Phase 8 Foundation Features — Operator Guide

How to use the new Settings tabs, the HostDetail Compliance tab, and the Broadcast Refresh action shipped in Phase 8 (v2.0.0.0).

What's new in v2.0.0.0

  • Access Groups + Registration Keys — hierarchical RBAC scoping and pre-shared agent-enrollment tokens.
  • Scheduled Update Profiles — cron-driven fleet updates with security-only and staggered-rollout options.
  • Package Compliance Profiles — REQUIRED / BLOCKED package policy evaluated against each host.
  • Audit-log enhancements — script EXECUTE entries with stdout/stderr, plus CSV export.
  • Broadcast Messaging — single-shot fan-out to every connected agent.
  • Report Branding (Pro+) — org logo and header text injected into every generated report.
  • Custom Report Templates (Pro+) — admin-defined column selections layered on the eight built-in reports.
  • Dynamic Secrets (Pro+) — short-lived OpenBAO-backed credentials that expire automatically.

Settings → Access Groups

An access group is a named scope to which you attach hosts and users. Groups can nest up to 10 levels deep, and a user granted a top-level group inherits every descendant.

  1. Open Settings → Access Groups.
  2. Click Add Group, fill in name + optional description, optionally pick a parent.
  3. Use the row's edit / delete buttons to rename, reparent, or remove. Re-parenting refuses cycles and depth violations with a clear 400 error.
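The re-parenting checks and the inheritance rule described above, as an added example (not SysManage's own code). The child-to-parent dictionary, the function names, and the convention that a top-level group counts as level 1 are assumptions made for illustration.

```python
MAX_DEPTH = 10  # nesting limit from this guide; top-level group = level 1 (assumption)

# Constructed sample: child -> parent (None marks a top-level group).
GROUPS = {"corp": None, "emea": "corp", "emea-web": "emea", "apac": "corp"}

def depth_of(parents, gid):
    """Levels from the top of the tree down to gid, inclusive."""
    depth = 1
    while parents[gid] is not None:
        gid = parents[gid]
        depth += 1
    return depth

def subtree_height(parents, gid):
    """Levels in the subtree rooted at gid, counting gid itself."""
    children = [c for c, p in parents.items() if p == gid]
    return 1 + max((subtree_height(parents, c) for c in children), default=0)

def check_reparent(parents, gid, new_parent):
    """Return None if the move is valid, else "cycle" or "depth"."""
    if new_parent is None:
        return None  # promoting to top level cannot add depth or a cycle
    node = new_parent
    while node is not None:  # walk up from the proposed parent
        if node == gid:
            return "cycle"   # new parent is gid itself or one of its descendants
        node = parents[node]
    # The deepest descendant being moved must still fit under the limit.
    if depth_of(parents, new_parent) + subtree_height(parents, gid) > MAX_DEPTH:
        return "depth"
    return None

def effective_groups(parents, granted):
    """Every group a user reaches: each granted group plus all its descendants."""
    reachable = set()
    for gid in parents:
        node = gid
        while node is not None:
            if node in granted:
                reachable.add(gid)
                break
            node = parents[node]
    return reachable
```

Because a grant on a parent reaches every descendant, a re-parent is also an access change: moving a group under a new parent exposes its hosts to everyone granted that parent or any ancestor.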

Registration keys live on the same tab. A key optionally binds an enrolling host to an access group AND optionally auto-approves it (skipping the manual approval gate). The plaintext key value is shown once in the create dialog — copy it before you close the modal, since there is no recovery.

To enroll a host with a key: paste it into the agent's registration_key config field before first start, or pass it as the --registration-key CLI argument.

Settings → Update Profiles

Each profile schedules an apply_updates command against a tag-filtered host set on a POSIX cron schedule.

  1. Open Settings → Update Profiles, click Add Profile.
  2. Set the cron expression. The OSS parser supports lists (1,15,30), ranges (9-17), step intervals (*/15), day/month names (mon-fri), and POSIX dom/dow OR-semantics.
  3. Toggle Security Updates Only to limit the agent to the security channel.
  4. Set Staggered Window (minutes) to spread agent dispatch over a window — useful to avoid all hosts pulling at once.
  5. Pick an optional tag to scope the profile (omit for the entire fleet).
  6. Use Trigger Now on any row to fire immediately for that profile.
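How the field syntax from step 2 and the POSIX day-of-month / day-of-week OR rule interact, as an added example (a minimal matcher written for this guide, not the OSS parser itself). Function names are assumptions, and `fire_days` is a hypothetical helper for previewing a schedule.

```python
import calendar
from datetime import datetime

DOW = "sun mon tue wed thu fri sat".split()
MON = "jan feb mar apr may jun jul aug sep oct nov dec".split()
NAMES = {**{n: i for i, n in enumerate(DOW)}, **{n: i + 1 for i, n in enumerate(MON)}}
BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]  # minute hour dom month dow

def _num(token):
    token = token.lower()
    return NAMES[token] if token in NAMES else int(token)

def expand(field, lo, hi):
    """Expand one field (lists, ranges, */step, names) into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (_num(t) for t in rng.split("-"))
        else:
            start = end = _num(rng)
        if step < 1 or not lo <= start <= end <= hi:
            raise ValueError(f"bad cron field: {field!r}")
        values.update(range(start, end + 1, step))
    return values

def matches(expr, when):
    """True if the 5-field cron expression fires at datetime `when`."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields")
    minute, hour, dom, month, dow = (
        expand(f, lo, hi) for f, (lo, hi) in zip(fields, BOUNDS))
    dow = {d % 7 for d in dow}  # 7 is an alias for Sunday
    if not (when.minute in minute and when.hour in hour and when.month in month):
        return False
    dom_ok = when.day in dom
    dow_ok = (when.weekday() + 1) % 7 in dow  # Python Monday=0 -> cron Sunday=0
    # POSIX: if both day fields are restricted, a match on either one fires.
    if not fields[2].startswith("*") and not fields[4].startswith("*"):
        return dom_ok or dow_ok
    return dom_ok and dow_ok

def fire_days(expr, year, month, hour, minute):
    """Days of the month on which expr fires at hour:minute (schedule preview)."""
    last = calendar.monthrange(year, month)[1]
    return [d for d in range(1, last + 1)
            if matches(expr, datetime(year, month, d, hour, minute))]
```

With `0 3 1,15 * mon`, February 2024 yields six runs (the 1st, the 15th, and every Monday) rather than "Mondays that fall on the 1st or 15th", which matters when sizing a maintenance window.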

Settings → Compliance Profiles & HostDetail Compliance Tab

Compliance profiles list packages a host MUST or MUST NOT have. Constraints can include version comparisons (>=, !=, ~=, etc.) using PEP 440 / SemVer rules with a lex fallback for non-SemVer.

  1. Define a profile in Settings → Compliance Profiles.
  2. Add constraints: pick the package, set type (Required or Blocked), optionally constrain the version.
  3. Open any host in the Hosts list, navigate to its Compliance tab, and choose between two evaluation modes:
    • Scan — server evaluates against the cached software_package inventory. Fast.
    • Live Scan — dispatches the constraints to the agent, which evaluates against its current installed-package state and reports back via the existing WS command channel. Slower but always-current.
  4. The result row shows Compliant / Non-Compliant / Pending. Expand any non-compliant row to see the per-constraint violation list.
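A simplified sketch of evaluating a profile against a package inventory, as an added example (not SysManage's evaluator). The dictionary layout, function names, and sample data are constructed; it covers only the six ordering/equality operators, not `~=`, and treats a versioned Blocked constraint as violated only when the installed version matches (an assumption).

```python
import re

# Constructed sample inventory (package -> installed version) and profile.
INVENTORY = {"openssl": "3.0.13", "telnetd": "0.17", "sudo": "1.9.5p2"}
PROFILE = [
    {"package": "openssl", "type": "REQUIRED", "op": ">=", "version": "3.0.10"},
    {"package": "auditd", "type": "REQUIRED"},
    {"package": "telnetd", "type": "BLOCKED"},
    {"package": "sudo", "type": "REQUIRED", "op": ">=", "version": "1.9.15"},
]

def _key(version):
    """Tuple of ints for a dotted-numeric version, else None."""
    if re.fullmatch(r"\d+(\.\d+)*", version):
        return tuple(int(p) for p in version.split("."))
    return None

def satisfies(installed, op, wanted):
    """Compare numerically when both versions are dotted-numeric, else as strings."""
    a, b = _key(installed), _key(wanted)
    if a is None or b is None:
        a, b = installed, wanted  # lexical fallback: plain string comparison
    else:
        width = max(len(a), len(b))  # pad so 1.2 == 1.2.0
        a += (0,) * (width - len(a))
        b += (0,) * (width - len(b))
    return {"==": a == b, "!=": a != b, ">=": a >= b,
            "<=": a <= b, ">": a > b, "<": a < b}[op]

def evaluate(profile, inventory):
    """Return (type, package, installed) per violated constraint; [] = compliant."""
    violations = []
    for c in profile:
        installed = inventory.get(c["package"])
        # A constraint "hits" when the package is present and, if a version
        # comparison is given, the installed version satisfies it.
        hit = installed is not None and (
            "op" not in c or satisfies(installed, c["op"], c["version"]))
        # REQUIRED must hit; BLOCKED must not.
        if (c["type"] == "REQUIRED") != hit:
            violations.append((c["type"], c["package"], installed))
    return violations
```

In this sketch the string fallback compares character by character, so the constructed `sudo` version `1.9.5p2` passes `>= 1.9.15`; spot-check constraints on packages whose versions carry non-numeric suffixes.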

Hosts page → Broadcast Refresh

Click the Broadcast Refresh button on the Hosts page header to send a single refresh_inventory envelope to every connected agent. The result toast surfaces delivered_count and elapsed_ms so you can verify the <5 s SLA from the UI.

Settings → Report Branding (Pro+)

The Pro+ reporting engine prepends an org-branding strip (logo + company name + header text) to every PDF and every HTML report.

  1. Open Settings → Report Branding.
  2. Type your company name and any header text (e.g. "Confidential — Internal Use").
  3. Click Upload Logo and pick a PNG, JPEG, SVG, or WEBP file (≤ 1 MB).
  4. Click Save. The next report you generate carries the branding.

Settings → Report Templates (Pro+)

A template is a saved column-subset (and order) for one of the eight base report types. When you generate a report with a template applied, the renderer drops columns the template omits and reorders the rest to match.

  1. Open Settings → Report Templates, click Add Template.
  2. Pick a base report type. The available-fields panel shows the column codes the renderer recognizes for that type.
  3. Tick the columns you want, in the order you want them.
  4. Save. To apply: include ?template_id=<uuid> on a /view/... or /generate/... URL, or pick the template from the Reports page when launching a generation.

Settings → Dynamic Secrets

Issue, revoke, and reconcile short-lived credentials backed by your OpenBAO / Vault deployment. The plaintext value is shown exactly once at issue time — copy it immediately. SysManage stores only the lease metadata (kind, role, TTL, expires_at) and never the secret itself.

  1. Open Settings → Dynamic Secrets, click Issue Lease.
  2. Pick a kind (token, database, ssh), enter the OpenBAO backend role, set TTL (60 s – 24 h).
  3. Copy the secret from the reveal modal. Closing the dialog is irreversible — you cannot retrieve the value again.
  4. Use the leases table to revoke ahead of expiry or to filter by status.
  5. Click Reconcile to mark any ACTIVE rows whose TTL has elapsed as EXPIRED — useful if the sweeper hasn't run.

Audit Trail

Every state-changing action above is logged to the audit log with the operator's user, the entity touched, and the result. Use Reports → Audit Log to view, filter, and export to CSV.

i18n / l10n

All Phase 8 UI strings are translated into 14 languages (ar, de, en, es, fr, hi, it, ja, ko, nl, pt, ru, zh_CN, zh_TW). Switch the active locale from your user-profile dropdown.