📘 Administrator Guide

This guide covers day-to-day administration of Control Core. DevOps admins: For a full deploy + first-time config in under 30 minutes, follow the Deployment Guide – 30-minute runbook first; the First steps after deployment checklist below is Phases 4–6 of that runbook (configure + verify).

🚀 First steps after deployment (~10–15 min)

Do these steps immediately after deploying Control Plane and Sandbox Bouncer so the platform is ready for policy authoring and enforcement. This is the configure and verify part of the 30-minute DevOps runbook. Works for any deployment model (Kickstart, Pro, or Enterprise) on AWS, Azure, GCP, or on-premises.

Runbook total: Deploy (Phases 1–3 in Deployment Guide) + these steps = under 30 minutes end-to-end.

Configuration reference: For full lists of environment variables and options, see the Configuration Guide and your deployment guide (Kickstart, Pro, Enterprise).

📌 Overview

Control Core administrators are responsible for:

• System Configuration: Setting up and maintaining the Control Core platform
• User Management: Managing user accounts, roles, and permissions
• Policy Administration: Creating, managing, and deploying access control policies
• Security Management: Ensuring system security and compliance
• Monitoring: Monitoring system performance and security events
• Integration Management: Configuring external system integrations

📌 System Administration

Dashboard Overview

The Control Core admin dashboard provides a comprehensive view of system status:

• System Health: Service status, resource usage, and performance metrics
• User Activity: Active users, login history, and session management
• Policy Status: Policy deployments, validation status, and performance
• Security Events: Audit logs, security alerts, and compliance status
• Integration Status: External service connections and health

Homepage Widgets: Meaning, Data Source, and Actions

Use this table when triaging dashboard drift or runtime incidents.

Telemetry path requirement:

• Runtime bouncer telemetry used by security widgets is expected through Policy Bridge/Control Bridge managed flow into Control Plane Audit Logs.
• If bridge-managed configuration is missing, restore Policy Bridge/Bridge wiring first; do not trust dashboard security counts until this is healthy.

System Configuration

Configuration Overview

Control Core configuration is managed through:

• UI Settings: Settings pages in the admin console
• Environment Variables: For deployment-specific configuration
• Configuration Files: YAML/JSON files for advanced settings

See: Configuration Guide for comprehensive configuration details.

Global Settings

1. Navigate to Settings → General
2. Configure System Parameters:
   • Timezone: Configure timezone for audit logs and timestamps
   • Session Timeout: Default 60 minutes (configurable 15-480 minutes)
   • Password Policy: Minimum complexity requirements (configured in User Management)
   • Rate Limiting: API request limits (configured per tier)
   • Log Retention: Audit log retention period (default 90 days)

Database Management

1. Database Configuration

   -- Check database status
   SELECT * FROM pg_stat_activity WHERE datname = 'control_core_db';
   
   -- Monitor database size
   SELECT pg_size_pretty(pg_database_size('control_core_db'));
   
   -- Check table sizes
   SELECT schemaname,tablename,pg_size_pretty(size) as size
   FROM (
     SELECT schemaname,tablename,pg_relation_size(schemaname||'.'||tablename) as size
     FROM pg_tables WHERE schemaname = 'public'
   ) t ORDER BY size DESC;
   

2. Backup Configuration

   # Create database backup
   pg_dump -h localhost -U postgres control_core_db > backup_$(date +%Y%m%d).sql
   
   # Restore from backup
   psql -h localhost -U postgres control_core_db < backup_20250125.sql
   

Redis Management

1. Redis Monitoring

   # Check Redis status
   redis-cli ping
   
   # Monitor Redis memory usage
   redis-cli info memory
   
   # Check connected clients
   redis-cli client list
   

2. Cache Management

   # Clear all cache
   redis-cli flushall
   
   # Clear specific cache pattern
   redis-cli --scan --pattern "policy:*" | xargs redis-cli del
   

📌 Environment Management

Control Core provides dual-environment architecture with complete isolation between Sandbox and Production environments.

