Manage workspace settings

Workspace settings are only accessible to Staff (RBAC admin) or Superuser (RBAC superuser) members.

Menu access by role

Note: Approvals is now a separate page—see Approvals. On self-hosted deployments, Usage, Authentication, and Sudo access aren’t shown. Security groups and Extensions require the Enterprise plan.

Access settings

Click Workspace settings in the left sidebar. This menu is only visible to Staff or Superuser members.

General

Basic configuration

• Workspace display name: Set the workspace name
• Timezone: Select default timezone
• Language: Set default display language
• Billing email: Email for billing notifications

Advanced settings

Invitation link validity period:

• How long workspace invitation links stay valid
• Up to a maximum of 30 days

Websh session retention time:

• Inactive Websh sessions terminate automatically after this time
• Longer retention may increase costs
• Range: 15 minutes ~ 1 day

Auto agent upgrade:

• When enabled, Alpacon agents installed on registered servers automatically upgrade to the latest version.
• Default: enabled

Package proxy:

• Specify a proxy server URL for package installations on servers that cannot access the internet directly.
• Leave empty to use direct connections (default).

Allowed domains:

• Users with specific email domains can join without invitation.
• Available on Essential plan or higher

Plan & billing

Usage

The Usage page has four sections:

• Your plan — your current plan and its limits (members, servers). Change plan opens an external billing page to switch plans; for Enterprise, contact support@alpacax.com.
• Active resource — active users and active servers, with links to the Users and Servers pages.
• Resource utilization — Websh session usage time and FTP file transfer volume.
• Estimated month-to-date cost — a per-service breakdown (with any overage) and a total.

Note: Usage and billing aren’t shown on self-hosted deployments.

Access

Roles

Manage roles and their permissions within the workspace. Roles are collections of permissions that can be assigned to users and groups. Only Superuser members can access this setting.

Built-in roles

Built-in roles are automatically assigned to Staff and Superuser members based on their role setting.

Regular users aren’t given a workspace-wide built-in role. Their access comes from group membership and any roles explicitly assigned to them.

Resource-scoped roles

Resource-scoped roles are automatically assigned when a user becomes an owner or manager of a specific resource.

Examples include group:owner (assigned when set as a group owner) and server:owner (assigned when set as a server owner).

Role list

The role list displays all roles in the workspace, showing each role’s name, description, and created date.

Create a role

1. Click New role
2. Enter the Name and Description for the role
3. Save

The role is created without any permissions. Assign permissions, users, and groups from the role detail page.

Delete a role

1. Navigate to the role detail page
2. Go to the Settings tab
3. Click Delete role
4. Confirm the deletion

Role detail page

The role detail page has four tabs: Permissions, User assignments, Group assignments, and Settings.

Permissions tab

Manage permissions assigned to this role. Each permission follows the resource:action format (e.g., server:read, server:write).

The permissions list shows the permission name, and whether it is scoped to a specific resource type and object.

You can search permissions using the search bar and filter by All or Assigned status.

Assign a permission:

1. Click Assign permission
2. Select a Permission from the dropdown
3. Optionally, check Limit to specific resource to restrict the permission to a specific resource type and object:
   • Select a Resource type from the dropdown
   • Select one or more Object entries from the checkbox list
   • If no objects are available for the selected resource type, the permission applies to all objects of that type
4. Save

Remove a permission:

Select the assignment and click Remove assignment to remove it from this role.

User assignments tab

Manage users assigned to this role. The list shows each user’s name, email, and scope information.

Assign a user:

1. Click Assign user
2. Select a User from the dropdown
3. Optionally, configure the Scope to limit this role to a specific resource
4. Save

Remove a user assignment:

Select the assignment and click Remove assignment to remove it.

Group assignments tab

Manage groups assigned to this role. When a role is assigned to a group, all members of that group inherit the role’s permissions.

Assign a group:

1. Click Assign group
2. Select a Group from the dropdown
3. Optionally, configure the Scope to limit this role to a specific resource
4. Save

Remove a group assignment:

Select the assignment and click Remove assignment to remove it.

Settings tab

Edit the role’s name and description, or delete the role.

• Name: A unique name for this role
• Description: An optional description of the role’s purpose

Click Save to apply changes, or Delete role to permanently remove the role and all its assignments.

Server registration

Create and manage server registration tokens used to onboard servers. Set a token’s Name, optional Expiry, and Allowed groups (which groups the registered servers are assigned to). The token key is shown only once. Superuser only.

Security

Authentication

Configure workspace security policies. MFA authentication is required to change these settings.

MFA enforcement:

• When enabled, all workspace members must complete MFA during login.
• Members without any MFA method configured will be prompted to set one up on their next login.

Allowed MFA methods:

• Select which MFA methods members can use (multiple selection).
• Available methods: TOTP authenticator app, email, phone, and WebAuthn (hardware keys)

MFA timeout:

• Maximum duration that MFA authentication remains valid after completion
• This sets the workspace-wide range. Individual members can configure their own timeout within this range from Settings > Security settings—see Security settings.
• Shorter timeouts provide stronger security but require more frequent re-authentication.

