Teams & Access Control

Overview

Team separation is a core feature of Ajutant. It ensures that conversations, documents, and assistant access are isolated by team. The board can’t see legal’s chats. HR can’t access finance’s document uploads. This isn’t a “nice to have” in regulated industries — it’s a requirement.

How It Works

Ajutant maps Azure AD security groups to platform teams. When a user signs in, their group memberships determine:

1. Which assistants they see on the dashboard
2. Which conversations they can access (their own only)
3. Which document collections they can query

There’s no application-level user management to maintain. Your existing Azure AD groups are the single source of truth.

Setting Up Teams

1. Create Azure AD Security Groups

If you don’t already have suitable groups, create them in Azure AD / Entra ID:

Legal Team → sg-ajutant-legal
HR Team → sg-ajutant-hr
Finance Team → sg-ajutant-finance
Executive Team → sg-ajutant-exec

2. Map Groups in Ajutant

Navigate to Admin → Teams and map each Azure AD group:

• Team name — Display name in Ajutant (e.g., “Legal”)
• Azure AD Group ID — The Object ID of the security group
• Default assistants — Which assistants are available to this team by default

3. Assign Users

Add users to the appropriate Azure AD groups. Changes propagate to Ajutant on next sign-in — no sync delay.

Admin Roles

Ajutant has two admin levels:

Platform Admins are identified by membership in a designated Azure AD group (configured during deployment).

Access Control Rules

• Users see only assistants assigned to their team(s)
• Users in multiple groups see assistants from all their teams
• Conversation data is private to the user who created it
• Document collections can be scoped to specific teams
• Admin access does not grant visibility into user conversations