Team Management

Staff & Users

Administration of Super Admin accounts, Team members, and Security audit logs.

This module allows you to manage the internal team responsible for running the SaaS platform. Unlike "Clients" (which are your customers), Staff members have elevated privileges to access the Super Admin Panel.

Staff Lifecycle

1

Inviting Team Members

Admins are added via email invitation. They receive a secure link to set their password.

  • Required: Valid email address.
  • Role Assignment: Must select a Role (e.g. Support) during invite.
  • Expiry: Invites expire in 48 hours.
2

Offboarding & banning

When a staff member leaves, their access must be revoked immediately.

  • Soft Ban: Toggle "Active" status to false. Preserves logs.
  • Delete: Permanently removes the user. Warning: Orphaned audit logs may remain.

Security Policies

Two-Factor Authentication (2FA)

The platform enforces 2FA for all Super Admin accounts. Staff members must configure TOTP (Google Authenticator, Authy) upon their first login.

For emergency access recovery, only a Super Admin with Root access can reset a staff member's 2FA keys via the console.

🔐

Enforced by Default

Impersonation Audit

Because Support Agents have the ability to "Login as" tenants, strict auditing is in place. Every impersonation session is logged.

LOG_ID | STAFF_EMAIL | TARGET_TENANT | ACTION | TIMESTAMP
#99212 | [email protected] | Neon Records | ENTER | 2024-10-24 10:42:11
#99213 | [email protected] | Neon Records | VIEW_INVOICE | 2024-10-24 10:43:05
#99214 | [email protected] | Neon Records | EXIT | 2024-10-24 10:45:00

LabelStack - Music Distribution Platform

Staff Management Module v1.0.0