Understanding Environments

Sandbox Environment

The Sandbox environment is where you:

• Create and test all new policies before deploying to production
• Experiment with policy changes safely without affecting live systems
• Validate policies with test users and simulated scenarios
• Run development and QA workflows

All policies must start in Sandbox. Only validated Sandbox policies can be promoted to Production.

Production Environment

The Production environment is where:

• Validated, tested policies are enforced on live systems
• Real users and production applications are protected
• Policies have been through complete testing and approval processes
• Changes are strictly controlled and audited

Environment Selector

The environment selector in the top header controls which environment you're viewing and managing:

1. Switching Environments

   • Click the environment badge (Sandbox/Production) in the top header
   • Select the environment you want to work in
   • All pages automatically update to show the selected environment's data

2. Environment Indicators

   • Each page displays an environment badge showing the current environment
   • Sandbox is indicated with a yellow/blue badge
   • Production is indicated with a red/orange badge

Environment-Specific Settings

Many system settings are configured separately for each environment to provide complete isolation.

Data Sources

Data sources (Policy Information Points) are environment-specific:

1. Configuring Data Sources

   • Navigate to Settings → Data Sources
   • The current environment is shown in the page header
   • Each data source is associated with either Sandbox or Production
   • Switch environments to manage data sources for that environment

2. Best Practices

   • Use test/development endpoints for Sandbox data sources
   • Use production endpoints for Production data sources
   • Credentials may differ between environments for security
   • Test data source connections in Sandbox before creating Production versions

3. Managing Connections

   • Create separate data source connections for each environment
   • Configure different endpoints, databases, or API URLs per environment
   • Monitor connection health separately for each environment

Notifications and Alerts

Alert configurations are environment-specific to prevent alert fatigue and ensure relevant notifications:

1. Alert Rules

   • Navigate to Settings → Notifications
   • Configure different alert rules for Sandbox and Production
   • Sandbox alerts typically go to development teams
   • Production alerts go to operations and on-call teams

2. Notification Channels

   • Email recipients can differ per environment
   • Slack channels are environment-specific (e.g., #alerts-sandbox vs #alerts-prod)
   • Webhook URLs can point to different systems per environment
   • ServiceNow instances can be different (dev vs production ITSM)

3. Shared Credentials

   • Authentication tokens and API keys are shared across environments
   • Only channel endpoints and recipients differ
   • Configure credentials once in the Credentials section
   • Simplifies management while maintaining environment separation

Protected Resources

Resources are managed per environment:

1. Resource Configuration

   • Navigate to Settings → Protected Resources
   • View and manage resources for the current environment
   • Each environment has its own set of protected resources
   • Resources typically have different URLs per environment

2. Environment Isolation

   • Sandbox resources point to development/staging systems
   • Production resources point to live systems
   • Bouncers are deployed separately for each environment
   • Each Bouncer protects resources in its assigned environment

Policy Repository

The policy repository uses a shared GitHub repository with environment-specific folders:

1. Repository Structure

   policies/
   ├── sandbox/
   │   ├── enabled/
   │   └── disabled/
   └── production/
       ├── enabled/
       └── disabled/
   

2. Configuration

   • Navigate to Settings → Controls Repository
   • Configure GitHub repository connection once
   • Policies are automatically organized by environment
   • Separate folders ensure complete policy isolation

3. Sync Behavior

   • Changes sync to the appropriate environment folder
   • Sandbox policies deploy from policies/sandbox/enabled/
   • Production policies deploy from policies/production/enabled/
   • Disabled policies are moved to respective disabled/ folders

Repository Structure (Detailed)

How it works:

• Each Protected Resource gets its own folder
• Each Bouncer watches its resource's folder + environment
• Example: "API Gateway" bouncer in sandbox watches policies/api-gateway/sandbox/
• Control Plane automatically creates the correct folder structure when you save controls

Structure example:

📁 your-repo-name/
  📁 policies/

    📁 api-gateway/
      ← Resource: "API Gateway"
      📁 sandbox/
        📁 enabled/
          policy_101.rego
          policy_102.rego
        📁 disabled/
          policy_103.rego
      📁 production/
        📁 enabled/
          policy_104.rego