MFA required actions:

• When enabled, system account access with sudo privilege in Websh and WebFTP requires additional MFA verification.
• This applies when a user connects as a system account (e.g., root) rather than their personal Alpacon account.
• Users are prompted to complete MFA before the privileged session starts.

Server access policies

Configure server access and security policies for the workspace. MFA authentication is required to access these settings.

Server defaults

Allow tunnel by default:

• When enabled, tunnel access is allowed by default for newly registered servers.
• Tunnel sessions provide direct network access to the server.

Allow editor by default:

• When enabled, code editor access is allowed by default for newly registered servers.
• Editor sessions provide file editing access on the server.

Tunnel and editor sessions are not recorded in session monitoring. Review these defaults carefully based on your security requirements.

Account defaults

Set home directory access permissions when provisioning IAM user accounts to Linux systems.

• Private: Owner only
• Group shared: Group members
• Public: All users

sudo and root access

Allow direct root access:

• Whether to allow direct connection as the root user via system account selection
• Default: disabled
• When disabled, the root account is excluded from the system accounts list in Websh, WebFTP, and code editor connections.

Use sudo with MFA:

• Enable sudo with MFA to allow Staff and Superuser members to run sudo commands in Websh with MFA verification.
• When enabled, the required PAM module is automatically installed on servers running Alpamon 1.3.2+.
• Works independently from Allow direct root access—users can use sudo commands even when direct root access is disabled.

sudo with MFA timeout:

• Duration that sudo privilege remains valid after MFA authentication
• After this period expires, the next sudo command requires MFA verification again.

Disable sudo outside Websh:

• When enabled, only allows sudo commands within Alpacon Websh sessions.
• All other server connection methods have sudo disabled.
• This setting is only configurable when Use sudo with MFA is enabled.

Sudo access

Pre-authorize privileged commands with sudo policies, and audit how access was granted. This setting has two tabs:

• Policies — define which commands (wildcards allowed) are authorized, optionally scoped to specific users and servers, with a valid from/until window and a reason. A policy can be bound to a work session; a session-bound policy can allow MFA bypass so a non-interactive caller runs those commands without an MFA prompt, and is deactivated when the session ends.
• Grants — the authorization history (also shown in Sudo history).

See sudo with MFA. Superuser only.

Integrations

Notifications

Manage notification types and configure your preferred notification channels while using Alpacon.

Notification types

Select which events should trigger notifications. Available types include:

• Server disconnection: Receive warning/error notifications when a server loses connection with Alpacon for 1 minute or 5 minutes.

Notification channels

Choose how you want to receive notifications. Available methods include:

• Email
• Webhook: Send notifications to external webhook endpoints. Configure in Webhook.
• Push notifications: Receive browser push notifications.

Monitoring rules

Sends dashboard and email alerts based on defined monitoring rules during real-time server metrics monitoring.

Add rule

1. Click New rule button
2. Select target
3. Set threshold
4. Set whether it’s a default rule
5. Save

Note: Only one default rule can be created per target

What are default rules? Rules automatically applied when new servers are registered.

Edit rule

• Modify/delete from Actions menu
• Cannot delete the only default rule for a target

Webhook

Register webhook URLs to send notification events to external services. Alpacon supports Slack, Discord, Microsoft Teams, Telegram, and custom endpoints.

Create webhook

1. Click New webhook
2. Enter information:
   • Name: Webhook name
   • URL: Webhook endpoint URL
   • Provider: Messaging platform (auto-detected from URL if not set)
   • Verify SSL: SSL certificate validation
   • Enabled: Activation status
3. Save

Supported providers

Provider setup guides

Slack

1. Go to your Slack workspace → Apps → search for “Incoming WebHooks”
2. Add to a channel and copy the webhook URL

Discord

1. Go to Server settings → Integrations → Webhooks
2. Click New webhook, select a channel, and copy the URL

Microsoft Teams

Using Workflows (recommended):

1. Hover over the channel name in the sidebar and click More options (…) → Workflows
2. Search for “Post to a channel when a webhook request is received”
3. Complete the setup and copy the webhook URL

Using Incoming Webhook (legacy):

1. Hover over the channel name in the sidebar and click More options (…) → Manage channel
2. Select Edit, search for Incoming Webhook, and select Add
3. Configure and copy the webhook URL

Telegram

1. Message @BotFather to create a bot and get the token
2. Get your chat ID, then construct: https://api.telegram.org/bot<token>/sendMessage?chat_id=<id>

Custom

Configure any HTTP endpoint that accepts POST requests and enter the URL directly.

Manage webhooks

• Click webhook card for detailed management
• Modify settings or delete

Extensions

Enterprise plan users can selectively enable Alpacon extensions, each toggled on or off:

• IP — manage IP and DHCP settings
• DNS — translate domain names to IP addresses
• Proxy — control and configure proxy servers
• Private SSL — manage private SSL certificates
• Package mirrors — distribute and manage package mirrors
• Power control — monitor and control power settings

Related docs

• Delete a workspace
• Invite team members
• Set permissions
• Security settings
• sudo with MFA