Admin¶

Cross-tenant platform controls. The entire Admin section is gated to role = superadmin and is not visible in the sidebar to regular tenant users. The sidebar label is rendered in red.

Platform¶

Route: /admin Role gating: superadmin.

Health overview across the platform:

Total tenants.
Total users.
Total servers.
Total incidents.
Open incidents.

Links into the Tenants & Users sub-page.

Tenants & Users¶

Route: /admin/tenants-users Role gating: superadmin.

Tabbed page with three tabs: Tenants, Users, and Registrations.

Tenants tab¶

Table of every tenant on the platform.

Columns: Name, Slug, Plan, Users (count), Servers (count), Created.

Actions: - Impersonate. Server-side cookie swap; the original superadmin access cookie is preserved in original_access_token (httpOnly) so the operation is reversible.

While impersonating, a banner is rendered at the top of every page showing the impersonated tenant name, with an Exit Impersonation button. The exit action calls /admin/stop-impersonating, which restores the original superadmin cookie and clears the banner. JavaScript cannot read either token; the swap is entirely server-side.

Users tab¶

Cross-tenant user list.

Columns: Email, Role, Status, Tenant, Created.

Roles in this tab: viewer / operator / admin / owner / superadmin.

Actions (not available for superadmin users or deleted users): - Edit role. - Delete.

An Invite user button sends an invitation email; the invite modal collects email address, role (viewer / operator / admin), and target tenant.

Registrations tab¶

Pending daemon/client registration requests awaiting superadmin approval.

settings.md — tenant-scoped user management lives there for non-superadmins