    📁 crm-service/
      ← Resource: "CRM Service"
      📁 sandbox/
        📁 enabled/
          policy_201.rego
      📁 production/
        📁 enabled/
          policy_202.rego

    📁 ai-model-api/
      ← Resource: "AI Model API"
      📁 production/
        📁 enabled/
          policy_301.rego

Folder Path Format: policies/[resource-name]/[environment]/[enabled|disabled]/policy_[id].rego

• [resource-name]: From Protected Resource (normalized, lowercase, hyphens)
• [environment]: sandbox or production
• [enabled|disabled]: Control activation status
• [id]: Unique control ID from Control Plane database

Setup Instructions:

1. Create a GitHub repository (public or private)
2. Generate a Personal Access Token with repo permissions
3. Enter repository URL and token in Settings → Controls Repository, then click Test Connection
4. Save settings — Control Plane auto-creates folder structure when you save your first control
5. Deploy bouncers — they automatically watch their assigned resource folders

Next Step: Configure which resources each bouncer should protect in Settings → PEPs. Each bouncer automatically syncs controls from its resource folder.

Bouncer Configuration

Bouncers (Policy Enforcement Points) are environment-aware:

1. Per-Environment Deployment

   • Each protected resource has separate Bouncers for Sandbox and Production
   • Bouncers automatically receive policies for their environment
   • Environment is set during Bouncer deployment

2. Performance Tuning

   • Navigate to Settings → Bouncers, select a Bouncer
   • View and adjust Policy Bridge (policy distribution) settings
   • Configure cache settings:
     • Cache TTL: How long to cache policy evaluations
     • Cache Size: Maximum cache size
   • Configure rate limits:
     • Requests Per Second: Maximum policy evaluation rate
     • Burst Size: Maximum burst capacity

3. Auto-Configuration

   • Bouncers are auto-configured based on their environment
   • Settings can be customized per Bouncer if needed
   • Default settings are optimized for typical usage

Environment Promotion

Moving policies from Sandbox to Production:

1. Promotion Process

   • Create and test policy in Sandbox environment
   • Run comprehensive test suite in Sandbox
   • Validate policy behaves as expected
   • Click Promote to Production from the policy detail page
   • Review and confirm promotion

2. Safety Controls

   • Policies must pass all tests before promotion
   • Promotion creates a new policy in Production environment
   • Original Sandbox policy remains unchanged
   • Production policies cannot be edited directly
   • Changes must be made in Sandbox, then re-promoted

3. Audit Trail

   • All promotions are logged
   • Track who promoted what policy and when
   • View promotion history in audit logs

Environment Best Practices

1. Development Workflow

   • Always create policies in Sandbox first
   • Test thoroughly with various scenarios
   • Use test users and data in Sandbox
   • Only promote stable, validated policies to Production

2. Data Isolation

   • Use separate data sources for each environment
   • Connect to test/dev systems in Sandbox
   • Connect to production systems in Production
   • Never mix development and production data

3. Team Structure

   • Developers work primarily in Sandbox
   • Operations team manages Production
   • Restricted access to Production environment
   • Use role-based access control

4. Monitoring

   • Monitor both environments separately
   • Set appropriate alert thresholds per environment
   • Sandbox can be more lenient with alerts
   • Production should have strict monitoring

📌 User Management

User Accounts

Creating Users

1. Navigate to Users → Add User

2. Fill in User Information:

   • Email: User's email address
   • Name: Full name
   • Role: Admin, Manager, Developer, or Viewer
   • Department: Optional department assignment

3. Set Initial Password

   • Generate secure password
   • Send password reset email to user

User Roles and Permissions

Managing User Sessions

1. View Active Sessions

   • Navigate to Users → Active Sessions
   • Monitor user activity and session duration

2. Terminate Sessions

   • Select user session
   • Click "Terminate Session"
   • User will be logged out immediately

Authentication Configuration

Auth0 Integration

1. Configure Auth0 Application

   // Auth0 configuration
   {
     "domain": "your-domain.auth0.com",
     "clientId": "your-client-id",
     "clientSecret": "your-client-secret",
     "audience": "https://api.controlcore.io",
     "scope": "openid profile email"
   }
   

