Smart Document Assistant

Super Admin Guide

Platform governance — provision sites, invite Site Admins, break-glass recovery, and the tenant-isolation boundary.

The Super Admin is the platform operator. Your job is governance: stand up new tenant workspaces, hand each one to its Site Admin, and step in only to recover locked-out accounts. You are deliberately walled off from tenant-internal data (departments, documents, staff memberships).

What you can do

  • Provision sites (tenant workspaces) and set each site's initial branding at creation.
  • Invite Site Admins — the only role you can appoint.
  • Break-glass recovery — deactivate, reactivate, or reset the password of any account.
  • Review the audit trail across sites.

Your sidebar is governance-only: Overview, Sites, Users, Audit. There is no Departments, Documents, or standalone Branding entry — by design.

Provisioning a site (atomic)

From Sites → Create site, provide the slug and name, and optionally the site's initial branding (product name, primary/secondary colors, logo URL, login-background URL).

  • The identity tenant and the site record are created atomically — if any part fails, nothing is persisted and the identity tenant is rolled back (no orphaned/half-created tenants).
  • If you fill in branding, the site's SiteBranding is created in the same transaction as the site. Leave branding blank and the site simply uses the platform defaults until its Site Admin customizes it.

Setting branding here is your only branding capability — there is no standalone branding editor for Super Admins, because branding belongs to a specific site.

Inviting the Site Admin

From Users, invite the institution's administrator. When you invite:

  • The only assignable role is Site Admin. You cannot create Department Admins or ordinary Users.
  • There is no department picker — Site Admins receive site-wide access, and you have no visibility into a tenant's departments anyway.
  • The invitee receives an automated welcome email with a secure, single-use link to set their password. You never see that link.

From there, the Site Admin runs their institution: branding, departments, staff, and documents.

Break-glass account recovery

If a tenant administrator is locked out or unreachable, you can still help without touching their data. On any user you may:

  • Deactivate / Reactivate the account.
  • Reset password — sends a fresh access link via the standard reset flow.

These status actions are the exception to the no-tenant-mutation rule — they restore access, they do not expose content. You cannot change a user's role or edit their department memberships.

The tenant-isolation boundary (why you can't see departments or documents)

This is the heart of the Super Admin role (Feature F21) and enforces Principle II (Tenant Isolation) and Principle III (PDPA):

  • A platform operator has a lawful basis to run the service, not to read an institution's clinical or personal documents or staff records.
  • Concretely, the Super Admin role has no manage_branding, manage_departments, or manage_documents permission, and resolves to an empty department scope. So:
    • The Departments, Documents, and Branding pages are hidden and blocked (server-side, not just in the UI).
    • Department member pickers and lists exclude Super Admins — you can never be added to a department, and you don't appear as an option to Site Admins.
    • Every one of these denials is server-authoritative and audited — hiding a menu item is never the only control.

Break-glass status actions remain available precisely because they restore access without revealing tenant content.

On this page