Manage workspace settings

Workspace settings are only accessible to Staff (RBAC admin) or Superuser (RBAC superuser) members.

Settings menuStaff (admin)Superuser (superuser)
GeneralOO
Plan & billing > UsageOO
Access > RolesO
Access > ApprovalsO
Security > AuthenticationO
Security > Server access policiesO
Integrations > ExtensionsOO
Integrations > NotificationsO
Integrations > Monitoring rulesO
Integrations > WebhookOO

Access settings

Click Workspace settings in the left sidebar. This menu is only visible to Staff or Superuser members.

General

Basic configuration

  • Workspace display name: Set the workspace name
  • Timezone: Select default timezone
  • Language: Set default display language
  • Billing email: Email for billing notifications

Advanced settings

Invitation TTL:

  • Validity period for invitation links
  • Default: 48 hours, Maximum: 30 days

Websh session timeout:

  • Auto-terminate inactive sessions
  • Longer timeout may increase costs
  • Range: 10 minutes ~ 24 hours

Auto agent upgrade:

  • When enabled, Alpacon agents installed on registered servers automatically upgrade to the latest version.
  • Default: enabled

Package proxy:

  • Specify a proxy server URL for package installations on servers that cannot access the internet directly.
  • Leave empty to use direct connections (default).

Allowed domains:

  • Users with specific email domains can join without invitation.
  • Available on Essential plan or higher

Plan & billing

Usage

Plan information

View your current plan and allowed resources (members, servers).

Change plan:

  1. Click Change plan
  2. Select desired plan and complete payment
  3. For Enterprise plan, contact support@alpacax.com

Active resources

Visual display of resource usage:

  • Number of users
  • Number of servers
  • Websh session time
  • FTP transfer volume

Estimated costs

View estimated monthly costs based on service usage.

Access

Roles

Manage roles and their permissions within the workspace. Roles are collections of permissions that can be assigned to users and groups. Only Superuser members can access this setting.

Built-in roles

Built-in roles are automatically assigned based on the user’s role setting.

RoleAuto-assigned whenDescription
superuserUser is set to SuperuserFull workspace control
adminUser is set to StaffManage users/groups and access some settings
memberDefault for all usersAccess assigned servers and edit own profile

Resource-scoped roles

Resource-scoped roles are automatically assigned when a user becomes an owner or manager of a specific resource.

Examples include group:owner (assigned when set as a group owner) and server:owner (assigned when set as a server owner).

Role list

The role list displays all roles in the workspace, showing the role name and the number of assigned permissions, users, and groups.

Create a role

  1. Click New role
  2. Enter the Name and Description for the role
  3. Save

The role is created without any permissions. Assign permissions, users, and groups from the role detail page.

Delete a role

  1. Navigate to the role detail page
  2. Go to the Settings tab
  3. Click Delete role
  4. Confirm the deletion

Role detail page

The role detail page has four tabs: Permissions, User assignments, Group assignments, and Settings.

Permissions tab

Manage permissions assigned to this role. Each permission follows the resource:action format (e.g., server:read, server:write).

The permissions list shows the permission name, and whether it is scoped to a specific resource type and object.

You can search permissions using the search bar and filter by All or Assigned status.

Assign a permission:

  1. Click Assign permission
  2. Select a Permission from the dropdown
  3. Optionally, check Limit to specific resource to restrict the permission to a specific resource type and object:
    • Select a Resource type from the dropdown
    • Select one or more Object entries from the checkbox list
    • If no objects are available for the selected resource type, the permission applies to all objects of that type
  4. Save

Remove a permission:

Select the assignment and click Remove assignment to remove it from this role.

User assignments tab

Manage users assigned to this role. The list shows each user’s name, email, and scope information.

Assign a user:

  1. Click Assign user
  2. Select a User from the dropdown
  3. Optionally, configure the Scope to limit this role to a specific resource
  4. Save

Remove a user assignment:

Select the assignment and click Remove assignment to remove it.

Group assignments tab

Manage groups assigned to this role. When a role is assigned to a group, all members of that group inherit the role’s permissions.

Assign a group:

  1. Click Assign group
  2. Select a Group from the dropdown
  3. Optionally, configure the Scope to limit this role to a specific resource
  4. Save

Remove a group assignment:

Select the assignment and click Remove assignment to remove it.

Settings tab

Edit the role’s name and description, or delete the role.

  • Name: A unique name for this role
  • Description: An optional description of the role’s purpose

Click Save to apply changes, or Delete role to permanently remove the role and all its assignments.

Approvals

Review and approve or reject member requests.

TypeDescription
UsernameUsername request from new members joining workspace

Security

Authentication

Configure workspace security policies. MFA authentication is required to change these settings.

MFA enforcement:

  • When enabled, all workspace members must complete MFA during login.
  • Members without any MFA method configured will be prompted to set one up on their next login.