2. Set up SAML SSO

   • Configure SAML identity provider
   • Upload SAML certificate
   • Map SAML attributes to user fields

Password Policy

1. Configure Password Requirements

   • Minimum length: 12 characters
   • Require uppercase, lowercase, numbers, symbols
   • Password history: 5 previous passwords
   • Expiration: 90 days

2. Multi-Factor Authentication

   • Enable MFA for admin accounts
   • Configure TOTP (Time-based One-Time Password)
   • Set up backup codes

🛡️ Policy Administration

Policy Management

Creating Policies

1. Navigate to Policies → Create Policy

2. Policy Configuration:

   • Name: Descriptive policy name
   • Description: Policy purpose and scope
   • Category: Access control, data protection, compliance
   • Environment: Sandbox, staging, production

3. Policy Content:

   package access_control
   
   import rego.v1
   
   # Allow access for admin users
   allow if {
       input.user.roles[_] == "admin"
   }
   
   # Allow access for users with specific permission
   allow if {
       input.user.permissions[_] == input.required_permission
   }
   

Policy Validation and Testing

1. Syntax Validation

   • Real-time syntax checking
   • Error highlighting and suggestions
   • Policy structure validation

2. Test Cases

   [
     {
       "name": "Admin Access",
       "input": {
         "user": {"roles": ["admin"]},
         "resource": {"type": "api"}
       },
       "expected": true
     },
     {
       "name": "User Access",
       "input": {
         "user": {"roles": ["user"]},
         "resource": {"type": "api"}
       },
       "expected": false
     }
   ]
   

Policy Deployment

1. Deployment Process

   • Validate policy syntax and logic
   • Run comprehensive test suite
   • Deploy to sandbox environment
   • Monitor for issues
   • Promote to production

2. Rollback Procedures

   • Keep previous policy versions
   • Quick rollback capability
   • Automated rollback on errors

Resource Management

Protected Resources

1. Define Resources

   • API Endpoints: REST API routes
   • Data Objects: Database tables and records
   • Files: Documents and media files
   • Services: External service integrations

2. Resource Attributes

   {
     "id": "api-users",
     "type": "api",
     "path": "/api/v1/users",
     "method": "GET",
     "sensitivity": "confidential",
     "owner": "hr-department"
   }
   

Access Control Configuration

1. Role-Based Access Control (RBAC)

   • Define roles and permissions
   • Assign users to roles
   • Map roles to resource access

2. Attribute-Based Access Control (ABAC)

   • Define attributes for users and resources
   • Create attribute-based policies
   • Dynamic access decisions

🔒 Security Management

Security Monitoring

Audit Logging

1. Enable Comprehensive Logging

   • User authentication events
   • Policy evaluation decisions
   • Administrative actions
   • System configuration changes

2. Log Analysis

   # Search for failed login attempts
   grep "authentication failed" /var/log/controlcore/audit.log
   
   # Monitor policy evaluation performance
   grep "policy_evaluation" /var/log/controlcore/audit.log | grep "slow"
   
   # Check administrative actions
   grep "admin_action" /var/log/controlcore/audit.log
   

Security Alerts

1. Configure Alert Rules

   • Failed login attempts (5+ in 10 minutes)
   • Unusual API usage patterns
   • Policy evaluation errors
   • System resource thresholds

2. Alert Response

   • Email notifications to administrators
   • Slack/Teams integration
   • Automated incident response

Anomaly Detection

Control Core automatically detects anomalous activity patterns across your authorization system to help identify potential security threats and operational issues.

