Administration overview
H2O AI Engine Manager (AIEM) splits security responsibilities between the H2O AI Cloud platform and workspace administrators. The platform manages infrastructure-level controls — TLS, OIDC authentication, container hardening, and network policies. Workspace administrators manage the tenant-level controls described in this section: who can do what, what resources users can request, and which engine software is available.
What administrators configure
Workspace administrators are responsible for four areas of tenant security. Each row links to the page that covers it in full:
| Area | What you control | Where to start |
|---|---|---|
| Access control | Assign workspace-scoped RBAC roles to grant users the minimum permissions they need. | RBAC roles and permissions |
| Resource governance | Create engine profiles that set CPU, GPU, memory, storage, and duration limits for each engine type. | Engine profile security configuration |
| Software catalog | Manage which engine versions, container images, and sandbox templates users can select. | Engine profile security configuration |
| Audit review | Review the audit trail to verify that access patterns and administrative changes match expectations. | Audit trail |
What the platform manages
The following controls are enforced by the H2O AI Cloud platform. Administrators do not configure them:
- Authentication — OIDC/OAuth2 identity provider integration with MFA support. See Authentication and authorization for how the auth flow works.
- Token validation — Signature verification, expiration, and issuer checks on every request.
- Network security — TLS encryption in transit and ingress controls.
- Container security — Hardened base images and resource isolation.
Hardening checklist
Use this checklist when setting up a new workspace or reviewing an existing one:
- Assign roles — Grant each user the lowest tier (Reader, User, or Admin) that lets them do their work. See RBAC roles and permissions.
- Create profiles — Define at least one profile per engine type with conservative resource constraints before users create engines. See Engine profiles.
- Set duration limits — Configure
max_idle_duration,max_running_duration, andmax_unused_durationto prevent idle resource consumption. - Set concurrency limits — Configure
max_running_enginesper profile to prevent a single user from monopolizing resources. - Restrict DAI config editability — Set
config_editabilitytoCONFIG_EDITABILITY_DISABLEDorCONFIG_EDITABILITY_BASE_CONFIG_ONLYunless users need full control. - Curate the software catalog — Create approved engine versions and images; deprecate outdated versions; disable unused images.
- Review sandbox templates — Verify resource limits and confirm that environment variables contain no secrets.
- Enable profile role restrictions — Turn on
assigned_oidc_roles_enabledfor sensitive profiles and list the allowed OIDC roles. - Review audit events — Periodically review the audit trail for unauthorized or unexpected activity.
Feedback
- Submit and view feedback for this page
- Send feedback about AI Engine Manager to cloud-feedback@h2o.ai