Admin Approval Process

Overview

As an SSO Administrator, you control which users can access which applications in the DoneIsBetter ecosystem. This is a critical security responsibility that ensures only authorized users can access sensitive applications.

Your Responsibilities:

• Review and approve/deny user access requests
• Assign app-level roles (user vs admin)
• Monitor active permissions across all apps
• Revoke access when needed (security incidents, role changes)
• Maintain audit trail of permission changes

Accessing the Admin Panel

Login

1. Navigate to https://sso.doneisbetter.com/admin
2. Enter your SSO admin email and 32-hex password token
3. Alternatively, request a magic link if configured
4. Session lasts 7 days with automatic extension

Admin Panel Layout

• Users Tab - Manage user accounts and app permissions (primary focus)
• OAuth Clients Tab - View registered applications
• Settings - Admin account settings and logout

Approving User Access

When Users Need Approval

Users need approval in these scenarios:

• First-time access - User tries to login to app for the first time
• After revocation - User's access was previously revoked, they're requesting again
• New app registration - App is newly registered, all users need approval

Step-by-Step Approval Process

1. Identify Pending Requests

Navigate to Admin Panel → Users tab:

Users List:
┌─────────────────────────────────────────────────┐
│ Name          │ Email              │ Actions   │
├─────────────────────────────────────────────────┤
│ John Doe      │ john@example.com   │ [View]    │ ← Click here
│ Jane Smith    │ jane@example.com   │ [View]    │
│ ...           │ ...                │ ...       │
└─────────────────────────────────────────────────┘

2. View User Details

Click "View" on a user to see their profile and app permissions:

User Details:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
User Information
  Name: John Doe
  Email: john@example.com
  ID: 550e8400-e29b-41d4-a716-446655440000

Application Access
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

┌─ Launchmass ────────────────────────┐
│ Landing page builder                │
│                                     │
│ Status: PENDING ⏳                  │ ← Needs approval!
│                                     │
│ Role: [Select ▼] [Grant Access]    │
└─────────────────────────────────────┘

┌─ Messmass ──────────────────────────┐
│ Messaging platform                  │
│                                     │
│ Status: APPROVED ✓                  │
│ Current Role: user                  │
│                                     │
│ Role: [user ▼] [Revoke Access]     │
└─────────────────────────────────────┘

3. Select Appropriate Role

Before granting access, choose the right role:

• user (Default)
  • Standard app access
  • Cannot access admin features
  • Best for: Regular users, team members
• admin (Elevated)
  • Full app access including admin panel
  • Can manage app-specific users and settings
  • Best for: Trusted administrators, app owners

4. Grant Access

1. Click the role dropdown next to "Grant Access"
2. Select "user" or "admin"
3. Click "Grant Access" button
4. Success message appears: "Access granted successfully"
5. Status changes to "APPROVED ✓"

5. Notify User (Optional)

SSO doesn't automatically email users. Consider:

• Sending manual notification: "Your access to [App] has been approved"
• Instructing user to try logging in again
• Setting up Slack/Discord notifications for your team

Managing User Roles

Changing an Existing Role

If a user's responsibilities change:

1. Navigate to User Details → Application Access
2. Find app with status "APPROVED"
3. Click role dropdown (shows current role)
4. Select new role: "user" or "admin"
5. Change applies immediately

Common Role Change Scenarios

• Promotion: user → admin

  User is now managing app features, needs admin panel access

• Demotion: admin → user

  User no longer needs administrative privileges, reduce access

Revoking User Access

When to Revoke Access

• User leaves organization - Offboarding process
• Security incident - Compromised account
• Policy violation - Terms of service breach
• Role change - User no longer needs app access
• Temporary suspension - Pending investigation

Revocation Process

1. Navigate to User Details → Application Access
2. Find app with status "APPROVED"
3. Click "Revoke Access" button
4. Confirm in dialog: "Are you sure you want to revoke access?"
5. Success message: "Access revoked successfully"
6. Status changes to "REVOKED ❌"

What Happens After Revocation

• Immediate: User cannot complete new OAuth flows
• Existing tokens: Remain valid until expiry (max 1 hour)
• Next login attempt: Shows "Access Denied" message
• Database record: Kept with status "revoked" (audit trail)
• Re-approval: Can grant access again later if needed

Batch Operations

Current Limitations

The admin panel currently requires one-by-one permission management. For bulk operations, contact development team to:

• Build batch approval UI
• Use API scripts for bulk grants/revokes
• Export/import permission lists

API-Based Bulk Operations

For administrators comfortable with APIs:

// Bulk approve script example
const users = ['user-uuid-1', 'user-uuid-2', 'user-uuid-3'];
const clientId = 'launchmass-client-id';

for (const userId of users) {
  await fetch(`https://sso.doneisbetter.com/api/admin/app-permissions/${userId}`, {
    method: 'POST',
    credentials: 'include', // Admin session cookie
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      clientId: clientId,
      role: 'user',
      status: 'approved'
    })
  });
  console.log(`Approved ${userId}`);
}