What is Detected:

1. Denial Rate Spikes

   • Unusual increases in policy denials compared to baseline
   • Detects potential attacks or misconfigured policies
   • Uses statistical analysis (median + 2 standard deviations)

2. Suspicious Source IPs

   • IP addresses with high denial rates (>50%)
   • Multiple failed access attempts from same source
   • Potential brute force or reconnaissance attacks

3. Unusual User Activity

   • Users with activity spikes >3x normal baseline
   • Sudden changes in access patterns
   • Potential account compromise or insider threat

4. Error Rate Spikes

   • Unusual increases in system errors from PEPs
   • Performance degradation indicators
   • System health issues

5. Latency Anomalies

   • Unusual latency spikes (>1000ms or >2 std dev above baseline)
   • Performance degradation
   • Potential resource exhaustion

6. Resource Access Spikes

   • Unusual access patterns to specific resources
   • Potential data exfiltration attempts
   • Resource-specific attacks

Viewing Anomalies:

1. Dashboard Overview

   • Navigate to Dashboard → Home
   • View "Anomalous Activity" metric card
   • Shows count of detected anomalies in last 24 hours
   • Status indicators: Green (0), Yellow (1-5), Red (>5)

2. Anomaly Details

   • Click on the Anomalous Activity metric
   • View detailed list of detected anomalies
   • Filter by type, severity, and time range
   • Each anomaly includes:
     • Type and severity level
     • Description of the anomaly
     • Timestamp and affected resources
     • Baseline comparison values

Responding to Anomalies:

1. High Severity Anomalies

   • Review immediately
   • Check audit logs for related events
   • Verify if legitimate activity or threat
   • Take appropriate action (block IP, suspend user, etc.)

2. Medium Severity Anomalies

   • Review within 24 hours
   • Monitor for patterns
   • Investigate root cause
   • Adjust policies or configurations if needed

3. False Positives

   • Anomaly detection uses statistical baselines
   • Legitimate traffic spikes may trigger alerts
   • Review and adjust thresholds if needed
   • System learns from normal patterns over time

Best Practices:

• Review anomalies daily
• Investigate high-severity anomalies immediately
• Use anomalies to identify policy improvements
• Monitor trends over time
• Adjust alert thresholds based on your environment

Compliance Management

GDPR Compliance

1. Data Protection Measures

   • Data encryption at rest and in transit
   • Access logging and monitoring
   • Data retention policies
   • User consent management

2. Right to be Forgotten

   • User data deletion procedures
   • Audit trail maintenance
   • Data anonymization options

SOC 2 Compliance

1. Security Controls

   • Access controls and authentication
   • Data encryption and protection
   • Monitoring and logging
   • Incident response procedures

2. Audit Trail

   • Comprehensive activity logging
   • Tamper-proof log storage
   • Regular audit reviews

🔌 Integration Management

Action Destinations

Use Settings → Action Destinations as the central registry for action routing references (destination_ref and credential_ref).

Each destination profile is configured in an accordion section with:

• Endpoint URL / Base URL
• Credential Ref
• Notes / routing guidance
• Advanced connection settings (HTTP method, auth type/header, path template, timeout, retries, SSL verification, headers, query params)

Action Type Routing Matrix

Destination Profile Readiness Checklist

To support real-world destination connections (internal + third-party), configure:

• Endpoint URL and path template
• Credential reference and auth type
• Timeout + retry policy
• TLS verification requirements
• Optional static headers and query parameters
• Operational notes and owner/escalation context

External System Integration

API Integrations

1. REST API Configuration

   integrations:
     - name: "hr-system"
       type: "rest_api"
       base_url: "https://hr.company.com/api"
       authentication:
         type: "bearer_token"
         token: "your-api-token"
       endpoints:
         - path: "/users"
           method: "GET"
           description: "Get user information"
   

2. Webhook Configuration

   webhooks:
     - name: "user-updates"
       url: "https://controlcore.company.com/webhooks/user-update"
       events: ["user.created", "user.updated", "user.deleted"]
       authentication:
         type: "hmac"
         secret: "webhook-secret"
   

Database Integrations

1. External Database Connection

   # Database integration configuration
   DATABASE_CONNECTIONS = {
       "hr_db": {
           "type": "postgresql",
           "host": "hr-db.company.com",
           "database": "hr_system",
           "username": "controlcore_user",
           "password": "secure_password"
       }
   }
   

2. Data Synchronization

   • Configure sync schedules
   • Set up data mapping
   • Monitor sync status

AI Service Integration

Control Core supports multiple LLM providers for AI-powered features like policy intelligence, code suggestions, and natural language policy generation. You can configure one or more providers based on your needs.

