Admin Panel Overview
Audience: Administrators
Page Type: Reference Guide
Summary: Tenant settings, user management, role definitions, approvals, audit.
Accessing Admin Panel
The COS Admin panel is accessed via the /admin URL. Required role: SUPER_ADMIN
Admin Menu
| Menu Item | Description | Access |
|---|---|---|
| Tenant Management | Tenant (company) CRUD | SUPER_ADMIN |
| Holding Groups | TenantGroup management | SUPER_ADMIN |
| Plan Management | PlanTemplate and FeatureDefinition CRUD | SUPER_ADMIN |
| Subscription Management | Subscription CRUD and overrides | SUPER_ADMIN |
| RBAC Management | DB-based permission management | SUPER_ADMIN |
| User Roles | Role listing and assignments | SUPER_ADMIN |
| Global KPI Library | Platform-wide KPI templates | SUPER_ADMIN |
| Global Product KPI Library | Platform-wide product KPI templates | SUPER_ADMIN |
| Global Resource Library | Platform-wide resource templates | SUPER_ADMIN |
| Sector Management | Sector lookups | SUPER_ADMIN |
| Country Management | Country lookups | SUPER_ADMIN |
| DMA Templates | Digital Maturity Assessment templates | SUPER_ADMIN |
| Excellence Templates | Excellence Assessment templates | SUPER_ADMIN |
| AI Prompt Management | AI system prompt templates | SUPER_ADMIN |
| AI Analytics | AI usage statistics | SUPER_ADMIN |
| AI Provider Default | Default AI provider settings | SUPER_ADMIN |
| AI Model Registry | AI model registry | SUPER_ADMIN |
| AI Tool Logs | AI tool call logs | SUPER_ADMIN |
Note: The Admin menu is for SUPER_ADMIN role only. Tenant-level management is under the Platform menu (Tenant Settings, Users, Integrations, etc.).
User Management
Adding Users
- Platform → Users → Add User
- Enter Email and Name
- Select Organizational unit
- Assign Role (MEMBER, TEAM_LEAD, STRATEGY_MANAGER, ADMIN)
- Save - System sends automatic invite email
User Roles (Tenant Level)
COS uses a 4-layer role architecture:
| Layer | Role | Scope | Permissions |
|---|---|---|---|
| Platform | SUPER_ADMIN | Entire system | Full admin menu, tenant/plan/subscription management |
| Holding | GROUP_ADMIN | Group tenants | View group tenants, view effective plan |
| Tenant | ADMIN | Single tenant | User management, tenant settings, approval workflows |
| Tenant | STRATEGY_MANAGER | Single tenant | Strategy modules, themes, planning |
| Tenant | TEAM_LEAD | Unit hierarchy | Unit strategy, OKR scoring, team management |
| Tenant | MEMBER | Own assignments | Assigned tasks, OKR updates |
Note: There is no "CEO" role in the system. CEO functionality is achieved by assigning the ROOT org unit leader as TEAM_LEAD or ADMIN.
Changing Roles
- Select user in Users table
- Edit → Role dropdown
- Select new role → Save
Deleting Users
- Select user
- Deactivate - Data preserved, access removed
- (You can reactivate later)
Role Definitions and Permissions
COS roles are managed with a DB-based RBAC system. Permissions for each role are defined in the Permission table and loaded via seed.
Menu Visibility Groups
The sidebar menu uses the new information architecture with the following groups:
| Menu Group | Content | Roles |
|---|---|---|
| Dashboard | Admin/Strategy/Team Lead/Employee dashboards | All roles (dashboard type varies by role) |
| Platform | Tenant settings, users, group mgmt, plan info, integrations, AI settings | ADMIN, GROUP_ADMIN, SUPER_ADMIN |
| Context | Organization, products, mission/vision, strategic cycles | All roles (write permission varies) |
| Analysis | Current State, Product Scorecard, Digital Maturity, Excellence Assessment, VRIO, PESTLE, Porter, BCG, Findings | SM, ADMIN + plan feature check |
| Synthesis | Product SWOT, SWOT, Strategic Themes | SM, ADMIN + plan feature check |
| Execution | BSC, OKR Cycles, My OKRs, OKR Control Center, DMA My Tasks, Excellence My Tasks | All roles (scope varies by role) |
| Gap Analysis | Strategic Alignment, Approval Queue, OKR Hygiene, Orphan Console, Gap Actions | SM, ADMIN |
| Library | Resource Library, KPI/IPF Library, Product KPI Library | All roles (write permission varies) |
| Reports | Strategy Reports, Performance Reports, Roadmap | SM, ADMIN + plan feature check |
| Admin | Tenant/Group/Plan/Subscription/RBAC/Library/Template/AI management | SUPER_ADMIN |
API Permissions
All API calls are protected by the following guard chain:
```typescript
@UseGuards(JwtAuthGuard, TenantGuard, OrgUnitScopeGuard, PermissionGuard)
@RequirePermission('module.resource.action')
```
- JwtAuthGuard: JWT token validation
- TenantGuard: Tenant isolation (X-Tenant-ID header)
- OrgUnitScopeGuard: Organizational unit scope control
- PermissionGuard: DB-based permission check (`Permission` table)
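The guard order above, modelled as an added, framework-free TypeScript example (not COS source code): guards run in the declared order and the first refusal ends the request. The claim fields, the rule that X-Tenant-ID must match a tenant listed in the validated token, the org-unit check and the sample permission strings are assumptions made for illustration.

```typescript
// Added illustration, not COS source. Field names, rules and sample data are assumptions.
type Claims = { sub: string; role: string; tenantIds: string[]; orgUnitIds: string[] };
type Req = {
  claims: Claims | null;           // null: JwtAuthGuard could not validate the token
  headers: Record<string, string>; // header names lower-cased
  orgUnitId: string;               // org unit that owns the requested resource
};
type Verdict = { allowed: boolean; deniedBy?: string };
type Guard = [string, (req: Req, perm: string) => boolean];

// Constructed stand-in for the Permission table: role -> 'module.resource.action' grants.
const PERMISSIONS: Record<string, string[]> = {
  ADMIN: ["platform.user.create", "platform.user.update"],
  MEMBER: ["okr.keyresult.update"],
};

const has = (xs: string[], x: string): boolean => xs.indexOf(x) !== -1;

// Same order as @UseGuards(...). Later guards rely on claims set by the first one.
const GUARDS: Guard[] = [
  ["JwtAuthGuard", (req) => req.claims !== null],
  // X-Tenant-ID is client-supplied: accept it only if the validated token lists it.
  ["TenantGuard", (req) => {
    const tenant = req.headers["x-tenant-id"];
    return !!tenant && has(req.claims!.tenantIds, tenant);
  }],
  ["OrgUnitScopeGuard", (req) => has(req.claims!.orgUnitIds, req.orgUnitId)],
  // Deny by default: an unknown role or an unlisted permission both fail.
  ["PermissionGuard", (req, perm) => has(PERMISSIONS[req.claims!.role] || [], perm)],
];

// Runs the guards in order and reports the first one that refuses.
function authorize(req: Req, perm: string): Verdict {
  for (const [name, check] of GUARDS) {
    if (!check(req, perm)) return { allowed: false, deniedBy: name };
  }
  return { allowed: true };
}

// Constructed request: an ADMIN of tenant t-1 acting inside org unit ou-1.
const sampleRequest: Req = {
  claims: { sub: "u-1", role: "ADMIN", tenantIds: ["t-1"], orgUnitIds: ["ou-1"] },
  headers: { "x-tenant-id": "t-1" },
  orgUnitId: "ou-1",
};
const sampleVerdict = authorize(sampleRequest, "platform.user.create"); // allowed
```

The `deniedBy` value is the kind of field worth writing to the audit log on refusal, since it separates cross-tenant header mismatches from ordinary permission misses.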
Approval Workflows
PHASE 2 - Resource Approval
| Item | Approver | Decision |
|---|---|---|
| Corporate Resource | CEO | Approve / Reject |
| Unit Resource | STRATEGY_MANAGER | Approve / Reject |
Rejection: System returns to PHASE 1, vision must be updated.
PHASE 4 - OKR Approval
| Item | Approver |
|---|---|
| Corporate OKR | CEO |
| Unit OKR | STRATEGY_MANAGER |
Audit Log
What is Logged
- All data create/update/delete operations
- All approval/rejection operations
- All user access (login)
- All role changes
Viewing Audit Log
- Admin → Audit Log
- Filter by date range, entity type, action
- Click on row to see details
Access: People with ADMIN role
Tenant Settings
Organization Name
- Tenant's corporate name
- Displayed in all reports and dashboards
Fiscal Year Settings
- Q1, Q2, Q3, Q4 date ranges
- OKR cycles depend on this calendar
Email Notifications
- Approval reminders
- Deadline notifications
- Strategy phase notifications
See also
- Roles & Permissions
- How to Manage Users
- How to Read Audit Log (Future)