Platform Admin guide

This chapter is for Sukrit Nidhi staff — the people who run the platform on behalf of the NGOs using it. If you record donations or approve expenses for a single centre, this chapter is not for you; read the Roles & permissions chapter instead.

What you are (and are not)

A Platform Admin is identified by a single flag on their User row (is_platform_admin). Holding this flag grants you platform-level capabilities but does not make you a user of any tenant. Specifically:

  • You CAN provision, suspend, and archive tenants.
  • You CAN seed each new tenant with its first Tenant Admin.
  • You CAN inspect any tenant read-only for support and oversight.
  • You CAN unlock a closed period (with a reason + step-up MFA) when a tenant needs a correction outside the normal close.
  • You CAN grant external auditor scopes.
  • You CANNOT record donations, submit or approve expenses, or edit any tenant’s master data. The service layer refuses those writes when they come from a Platform Admin who does not hold a Tenant role.

This separation is intentional. Running the platform and keeping a tenant’s books are two different jobs, and Sukrit Nidhi’s audit guarantees depend on them staying apart. If you ever do need to record a transaction inside a specific tenant for an emergency correction, the right pattern is to grant yourself a time-boxed Tenant Admin role, make the correction (fully audit-logged under your name), and then revoke the role.
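
The sketch below is an added illustration of the rule described above, not Sukrit Nidhi's own service-layer code. The class names, the "tenant_admin" role name, and the ledger structure are assumptions; only the is_platform_admin flag comes from this guide. It shows a write guard that ignores the platform flag and accepts only an active, unexpired, unrevoked role in the target tenant.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

class WriteRefused(PermissionError):
    """Raised when the actor holds no active write role in the tenant."""

@dataclass
class TenantRole:
    tenant: str
    role: str
    expires_at: Optional[datetime] = None  # set for time-boxed grants
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and (self.expires_at is None or now < self.expires_at)

@dataclass
class User:
    email: str
    is_platform_admin: bool = False
    roles: list = field(default_factory=list)

WRITE_ROLES = {"tenant_admin"}  # assumed role name

def require_tenant_write(user: User, tenant: str, now: Optional[datetime] = None) -> TenantRole:
    # is_platform_admin is deliberately never consulted: only an active
    # role in *this* tenant authorises a write.
    now = now or datetime.now(timezone.utc)
    for r in user.roles:
        if r.tenant == tenant and r.role in WRITE_ROLES and r.active(now):
            return r
    raise WriteRefused(f"{user.email} holds no active write role in {tenant}")

def record_donation(user, tenant, amount, ledger, now=None) -> dict:
    role = require_tenant_write(user, tenant, now)
    entry = {"tenant": tenant, "amount": amount,
             "actor": user.email, "via_role": role.role}
    ledger.append(entry)  # attributed to the individual, not a shared account
    return entry

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    ops = User("ops@example.org", is_platform_admin=True)
    ledger = []
    ops.roles.append(TenantRole("centre-a", "tenant_admin", t0 + timedelta(hours=1)))
    print(record_donation(ops, "centre-a", 500, ledger, now=t0))
    try:
        record_donation(ops, "centre-a", 500, ledger, now=t0 + timedelta(hours=2))
    except WriteRefused as exc:
        print("refused:", exc)
```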

Signing in as a Platform Admin

The first Platform Admin on a new deployment is bootstrapped with:

python manage.py create_platform_admin \
    --email alice@nidhi.ops \
    --name  "Alice (Sukrit Nidhi Ops)" \
    --password "…"

After that, existing Platform Admins promote other Sukrit Nidhi staff from the Users & Roles page.

Platform Admins sign in at the dedicated /auth/platform-login page. The tenant login page at /auth/login requires a centre code and will refuse blank entries; there is a “Platform Admin access” link in its footer that takes you to the right door in one click.

When a Platform Admin signs in, they land on the Platform dashboard, not on any tenant. The sidebar shows platform-specific navigation:

  • Platform dashboard — tenants table, platform audit health, onboarding shortcuts.
  • Tenants — list / detail / status transitions.
  • Auditor scopes — grant external auditors time-boxed read-only access.
  • Platform audit log — the full hash-chained event stream.
  • NGO rollup (read-only) — cross-tenant KPI snapshot + Consolidated I&E.

Onboarding a new tenant

Run provision_tenant (CLI) → Tenant DB created (migrations + seed) → First Tenant Admin (one-time password) → Hand over (Tenant Admin invites rest)

  1. Run provision_tenant with the tenant slug, legal / display names, and the first Tenant Admin’s email. See Provisioning a new centre for the full command line.
  2. Sukrit Nidhi prints the temporary password for the first Tenant Admin once. Deliver it securely (a sealed envelope, a password manager share, a brief encrypted email — not a plain email).
  3. From that point, do not invite the tenant’s ordinary users yourself. The Tenant Admin does that. Your job is done.

Ongoing oversight

Audit health

The Platform dashboard surfaces a red badge if any tenant’s audit chain fails integrity verification. Red is always a security incident — see the Chain integrity chapter for the investigation workflow.

Suspensions and archival

  • Suspend a tenant to freeze logins while preserving all data — used during investigations or disputes.
  • Archive a tenant to mark it historical; the tenant stays readable but is no longer included in NGO rollups.
  • Both transitions are audit-logged with a reason.

Unlocking a period

A Tenant Admin closes their own periods, but only a Platform Admin can unlock one — precisely so back-dating corrections cannot happen without platform-level visibility. Unlocking always requires a reason and step-up MFA, and both the unlock and the subsequent lock are joined into the audit chain.

Auditor scopes

See Auditor scopes for the full flow. Only Platform Admins can grant or revoke scopes.

Things you should never do

  • Record donations or expenses inside a tenant using your Platform Admin account. The system blocks this; don’t try to route around it by granting yourself a Tenant role casually.
  • Reset a user’s MFA without a documented request from them or their Tenant Admin. Every MFA reset is audit-logged with your name on it.
  • Share a Platform Admin account. Each Platform Admin is a real individual person with their own email.
  • Disable the append-only audit log or try to edit audit rows directly in the database. The hash chain will catch it, and the next daily chain anchor will make the tampering permanent in the record.