Supported LLM Providers

Control Core supports the following LLM providers:

• OpenAI (GPT-4, GPT-3.5, GPT-4o) - High-quality responses, widely supported
• Anthropic Claude (Claude 3 Opus, Sonnet, Haiku) - Advanced reasoning, safety-focused
• Google AI/Gemini (Gemini Pro, Gemini Pro Vision) - Multimodal capabilities
• Azure OpenAI - Enterprise OpenAI via Microsoft Azure
• AWS Bedrock - Amazon's managed LLM service
• Cohere - Enterprise language models
• Custom LLM - Connect your own LLM service with OpenAI-compatible API

Configuring AI Providers

Via UI (Recommended):

1. Navigate to Settings → Integrations → AI Integration
2. Click Add Configuration or Configure AI Provider
3. Select your provider from the dropdown
4. Enter your API key
5. Select a model from available options
6. Configure optional settings:
   • Base URL (for custom providers or Azure)
   • Max tokens
   • Temperature
   • Cost limits (daily/monthly/per-request)
7. Enable use cases:
   • Rego Editor assistance
   • Policy Intelligence
   • Natural language policy generation
   • Code suggestions
8. Test the connection
9. Save configuration

Via Environment Variables (Advanced):

# OpenAI
OPENAI_API_KEY=sk-...
OPENAI_MODEL=gpt-4
OPENAI_MAX_TOKENS=4096

# Anthropic
ANTHROPIC_API_KEY=sk-ant-...
ANTHROPIC_MODEL=claude-3-sonnet

# Google AI
GOOGLE_AI_API_KEY=your-key-here
GOOGLE_AI_MODEL=gemini-pro

# Azure OpenAI
AZURE_OPENAI_API_KEY=your-key-here
AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com
AZURE_OPENAI_MODEL=gpt-4

# Custom LLM
CUSTOM_LLM_BASE_URL=https://your-llm-service.com/v1
CUSTOM_LLM_API_KEY=your-key-here
CUSTOM_LLM_MODEL=your-model-name

Getting API Keys

OpenAI:

1. Visit OpenAI Platform
2. Sign up or log in
3. Go to API Keys in OpenAI Platform
4. Create a new secret key
5. Copy and configure in Control Core

Anthropic:

1. Visit Anthropic Console
2. Sign up for an account
3. Navigate to API Keys
4. Create a new key
5. Copy and configure in Control Core

Google AI:

1. Visit Google AI Studio
2. Sign in with your Google account
3. Create API key
4. Copy and configure in Control Core

Azure OpenAI:

1. Go to Azure Portal
2. Create an Azure OpenAI resource
3. Deploy a model (GPT-4, GPT-3.5)
4. Get API key and endpoint from Keys and Endpoint section
5. Configure in Control Core with custom base URL

AWS Bedrock:

1. Go to AWS Bedrock Console
2. Enable Bedrock service
3. Use AWS IAM credentials (Access Key ID and Secret Access Key)
4. Configure in Control Core

Custom LLM:

• Ensure your LLM service supports OpenAI-compatible API format
• Configure base URL and API key in Control Core
• Select "Custom LLM" provider option

Content Filtering

1. Configure Content Policies

   • Define sensitive content categories
   • Set filtering rules
   • Configure response actions

2. Monitor AI Usage

   • Track API calls and costs per provider
   • Monitor response times
   • Set usage limits and alerts
   • Review usage statistics in Settings → Integrations → AI Integration

Best Practices

• Start with Free/Low-Cost Providers: Use providers with free tiers (like Groq) for testing
• Configure Multiple Providers: Set up multiple providers for redundancy and cost optimization
• Set Cost Limits: Configure daily/monthly limits to control spending
• Monitor Usage: Regularly review usage statistics and costs
• Use Appropriate Models: Choose models based on use case (faster models for simple tasks, advanced models for complex reasoning)
• Secure API Keys: Never commit API keys to version control, use environment variables or secure storage

🤖 Monitoring and Maintenance

Performance Monitoring

System Metrics

1. Resource Monitoring

   • CPU and memory usage
   • Database performance
   • Network throughput
   • Disk I/O performance

