
SUPER ADMIN MODEL

Super Admins are platform-level administrators who can manage the entire Supen instance, create organizations, and assign organization admins.

Super Admin (Platform Level)
└─ Organizations
   ├─ Owner (Organization Level)
   ├─ Admin (Organization Level)
   └─ Member (Organization Level)

Organization management:
  • View all organizations across the platform
  • Create new organizations for customers/teams
  • Assign users as organization owners
  • View platform-wide statistics and usage
  • Manage platform settings and configurations
  • Access any organization’s admin panel
  • Promote/demote organization owners
  • Delete organizations (with proper safeguards)
  • View organization member lists
  • Reset organization settings if needed

User management:
  • View all users on the platform
  • Grant/revoke super admin access
  • View user activity and login history
  • Manage user accounts (disable, delete)
CREATE TABLE super_admins (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id UUID UNIQUE NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
  granted_by UUID REFERENCES auth.users(id),   -- who granted the access
  granted_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
  notes TEXT,
  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);

-- Check if user is super admin.
-- SECURITY DEFINER lets the function read super_admins regardless of the
-- caller's RLS policies. Because it runs with the owner's privileges,
-- search_path is pinned so a caller cannot shadow super_admins with a table
-- of their own (adjust "public" if the table lives in another schema).
-- STABLE lets the planner evaluate it once per statement.
CREATE FUNCTION is_super_admin(uid UUID)
RETURNS BOOLEAN AS $$
BEGIN
  RETURN EXISTS (
    SELECT 1 FROM super_admins WHERE user_id = uid
  );
END;
$$ LANGUAGE plpgsql STABLE SECURITY DEFINER SET search_path = public, pg_temp;

The super_admins table itself must have row level security enabled and no INSERT, UPDATE or DELETE policy; otherwise any authenticated user who can reach the table through the API could insert their own row and become a super admin. Grants and revokes should only happen through the service role or direct SQL.

Super admins can view and manage ALL organizations:

CREATE POLICY "Super admins can view all organizations"
ON organizations FOR SELECT
USING (is_super_admin(auth.uid()));
CREATE POLICY "Super admins can update all organizations"
ON organizations FOR UPDATE
USING (is_super_admin(auth.uid()));

Super admins can manage members of ANY organization:

CREATE POLICY "Super admins can manage all organization members"
ON organization_members FOR ALL
USING (is_super_admin(auth.uid()));
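The policies above are only as strong as the super_admins table they consult. The following is an added example, not part of the original design notes: it enables row level security on super_admins with SELECT-only policies (so grants and revokes can only be made by the service role or direct SQL), re-creates is_super_admin() with a pinned search_path, and restricts who may execute it. It assumes Supabase's anon, authenticated and service_role roles, the auth.uid() function, and that the table lives in the public schema.

```sql
-- Added example: lock down super_admins and the is_super_admin() helper.
-- Assumes Supabase-style roles (anon, authenticated, service_role), the
-- auth.uid() function, and that super_admins lives in the public schema.

-- 1. Enable RLS. With RLS off, any authenticated user reaching the table
--    through the API could INSERT their own row and become super admin.
--    No INSERT/UPDATE/DELETE policy is created on purpose: only the
--    service role (or direct SQL) can grant or revoke.
ALTER TABLE public.super_admins ENABLE ROW LEVEL SECURITY;

-- 2. Read access: a user may look up their own row; super admins see all.
CREATE POLICY "Users can read their own super admin row"
  ON public.super_admins FOR SELECT
  USING (user_id = auth.uid());

CREATE POLICY "Super admins can read all super admin rows"
  ON public.super_admins FOR SELECT
  USING (is_super_admin(auth.uid()));

-- 3. The helper runs as its owner (SECURITY DEFINER), which is how it can
--    read super_admins from inside a policy without recursing through RLS.
--    Pin search_path so a caller cannot shadow the table with one of their
--    own; STABLE lets the planner evaluate it once per statement.
CREATE OR REPLACE FUNCTION public.is_super_admin(uid UUID)
RETURNS BOOLEAN
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
  SELECT EXISTS (SELECT 1 FROM public.super_admins WHERE user_id = uid);
$$;

-- 4. Functions are executable by PUBLIC by default; only signed-in users
--    (and the service role) need this one.
REVOKE EXECUTE ON FUNCTION public.is_super_admin(UUID) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.is_super_admin(UUID) TO authenticated, service_role;
```

The table owner bypasses RLS, which is why the SECURITY DEFINER helper can be used inside a policy on the very table it reads without causing infinite recursion; do not add FORCE ROW LEVEL SECURITY to super_admins, or the helper would be subject to its own policy.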
/superadmin/                 # Super admin dashboard
├── organizations/           # All organizations list
│   ├── new                  # Create new organization
│   └── [id]                 # Organization details
├── users/                   # All users list
├── super-admins/            # Manage super admins
└── settings/                # Platform settings
GET /api/superadmin/organizations # List all organizations
POST /api/superadmin/organizations # Create organization
GET /api/superadmin/organizations/:id # Get any organization
PATCH /api/superadmin/organizations/:id # Update any organization
DELETE /api/superadmin/organizations/:id # Delete organization
GET /api/superadmin/users # List all users
GET /api/superadmin/users/:id # Get user details
PATCH /api/superadmin/users/:id # Update user
GET /api/superadmin/super-admins # List super admins
POST /api/superadmin/super-admins # Grant super admin
DELETE /api/superadmin/super-admins/:id # Revoke super admin
GET /api/superadmin/stats # Platform statistics
// In proxy.ts
// request.url is the full URL, so match on the pathname; NextResponse.redirect
// requires an absolute URL. This check is a UX guard only: each /api/superadmin
// handler and the RLS policies must enforce access on their own.
const isSuperAdmin = await checkSuperAdmin(userId);
if (request.nextUrl.pathname.startsWith('/superadmin') && !isSuperAdmin) {
  return NextResponse.redirect(new URL('/', request.url));
}

interface AuthContextType {
  user: User | null;
  isSuperAdmin: boolean; // New field: drives the super admin UI only, never authorization
  // ... other fields
}

Since there’s no super admin initially, we need a way to create the first one:

Option 1: Environment Variable

Option 2: SQL Direct Insert

INSERT INTO super_admins (user_id, notes)
SELECT id, 'Initial super admin'
FROM auth.users
WHERE email = '[email protected]';

Option 3: Special Setup Route. Create a one-time setup route that checks that no super admin exists yet, verifies a setup secret, and inserts the first one:

GET /setup/super-admin?token=SECRET_SETUP_TOKEN

Caveat: a token in a query string ends up in server, proxy and browser-history logs, and GET is the wrong verb for a state change. Prefer a POST with the token in a header, compare it in constant time, make the "no super admin exists" check and the insert atomic so two concurrent requests cannot both succeed, and remove or disable the route once it has run.
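Whichever option performs the bootstrap, the "only while the table is empty" rule is best enforced in the database rather than in the route handler. The following is an added example (not from the page): a function that locks the table, refuses if any super admin already exists, and inserts the first one, callable only by the service role. It assumes the super_admins and auth.users tables above and Supabase's role names; the function name is this example's own.

```sql
-- Added example: one-shot bootstrap of the first super admin.
-- Assumes public.super_admins and auth.users from the page, and the
-- Supabase roles anon, authenticated and service_role.
CREATE OR REPLACE FUNCTION public.bootstrap_first_super_admin(p_email TEXT)
RETURNS UUID
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
DECLARE
  v_user_id UUID;
BEGIN
  -- Serialize concurrent bootstrap attempts: SHARE ROW EXCLUSIVE conflicts
  -- with itself, so two callers cannot both pass the emptiness check
  -- before either inserts.
  LOCK TABLE public.super_admins IN SHARE ROW EXCLUSIVE MODE;

  IF EXISTS (SELECT 1 FROM public.super_admins) THEN
    RAISE EXCEPTION 'bootstrap refused: a super admin already exists'
      USING ERRCODE = 'check_violation';
  END IF;

  SELECT id INTO v_user_id FROM auth.users WHERE email = p_email;
  IF v_user_id IS NULL THEN
    RAISE EXCEPTION 'bootstrap refused: no auth.users row for %', p_email;
  END IF;

  INSERT INTO public.super_admins (user_id, notes)
  VALUES (v_user_id, 'Initial super admin (bootstrap)');

  RETURN v_user_id;
END;
$$;

-- Functions in the public schema are exposed as RPC to API roles by default;
-- only the service role (the server-side setup route, or psql) may run this.
REVOKE EXECUTE ON FUNCTION public.bootstrap_first_super_admin(TEXT)
  FROM PUBLIC, anon, authenticated;
GRANT EXECUTE ON FUNCTION public.bootstrap_first_super_admin(TEXT) TO service_role;

-- Usage from the setup route (service role client) or psql; the address is a placeholder:
-- SELECT public.bootstrap_first_super_admin('first-admin@example.com');
```

A second call, even from the service role, fails with check_violation once a row exists, so the setup route cannot be replayed to add further super admins; those go through the normal grant endpoint.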
  1. Audit Logging: All super admin actions should be logged
  2. Two-Factor Authentication: Require 2FA for super admins
  3. Session Timeout: Shorter session timeout for super admin sessions
  4. IP Restrictions: Optional IP whitelist for super admin access
  5. Approval Process: Major actions (delete org) require confirmation
  • Display “Super Admin” badge in user menu
  • Different color scheme for super admin interface
  • Clear indication when accessing as super admin vs org admin
  • Super admins see “All Organizations” view
  • Can impersonate/switch to any organization
  • Clear indicator of current context (platform vs organization)
  • All super admin actions visible in audit log
  • Show who performed action and when
  • Include before/after state for modifications
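Audit logging with actor, timestamp and before/after state can be enforced in the database instead of in every API handler, which also catches changes made outside the app. The following is an added example (not from the page) serving both item 1 of the security considerations and the audit bullets above: an append-only audit table and a trigger on super_admins and organizations. It assumes auth.uid() and that organizations has a UUID id column; the table and function names are this example's own.

```sql
-- Added example: database-level audit log for super admin model changes.
-- Assumes auth.uid(), public.super_admins, and a public.organizations table
-- with a UUID id column. Names below are this example's own.
CREATE TABLE public.super_admin_audit_log (
  id          BIGSERIAL PRIMARY KEY,
  actor_id    UUID,                         -- auth.uid() at the time; NULL for direct SQL
  action      TEXT NOT NULL,                -- INSERT / UPDATE / DELETE
  table_name  TEXT NOT NULL,
  row_id      UUID,
  old_row     JSONB,                        -- before state (UPDATE, DELETE)
  new_row     JSONB,                        -- after state (INSERT, UPDATE)
  occurred_at TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Append-only from the API: super admins may read it; no policy allows
-- INSERT/UPDATE/DELETE, so only the trigger (SECURITY DEFINER) writes to it.
ALTER TABLE public.super_admin_audit_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Super admins can read the audit log"
  ON public.super_admin_audit_log FOR SELECT
  USING (is_super_admin(auth.uid()));

CREATE OR REPLACE FUNCTION public.record_super_admin_audit()
RETURNS TRIGGER
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
BEGIN
  INSERT INTO public.super_admin_audit_log
    (actor_id, action, table_name, row_id, old_row, new_row)
  VALUES (
    auth.uid(),
    TG_OP,
    TG_TABLE_NAME,
    -- CASE only evaluates the chosen branch, so NEW is not touched on DELETE
    CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
    CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
    CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
  );
  RETURN NULL;  -- AFTER trigger: return value is ignored
END;
$$;

CREATE TRIGGER audit_super_admins
  AFTER INSERT OR UPDATE OR DELETE ON public.super_admins
  FOR EACH ROW EXECUTE FUNCTION public.record_super_admin_audit();

CREATE TRIGGER audit_organizations
  AFTER INSERT OR UPDATE OR DELETE ON public.organizations
  FOR EACH ROW EXECUTE FUNCTION public.record_super_admin_audit();
```

The organizations trigger records changes by organization owners as well, so the super admin view of the log should filter on actor_id against super_admins; rows with a NULL actor_id came from the service role or direct SQL and deserve their own review.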