in the modal
Confirm
Tosi Control automatically attaches a key to a user in the following cases:
When a user signs in to Tosi Control via SSO using a Soft Key for the first time.
When a user registers a Master Key to Tosi Control.
In both scenarios, the system creates the key‑to‑user association automatically, without requiring any manual action from an OWNER or ADMIN.
Go to Users
Select user
Locate and hover the key in the Keys list
Click “Detach the Key”
Navigate to:
User Avatar → My Settings → User Profile Settings
Go to User Profile Settings
Edit the desired fields
Click Save Changes
Go to User Profile Settings
Enter old password
Enter new password
Click Save Changes
Tosi Control supports Single Sign‑On (SSO) through a SAML 2.0–based integration, allowing organizations to authenticate users using their own Identity Provider (IdP). With SSO enabled, users are no longer required to log in with Tosi Cloud credentials; instead, authentication follows the security policies defined by the organization’s IdP.
SAML enables the IdP to provide a digitally signed and secure confirmation of a user’s identity. When a user signs in through SSO, the IdP sends a cryptographically signed XML assertion to Tosi Control, which validates the information and grants access.
Once SSO has been configured, the login flow for a user is:
The user navigates to the organization’s dedicated SSO login URL.
The user selects Login with SSO.
The browser is redirected to the organization’s IdP.
The IdP authenticates the user according to the company’s policies.
After successful authentication, the browser returns to Tosi Control with a signed SAML assertion.
Tosi Control validates the assertion and issues security tokens.
The user is granted access to Tosi Control.
This guide explains how to register an organization’s IdP and configure SSO settings in Tosi Control.
To begin configuring SSO, log in to Tosi Control as the OWNER or an ADMIN.
Navigate to:
Settings → Authentication
By default, the Tosi Cloud IdP is enabled. This is Tosi Control’s built‑in identity provider, allowing users to sign in with a username and password. It may be disabled after an external IdP has been successfully registered.
Important:
The Organization OWNER always maintains a backup login path using Tosi Cloud IdP credentials. Even if the built‑in IdP is disabled, the OWNER can still log in using their Tosi Cloud password. This ensures that access to the organization is never fully blocked if the external IdP becomes unavailable.
To begin the SSO setup, click Add Identity Provider.
A configuration panel appears with the fields described below.
Enter a name that identifies your organization’s IdP (e.g., “Azure AD”, “Okta”, “Ping Identity”).
Select the protocol used by your IdP.
Tosi Control currently supports SAML2.
Each organization creates a unique SSO URL.
The customizable ending must follow these rules:
Must be unique
Maximum length: 32 characters
Allowed characters: lowercase a–z and hyphens (“-”)
This setting determines whether logout events synchronize:
Enabled: Logging out from the IdP also logs the user out of Tosi Control.
Disabled: Logging out from the IdP does not affect the Tosi Control session.
Enabled: Tosi Control signs SAML authentication requests. The IdP can verify these signatures using a signing certificate that becomes available after registration.
Disabled: Tosi Control does not sign SAML requests.
Signing uses the RSA‑SHA256 algorithm.
Organizations may choose to encrypt all SAML assertions sent to Tosi Control.
Enabled: Assertions are encrypted using Tosi Control’s public key.
Disabled: Assertions are transmitted unencrypted.
Tosi Control requires metadata from the IdP to complete the SAML configuration.
You may provide it in one of two ways:
Metadata URL: Enter the direct URL to the IdP’s metadata endpoint.
Metadata XML File: Upload an XML metadata file manually.
Attribute mapping connects IdP attributes to Tosi Control user fields.
Values should match the names used in the SAML assertion.
Required attributes:
Firstname
Lastname
Optional attribute:
Groups (used for role mapping)
Example SAML snippet for Email:
Group mapping allows organizations to automatically assign Tosi Control roles based on IdP group membership.
Enable Group Mapping.
Select Add new group mapping.
Enter the IdP group name.
Choose which Tosi Control role it maps to (USER, VIEWER, ADMIN; OWNER must always be assigned manually).
Example (Okta-based):
okta-ADMINs → ADMIN
okta-support → VIEWER
okta-operators → USER
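As an added illustration of the attribute mapping and group mapping described above (example code, not Tosi Control’s implementation), the block below parses the AttributeStatement of a SAML assertion, applies an attribute map to the user fields, checks that the required Firstname and Lastname are present, and resolves a role from IdP group membership using the Okta-based mapping from this page. It assumes the assertion’s signature has already been validated before these attributes are trusted. The IdP-side attribute names (email, firstName, lastName, groups), the sample AttributeStatement and the rule that the highest-privilege role wins when a user matches several mapped groups are assumptions for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute mapping: Tosi Control user field -> attribute Name as the IdP sends it.
# The IdP-side names are assumptions for this example.
ATTRIBUTE_MAP = {
    "email": "email",
    "firstname": "firstName",   # required
    "lastname": "lastName",     # required
    "groups": "groups",         # optional, used for role mapping
}

# Group mapping from the page's Okta-based example.
GROUP_MAP = {"okta-ADMINs": "ADMIN", "okta-support": "VIEWER", "okta-operators": "USER"}

# Privilege order used when several mapped groups match (assumption: highest wins).
ROLE_RANK = {"VIEWER": 1, "USER": 2, "ADMIN": 3}

# Constructed AttributeStatement as it might appear inside a signed assertion.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>okta-support</saml:AttributeValue>
    <saml:AttributeValue>okta-everyone</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def extract_attributes(statement_xml: str) -> dict:
    """Return {attribute Name: [values]} from an AttributeStatement."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def map_user_fields(attrs: dict, attribute_map: dict = ATTRIBUTE_MAP) -> dict:
    """Apply the attribute mapping; Firstname and Lastname are required."""
    user = {}
    for field, saml_name in attribute_map.items():
        values = attrs.get(saml_name, [])
        user[field] = values if field == "groups" else (values[0] if values else None)
    missing = [f for f in ("firstname", "lastname") if not user.get(f)]
    if missing:
        raise ValueError(f"assertion lacks required attribute(s): {missing}")
    return user


def group_map_is_valid(group_map: dict) -> bool:
    """OWNER must always be assigned manually, never through group mapping."""
    return "OWNER" not in group_map.values()


def map_role(groups: list, group_map: dict = GROUP_MAP):
    """Resolve the Tosi Control role from IdP groups; None means no mapped group matched."""
    if not group_map_is_valid(group_map):
        raise ValueError("group mapping may not target OWNER")
    roles = [group_map[g] for g in groups if g in group_map]
    if not roles:
        return None
    return max(roles, key=ROLE_RANK.__getitem__)


if __name__ == "__main__":
    user = map_user_fields(extract_attributes(SAMPLE_ATTRIBUTE_STATEMENT))
    print(user["email"], "->", map_role(user["groups"]))
```

Treat a `None` role as "no access" rather than falling back to a default role: an IdP group that is renamed or removed should lock users out visibly instead of silently granting them a different level of access.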
When all fields are configured, click Register IdP.
If successful, Tosi Control displays the IdP details along with:
The configured SSO domain
Download links for the signing certificate
Download links for the encryption certificate
At this point, SSO is registered but not yet active.
To enable SSO login, turn on:
Enable Federated IdP for SSO access
If desired, the Tosi Cloud IdP can now be disabled (OWNER retains backup access).
Click Edit IdP Configuration on the Authentication page to update any settings.
Click Remove IdP registration.
A confirmation dialog appears with two options:
If enabled:
All SSO-only users are removed
Their data and key bindings are deleted
Users who also have Tosi Cloud credentials (Tosi Control Username and Password) will not be removed.
If disabled:
Users remain in Tosi Control
SSO-only users cannot log in until a new IdP is registered or they are invited via Tosi Cloud
Click Remove IdP registration to finalize.
After the IdP is configured and SSO is enabled, users can log in at the organization’s SSO domain.
The login page displays the organization’s name.
Users select Login with SSO, authenticate through the organization’s IdP, and are then redirected back to Tosi Control with access granted.
Multi‑Factor Authentication (MFA) adds an additional layer of security to user accounts in Tosi Control. When MFA is enabled, users must verify their identity using a second authentication factor in addition to their username and password. This significantly enhances protection for OT environments and helps prevent unauthorized access.
Tosi Control supports MFA in the following ways:
User‑level MFA: Users logging in with Tosi Cloud credentials can enable MFA for their own account.
ADMIN‑initiated MFA reset: ADMINs and the OWNER can reset another user’s MFA configuration if that user loses access to their device.
Organization‑level MFA enforcement: The OWNER or ADMIN can require all Tosi Cloud users to configure MFA before accessing Tosi Control.
Important:
MFA is only available for Tosi Cloud (username + password) logins.
MFA is not applied to SSO logins.
Users who sign in through an external Identity Provider authenticate solely through the IdP’s policies.
When MFA is enabled for a user, the login experience includes:
Primary authentication
The user enters their Tosi Cloud username and password.
Secondary authentication
The user enters a one‑time verification code generated by their authenticator app.
Once both steps succeed, Tosi Control grants access.
This process applies only to Tosi Cloud-based authentication.
Users who sign in using Tosi Cloud credentials can enable MFA at any time.
Log in using your Tosi Cloud username and password.
Open:
User Avatar → My Settings → User Profile Settings
Scroll to the Multi‑Factor Authentication section.
Click Enable MFA.
Follow the on-screen instructions to pair your authenticator app (e.g., Microsoft Authenticator, Google Authenticator).
Once completed, MFA becomes active and will be required during future logins.
Tosi Cloud username & password
An authenticator application installed on a mobile device
Users logging in through SSO do not use MFA inside Tosi Control and will not see MFA setup options.
ADMINs and OWNERs may reset a user’s MFA configuration if needed (e.g., lost phone, app reset).
Open Users
Find the user
Open the three-dot menu
Select Reset MFA
Open Users → select a specific user
Click the three-dot menu
Select Reset MFA
After a reset, the affected user will be required to reconfigure MFA at their next login.
Note: MFA resets apply only to users authenticated via Tosi Cloud credentials.
The OWNER or ADMIN can require all Tosi Cloud users to enable MFA before they can access Tosi Control.
Navigate to:
Settings → Authentication
Locate the section Require Multi‑Factor Authentication
Toggle the enforcement switch ON
Once enabled:
All Tosi Cloud users must configure MFA
Users without MFA will be guided through the setup process immediately after login
ADMINs may need to reset MFA for users who encounter setup issues
Toggle the same control OFF to make MFA optional again.
Enforcement does not disable or remove MFA from users who already set it up.
Tosi Control integrates MFA status updates into the Notification Center.
ADMINs and OWNERs may see:
Confirmation that an MFA reset was successful
Error messages if a reset fails
Alerts indicating that a user must configure MFA (when enforcement is active)
These notifications appear in the header and remain available until cleared.
When a user logs in via SSO:
Tosi Control does not prompt for MFA
Tosi Control cannot enforce MFA enrollment
Tosi Control cannot reset MFA for SSO users
All MFA policies are controlled exclusively by the external Identity Provider
ADMINs or the OWNER may reset MFA for users when:
A device is lost or replaced
The authenticator app is uninstalled
A user switches authentication apps
Their MFA setup becomes corrupted
Login is blocked due to missing MFA access
A quick MFA reset allows users to reconfigure MFA on the next login.
Verify they are logging in with Tosi Cloud credentials
Ensure a supported authenticator app is installed
Try resetting MFA through the ADMIN controls
ADMIN or OWNER resets MFA
User logs in and reconfigures MFA