Super-admin tenant switcher
A V28 top-nav dropdown for superadmins to switch which tenant they're acting as — no re-login (gh#714).
Where it appears
Top-nav, right side, next to the user avatar. Visible only to users with the superadmin role; invisible to regular tenant admins.
What it does
Picking a tenant from the dropdown:
- Sets the
x-platform-tenant-idheader on all subsequent requests. - Re-fetches the current page's data against the picked tenant.
- Updates the URL path's
?tenantId=query param so links + browser back/forward preserve the switch. - Browser tab title gains the tenant slug suffix (e.g.
Pulse — Castle&River).
No re-login. No cookie change. The session JWT stays the same; the header overrides the tenant scope for each request.
Why this exists
Pre-gh#714, switching tenants meant log out + log in as a different tenant admin. For a team running ~10 tenants, that's ~10 logout/login cycles per investigation.
After gh#714: one click, instant context switch.
Audit
Every action a superadmin takes while in switched-tenant mode logs both:
- The acting superadmin's user ID
- The target tenant ID (from the header)
So tenant audit logs show actor=superadmin-impersonate:<id> instead of conflating with the tenant's own admin actions. Operator at the tenant can see when a platform-admin touched their data.
Super-admin grant
The superadmin role is granted by another superadmin via the platform-admin tenant editor — see Admin → Admin Users. New tenant admins default to admin (scoped to their tenant); promotion to superadmin is a deliberate manual step.
Restrictions
Some destructive actions are gated even for superadmins:
- Deploying a config change that would affect ALL tenants requires confirmation in the platform-admin UI.
- Tenant deletion requires a soft-delete first + 30-day cooldown.
Implements: gh#714 (super-admin tenant switcher in V28 top-nav + super-admin grant).