Unphish v2 Docs

Admin tasks

Tenant management, client onboarding, integrations, audit, and import.

The Admin layer is for Unphish staff and platform operators. Admin lives at /admin inside the same application as the analyst workspace; it is gated by capability, not deployed separately.

You use Admin if you hold the admin role on the Unphish organization, have an internal-domain email, and have an elevated system_role.

What Admin covers

| Section | What you do |
|---|---|
| /admin/organizations | Create, list, edit organizations (Unphish, partners, direct customers). |
| /admin/clients | Manage clients globally; assign clients to organizations or partners. |
| /admin/users | Search, view, suspend, and audit users across all tenants. |
| /admin/memberships | Manage user-to-organization and user-to-client memberships and roles. |
| /admin/integrations | Provider configurations, modes (live, fixture, sandbox), credential metadata. |
| /admin/quotas | Plan and quota administration. |
| /admin/api-applications | API applications and key issuance for clients. |
| /admin/audit | Global audit log search across tenants. |
| /admin/imports | v1 migration runs, status, retries, validation reports. |

Routine analyst work still happens on /dashboard/*. Admin is for the things only operators do.

Onboarding a new direct-customer organization

  1. Create the organization at /admin/organizations. Enter legal name, primary contact, billing details, and plan tier.
  2. Create the first client. A direct-customer organization typically has one client, identical to the org. Partners have many.
  3. Configure brands. Add the domains, social handles, logos, trademarks, copyright URLs, and content URLs the client wants protected. Upload proof-of-authorization documents.
  4. Set the client policy. Automation thresholds, required approvals, allowed channels, watchlist frequency, notification rules.
  5. Configure SSO if applicable. Add and verify the email domain; configure the OIDC/SAML federation in Authentik; enable the SSO domain in /admin/clients/[id]/sso.
  6. Invite the client admin. Use /admin/users/invite. Choose role admin, scope to the new client. The user receives a Postmark email and goes through Authentik enrollment.
  7. Onboard their users. The client admin can now invite their own team. You do not need to do this for them.

Onboarding a partner

The flow is similar to a direct customer with two differences:

  • The organization is a partner, not a direct customer. Partner branding, custom domain, and white-label settings apply.
  • The partner will manage their own portfolio of clients. You create the partner organization, invite the first partner admin, and they take it from there.

Managing integrations

/admin/integrations lists every external provider: URLScan, WhoisXML, NothingPhishy, CleanDNS, WhoisFreaks, Cloudflare, Google Safe Browsing, Microsoft SmartScreen, Meta, X, Postmark, plus any client-specific integrations.

For each provider, you can:

  • See mode: live, fixture, or sandbox. Production tenants need live; staging usually runs fixture or sandbox.
  • See credential metadata: which environment holds the secret, when it was last rotated, whether the last health check passed. The actual secrets live in Vercel environment variables (or Render env groups for workers); the database stores only metadata and fingerprints.
  • See last-call status: success, failure, rate-limited, unconfigured.
  • Trigger a test call to validate credentials.

To rotate a credential, update it in the Vercel or Render environment variables for the appropriate environment and redeploy the affected service. The next health check will then reflect the new fingerprint.
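The fingerprint-only model described above, as an added example (not Unphish code): a health check recomputes a keyed fingerprint from the secret the running service loaded and writes back metadata only. The HMAC construction, the 16-character truncation, the fingerprint key, and all type and field names are assumptions; the page does not say how fingerprints are derived.

```typescript
import { createHmac } from "node:crypto";

// Hypothetical metadata row: the only credential data the database holds.
type CredentialMeta = {
  provider: string;
  environment: string;
  fingerprint: string;   // keyed digest of the secret, never the secret itself
  lastRotatedAt: string; // when a changed fingerprint was first observed
  healthy: boolean;      // whether the last health check passed
};

// Keyed and truncated, so a leaked fingerprint cannot be used to confirm
// guesses of the secret without also holding the fingerprint key.
function fingerprint(secret: string, fingerprintKey: string): string {
  return createHmac("sha256", fingerprintKey).update(secret, "utf8").digest("hex").slice(0, 16);
}

// liveSecret is what the deployed service read from its environment at start-up.
function healthCheck(meta: CredentialMeta, liveSecret: string | undefined,
                     fingerprintKey: string, callOk: boolean,
                     nowIso: string): { meta: CredentialMeta; rotated: boolean } {
  if (liveSecret === undefined || liveSecret === "") {
    // Unconfigured: mark unhealthy, keep the last known fingerprint.
    return { meta: { ...meta, healthy: false }, rotated: false };
  }
  const current = fingerprint(liveSecret, fingerprintKey);
  const rotated = current !== meta.fingerprint;
  return {
    meta: {
      ...meta,
      fingerprint: current,
      healthy: callOk,
      lastRotatedAt: rotated ? nowIso : meta.lastRotatedAt,
    },
    rotated,
  };
}
```

If the fingerprint is unchanged after a rotation, the affected service has not been redeployed with the new value.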

Running and validating v1 migration

/admin/imports is the operator console for v1 → v2 migration. Migration is phased:

| Phase | Tables | Status |
|---|---|---|
| 1 | clients, brands, users, memberships | MVP imported |
| 2 | cases, notes, attachments, tags, assignments | MVP imported |
| 3 | enforcements and related artifacts | In progress |
| 4 | watchlist items, updates, screenshots, subscribers | Foundation imported |
| 5 | whitelist, scan configs, scan runs, quotas, API apps, SSO | In progress |
| 6 | Validation and audit reconciliation | Per-phase |

Each run produces:

  • A migration report with imported, skipped, failed, and manually-reviewed counts.
  • A row map preserving v1 IDs in legacy_v1_* fields for traceability.
  • An audit summary of source-vs-destination row counts per table.

Imported data is labelled source: imported. Production UI shows the label so customers and analysts can distinguish migrated history from current production activity.
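A reconciliation pass over the three per-run artifacts listed above, as an added example (not the project's importer). Field names are hypothetical, and the invariants checked are assumptions: every source row lands in exactly one report bucket, only imported rows reach v2, and each imported row has one row-map entry.

```typescript
type RowMapEntry = { legacyV1Id: string; v2Id: string };
type TableRun = {
  table: string;
  sourceRows: number;       // rows counted in v1
  destinationRows: number;  // rows in v2 labelled source: imported
  imported: number;
  skipped: number;
  failed: number;
  manuallyReviewed: number;
  rowMap: RowMapEntry[];    // v1 ID to v2 ID, one entry per imported row
};

function reconcile(run: TableRun): string[] {
  const findings: string[] = [];
  const accounted = run.imported + run.skipped + run.failed + run.manuallyReviewed;
  if (accounted !== run.sourceRows) {
    findings.push(`${run.table}: report accounts for ${accounted} of ${run.sourceRows} source rows`);
  }
  if (run.destinationRows !== run.imported) {
    findings.push(`${run.table}: ${run.destinationRows} destination rows, ${run.imported} reported imported`);
  }
  if (run.rowMap.length !== run.imported) {
    findings.push(`${run.table}: row map has ${run.rowMap.length} entries for ${run.imported} imports`);
  }
  const seen = new Set<string>();
  for (const entry of run.rowMap) {
    // A v1 ID mapped twice means one legacy record produced two v2 rows.
    if (seen.has(entry.legacyV1Id)) {
      findings.push(`${run.table}: v1 ID ${entry.legacyV1Id} mapped more than once`);
    }
    seen.add(entry.legacyV1Id);
  }
  return findings;
}

// Constructed sample runs, not real migration output.
const sampleRuns: TableRun[] = [
  { table: "clients", sourceRows: 3, destinationRows: 3, imported: 3, skipped: 0, failed: 0,
    manuallyReviewed: 0, rowMap: [{ legacyV1Id: "c-1", v2Id: "a" }, { legacyV1Id: "c-2", v2Id: "b" },
                                  { legacyV1Id: "c-3", v2Id: "c" }] },
  { table: "cases", sourceRows: 5, destinationRows: 4, imported: 3, skipped: 1, failed: 0,
    manuallyReviewed: 0, rowMap: [{ legacyV1Id: "k-1", v2Id: "d" }, { legacyV1Id: "k-2", v2Id: "e" },
                                  { legacyV1Id: "k-2", v2Id: "f" }, { legacyV1Id: "k-3", v2Id: "g" }] },
];
```

An empty result for a table means its report, row counts, and row map agree; any finding is a reason to hold the phase at validation.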

Audit log

/admin/audit is the global audit log. Every sensitive action writes an entry:

  • Authentication events (sign-in, sign-out, MFA enrollment).
  • Membership changes (invite, accept, revoke, role edit, removal).
  • Provider secret writes (metadata only; secrets never logged).
  • Impersonation start/stop with reason and target.
  • Case lifecycle transitions.
  • Enforcement submissions and provider responses.
  • Client approvals and rejections.
  • Configuration changes (organization, client, brand, policy).

Audit entries are append-only. Corrections are added as new entries; nothing is deleted. Retention is set per record class and meets the contractual obligations for the highest-tier client.

Support preview (impersonation)

When a customer reports a problem you need to reproduce, use support preview:

  1. From /admin/users/[id], click Start support preview.
  2. Enter the reason (free text) and an expiry (max 60 minutes).
  3. The preview opens in a new session with a persistent banner showing your real identity, the target user, and the time remaining.
  4. Every action you take is audited under both your real identity and the target user.
  5. End the preview manually or wait for expiry.

Support preview is gated by the impersonation.start capability and is only available to internal-domain Engram and Unphish admin users.
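The checks this section describes, as an added example (not Unphish code): capability and internal-domain gating, a mandatory reason, the 60-minute cap, and audit entries that carry both identities. Type names, the placeholder domains, and the in-memory log are hypothetical.

```typescript
type Admin = { id: string; email: string; capabilities: string[] };
type Preview = { actorId: string; targetUserId: string; reason: string; expiresAt: number };
type AuditEntry = { at: number; action: string; actorId: string; onBehalfOf: string; reason: string };

const INTERNAL_DOMAINS = ["unphish.example", "engram.example"]; // placeholder domains
const MAX_PREVIEW_MINUTES = 60; // from the page: expiry is at most 60 minutes
const auditLog: AuditEntry[] = []; // stand-in for the append-only audit store

function audit(p: Preview, action: string, at: number): AuditEntry {
  // Each entry names the real operator and the previewed user.
  const entry = { at, action, actorId: p.actorId, onBehalfOf: p.targetUserId, reason: p.reason };
  auditLog.push(entry);
  return entry;
}

function startSupportPreview(actor: Admin, targetUserId: string, reason: string,
                             minutes: number, now: number): Preview {
  const atSign = actor.email.lastIndexOf("@");
  const domain = atSign > 0 ? actor.email.slice(atSign + 1).toLowerCase() : "";
  if (!actor.capabilities.includes("impersonation.start")) throw new Error("missing capability");
  if (!INTERNAL_DOMAINS.includes(domain)) throw new Error("not an internal-domain user");
  if (reason.trim() === "") throw new Error("reason is required");
  if (!Number.isFinite(minutes) || minutes <= 0 || minutes > MAX_PREVIEW_MINUTES) {
    throw new Error("expiry must be positive and at most 60 minutes");
  }
  const preview = { actorId: actor.id, targetUserId, reason: reason.trim(),
                    expiresAt: now + minutes * 60000 };
  audit(preview, "impersonation.start", now);
  return preview;
}

// Call before serving any request inside the preview session.
function recordPreviewAction(p: Preview, action: string, now: number): AuditEntry {
  if (now >= p.expiresAt) {
    audit(p, "impersonation.stop", now); // expiry ends the preview and is itself logged
    throw new Error("support preview expired");
  }
  return audit(p, action, now);
}
```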

Things you should never have to do

  • Edit raw database rows. If a tool does not exist for an operation, that is a product gap; file it. The only exception is verified incident response, which is documented in the production runbook and requires two-person approval.
  • Read or paste provider secrets. Secret values are managed in Vercel/Render. The app surface shows fingerprints only.
  • Bypass auth. v2 has no fallback authentication. If Authentik is unavailable, the platform is unavailable; that is intentional.