Monitoring & Audit Trail

Permission Metadata

Every permission record includes audit fields:

• createdAt - When permission was first requested (ISO 8601 UTC)
• updatedAt - Last modification timestamp
• grantedAt - When approval was granted
• grantedBy - Admin user ID who granted access
• revokedAt - When access was revoked (if applicable)
• revokedBy - Admin user ID who revoked access

Viewing Audit Information

Currently, audit fields are stored in MongoDB but not shown in UI. To view:

1. Connect to MongoDB Atlas
2. Query appPermissions collection
3. Filter by userId or clientId
4. Examine audit fields

Future Audit Features

Planned enhancements:

• Permission change history log in UI
• Export audit reports (CSV/PDF)
• Email notifications for permission changes
• Slack/Discord integration for real-time alerts

Best Practices

Security

• ✅ Default to "user" role - Only grant "admin" when truly needed
• ✅ Review pending requests daily - Don't leave users waiting unnecessarily
• ✅ Verify user identity - Confirm via email/Slack before approving
• ✅ Document approval decisions - Keep notes on why access was granted
• ✅ Regular access reviews - Quarterly audit of who has what access
• ✅ Revoke on departure - Part of offboarding checklist
• ❌ Don't share admin credentials - Each admin should have own account

Workflow Efficiency

• 📋 Check pending requests daily - Morning routine
• 📋 Batch similar requests - Approve all "user" roles together
• 📋 Set approval criteria - Define who auto-qualifies (e.g., company email domain)
• 📋 Communicate expectations - Tell users typical approval time (e.g., "within 24 hours")
• 📋 Delegate when possible - Multiple SSO admins for coverage

Communication

• 💬 Notify users of approval - Manual email or Slack message
• 💬 Explain rejections - If denying, tell user why and next steps
• 💬 Announce new apps - When registering new app, notify team
• 💬 Coordinate with app admins - They manage org-level access, you manage SSO-level

Troubleshooting

User Says "Access Pending" But I Already Approved

Possible Causes:

• User hasn't tried logging in again after approval
• Wrong app - Check which app they're trying to access
• Wrong user - Verify email matches SSO account
• Cache issue - Have user clear browser cache/try incognito

Resolution:

1. Navigate to user details in admin panel
2. Verify status shows "APPROVED" for correct app
3. Have user logout and login again
4. Check browser console for OAuth errors

I Changed Role But User Still Has Old Permissions

Cause: Existing access tokens cached old role (max 1 hour)

Resolution:

• Wait: Token expires within 1 hour, new role applies automatically
• Force refresh: Revoke access, wait 5 seconds, re-grant with new role
• User action: Have user logout and login again (forces token refresh)

User Can't Login After Revocation

Expected Behavior: If you revoked access, user should see "Access Denied"

If they need access back:

1. Navigate to user details
2. Find app with status "REVOKED"
3. Select role and click "Grant Access" (same as first-time approval)
4. User can now login again

Don't See Any Pending Requests

Possible Reasons:

• No users have attempted login recently
• All existing requests already approved
• Users are trying to login to different SSO instance (check environment)

To Generate Test Request:

1. Open incognito browser
2. Navigate to your app (e.g., https://launchmass.doneisbetter.com)
3. Click "Login with SSO"
4. Register new test account
5. Complete OAuth flow - Should create pending request
6. Check admin panel for new pending entry

Multiple Admins & Delegation

SSO Admin Roles

SSO has two admin levels:

• admin - Can manage users and app permissions
• super-admin - Can manage users, permissions, AND create new SSO admins

Creating New Admins (Super-Admins Only)

1. Login to admin panel as super-admin
2. Navigate to Users tab
3. Click "Create Admin User"
4. Enter email, name, select role (admin or super-admin)
5. System generates 32-hex password token
6. Copy and securely share token (shown only once!)
7. New admin can login at https://sso.doneisbetter.com/admin

Delegation Best Practices

• Assign primary admin for each app (e.g., Launchmass admin handles Launchmass approvals)
• Cross-train admins for coverage (vacations, time zones)
• Document approval criteria (who qualifies for automatic approval)
• Use shared Slack channel for coordination
• Review admin access quarterly (remove unused accounts)

Related Documentation

• App Permissions - Technical details of permission system
• Authentication Guide - OAuth 2.0 flow users experience
• Quick Start Guide - For app developers integrating SSO
• SSO Admin Panel - Login to manage permissions

Support & Escalation

For SSO-related issues:

• Email: sso@doneisbetter.com
• Slack: #sso-support (internal)
• Emergency: Contact development team directly

When escalating, include:

• User's email address
• App they're trying to access (client_id if known)
• Current permission status (pending/approved/revoked)
• Screenshots of admin panel
• Error messages from user's browser console
• Timestamps (ISO 8601 UTC format)