2. Application Metrics

   • API response times
   • Policy evaluation performance
   • User session duration
   • Error rates

Real-Time Metrics Dashboard

The dashboard provides real-time metrics aggregated from all active Policy Enforcement Points (PEPs):

Key Metrics Displayed:

1. Request Rates

   • Total requests per hour across all PEPs
   • Requests per minute for current activity
   • Historical trends and patterns

2. Latency Percentiles

   • P50 (median) latency
   • P95 latency (95th percentile)
   • P99 latency (99th percentile)
   • Helps identify performance issues

3. Error Rates

   • Overall error rate percentage
   • Total error count
   • Breakdown by error type (4xx, 5xx)

4. Health Scores

   • Average health score across all PEPs
   • Individual PEP health scores
   • Health score factors:
     • Connection status (30%)
     • Error rate (25%)
     • Response time (20%)
     • Load percentage (15%)
     • Uptime (10%)

5. Policy Denials

   • Total policy denials in time period
   • Denial rate trends
   • Most denied resources

Accessing Metrics:

• Dashboard: Navigate to Dashboard → Home
• PEP Metrics: Navigate to Settings → Bouncers → Select PEP → Metrics tab
• API: Use /api/v1/dashboard/stats endpoint

Metrics Retention:

• Detailed metrics (1m, 5m): Retained for 24 hours
• Hourly aggregates: Retained for 7 days
• Automatic cleanup runs daily at 3 AM
• Historical trends preserved in aggregates

Alerting Configuration

1. Set up Monitoring Alerts

   alerts:
     - name: "high_cpu_usage"
       condition: "cpu_usage > 80%"
       duration: "5 minutes"
       actions: ["email", "slack"]
     
     - name: "database_slow_queries"
       condition: "slow_queries > 10"
       duration: "2 minutes"
       actions: ["email"]
   

2. Incident Response

   • Define escalation procedures
   • Set up on-call rotations
   • Create incident response playbooks

Backup and Recovery

Backup Strategy

1. Database Backups

   # Daily automated backup
   pg_dump -h localhost -U postgres control_core_db | gzip > backup_$(date +%Y%m%d).sql.gz
   
   # Weekly full backup
   pg_basebackup -h localhost -U postgres -D /backups/weekly/$(date +%Y%m%d)
   

2. Configuration Backups

   # Backup configuration files
   tar -czf config_backup_$(date +%Y%m%d).tar.gz /etc/controlcore/
   
   # Backup policy files
   cp -r /var/lib/controlcore/policies /backups/policies_$(date +%Y%m%d)
   

Disaster Recovery

1. Recovery Procedures

   • Document recovery steps
   • Test recovery procedures
   • Maintain recovery contacts

2. Business Continuity

   • Identify critical functions
   • Define recovery time objectives
   • Plan for service continuity

📌 Subscription and License Management

Subscription Management

Control Core subscription management allows you to view your current plan, understand license requirements, and manage your subscription.

Key Topics:

• Subscription Management Guide - View and understand subscription plans
• Telemetry Management Guide - Configure License Server connection
• License Enforcement Guide - Understand feature gating and license requirements
• General Settings Guide - Configure platform settings

Quick Links

• View Subscription: Navigate to Settings → General → Subscription tab
• Configure License Server: Navigate to Settings → General → Telemetry tab
• Check License Status: Use the license status endpoint or check telemetry health

Subscription Plans

• Kickstart: 30-day zero-cost pilot with basic features
• Custom: Self-hosted deployment with full control

License Requirements

• Policy Testing: Requires License Server connection
• Production Promotion: Requires License Server connection and active subscription
• Trial Management: Trial periods tracked and enforced automatically

🛠️ Troubleshooting

For more, see the Troubleshooting Guide.

📞 Support and Documentation

Getting Help

• Documentation: Documentation Home
• General Inquiries: info@controlcore.io
• Support Email: support@controlcore.io
• Emergency Support: emergency@controlcore.io

Contact Information

• General Inquiries: info@controlcore.io
• Technical Support: support@controlcore.io
• Security Issues: security@controlcore.io