Platform admin

Super-admin tenant switcher

A V28 top-nav dropdown for superadmins to switch which tenant they're acting as — no re-login (gh#714).

Where it appears

Top-nav, right side, next to the user avatar. Visible only to users with the superadmin role; invisible to regular tenant admins.

What it does

Picking a tenant from the dropdown:

  1. Sets the x-platform-tenant-id header on all subsequent requests.
  2. Re-fetches the current page's data against the picked tenant.
  3. Updates the URL path's ?tenantId= query param so links + browser back/forward preserve the switch.
  4. Browser tab title gains the tenant slug suffix (e.g. Pulse — Castle&River).

No re-login. No cookie change. The session JWT stays the same; the header overrides the tenant scope for each request.

Why this exists

Pre-gh#714, switching tenants meant log out + log in as a different tenant admin. For a team running ~10 tenants, that's ~10 logout/login cycles per investigation.

After gh#714: one click, instant context switch.

Audit

Every action a superadmin takes while in switched-tenant mode logs both:

  • The acting superadmin's user ID
  • The target tenant ID (from the header)

So tenant audit logs show actor=superadmin-impersonate:<id> instead of conflating with the tenant's own admin actions. Operator at the tenant can see when a platform-admin touched their data.

Super-admin grant

The superadmin role is granted by another superadmin via the platform-admin tenant editor — see Admin → Admin Users. New tenant admins default to admin (scoped to their tenant); promotion to superadmin is a deliberate manual step.

Restrictions

Some destructive actions are gated even for superadmins:

  • Deploying a config change that would affect ALL tenants requires confirmation in the platform-admin UI.
  • Tenant deletion requires a soft-delete first + 30-day cooldown.

Implements: gh#714 (super-admin tenant switcher in V28 top-nav + super-admin grant).

Source: the FlatsBratislava operator manual.