Allowed MFA methods:

  • Select which MFA methods members can use (multiple selection).
  • Available methods: TOTP authenticator app, email, phone, and WebAuthn (hardware keys)

MFA timeout:

  • Maximum duration that MFA authentication remains valid after completion
  • This sets the workspace-wide range. Individual members can configure their own timeout within this range from Settings > Security settings—see Security settings.
  • Shorter timeouts provide stronger security but require more frequent re-authentication.

MFA required actions:

  • When enabled, system account access with sudo privilege in Websh, WebFTP, and Deploy Shell requires additional MFA verification.
  • This applies when a user connects as a system account (e.g., root) rather than their personal Alpacon account.
  • Users are prompted to complete MFA before the privileged session starts.

Server access policies

Configure server access and security policies for the workspace. MFA authentication is required to access these settings.

Server defaults

Allow tunnel by default:

  • When enabled, tunnel access is allowed by default for newly registered servers.
  • Tunnel sessions provide direct network access to the server.

Allow editor by default:

  • When enabled, code editor access is allowed by default for newly registered servers.
  • Editor sessions provide file editing access on the server.

Tunnel and editor sessions are not recorded in session monitoring. Review these defaults carefully based on your security requirements.

Account defaults

Set home directory access permissions when provisioning IAM user accounts to Linux systems.

  • Private: Owner only
  • Group shared: Group members
  • Public: All users

sudo and root access

Allow direct root access:

  • Whether to allow direct connection as the root user via system account selection
  • Default: disabled
  • When disabled, the root account is excluded from the system accounts list in Websh, WebFTP, and code editor connections.

Use sudo with MFA:

  • Enable sudo with MFA to allow Staff and Superuser members to run sudo commands in Websh with MFA verification.
  • When enabled, the required PAM module is automatically installed on servers running Alpamon 1.3.2+.
  • Works independently from Allow direct root access—users can use sudo commands even when direct root access is disabled.

sudo with MFA timeout:

  • Duration that sudo privilege remains valid after MFA authentication
  • After this period expires, the next sudo command requires MFA verification again.

Disable sudo outside Websh:

  • When enabled, only allows sudo commands within Alpacon Websh sessions.
  • All other server connection methods have sudo disabled.
  • This setting is only configurable when Use sudo with MFA is enabled.

Integrations

Notifications

Manage notification types and configure your preferred notification channels while using Alpacon.

Notification types

Select which events should trigger notifications. Available types include:

  • Server disconnection: Receive warning/error notifications when a server loses connection with Alpacon for 1 minute or 5 minutes.

Notification channels

Choose how you want to receive notifications. Available methods include:

  • Email
  • Webhook: Send notifications to external webhook endpoints. Configure in Webhook.
  • Push notifications: Receive browser push notifications.

Monitoring rules

Sends dashboard and email alerts based on defined monitoring rules during real-time server metrics monitoring.

Add rule

  1. Click New rule button
  2. Select target
  3. Set threshold
  4. Set whether it’s a default rule
  5. Save

Note: Only one default rule can be created per target

What are default rules? Rules automatically applied when new servers are registered.

Edit rule

  • Modify/delete from Actions menu
  • Cannot delete the only default rule for a target

Webhook

Register webhook URLs to send notification events to external services. Alpacon supports Slack, Discord, Microsoft Teams, Telegram, and custom endpoints.

Create webhook

  1. Click New webhook
  2. Enter information:
    • Name: Webhook name
    • URL: Webhook endpoint URL
    • Provider: Messaging platform (auto-detected from URL if not set)
    • Verify SSL: SSL certificate validation
    • Enabled: Activation status
  3. Save

Supported providers

ProviderURL pattern
Slackhooks.slack.com
Discorddiscord.com/api/webhooks
Microsoft Teams*.logic.azure.com, *.webhook.office.com
Telegramapi.telegram.org
CustomAny other URL

Provider setup guides

Slack

  1. Go to your Slack workspace → Apps → search for “Incoming WebHooks”
  2. Add to a channel and copy the webhook URL

Discord

  1. Go to Server settingsIntegrationsWebhooks
  2. Click New webhook, select a channel, and copy the URL

Microsoft Teams

Using Workflows (recommended):

  1. Hover over the channel name in the sidebar and click More options (…)Workflows
  2. Search for “Post to a channel when a webhook request is received”
  3. Complete the setup and copy the webhook URL

Using Incoming Webhook (legacy):

  1. Hover over the channel name in the sidebar and click More options (…)Manage channel
  2. Select Edit, search for Incoming Webhook, and select Add
  3. Configure and copy the webhook URL

Telegram

  1. Message @BotFather to create a bot and get the token
  2. Get your chat ID, then construct: https://api.telegram.org/bot<token>/sendMessage?chat_id=<id>

Custom

Configure any HTTP endpoint that accepts POST requests and enter the URL directly.

Manage webhooks

  • Click webhook card for detailed management
  • Modify settings or delete

Extensions

Enterprise plan users can selectively enable Alpacon extensions.

Last updated: