firmflow. Super Admin Guide
This guide is intended for the firmflow. vendor administrators (Super Admins) who manage the system-level components, including firm onboarding, licensing, and global technical health.
1. Role Overview
The SUPER_ADMIN is a unique role defined at the system level. Unlike FIRM_ADMIN, who is confined to a single firm/tenant, the Super Admin has cross-tenant visibility and control.
Main Responsibilities:
* Firm Onboarding: Creating and configuring new firms (tenants).
* Licensing: Generating cryptographically signed license keys for firms.
* Infrastructure Health: Monitoring database sync nodes and system logs.
* Security Auditing: Accessing global audit logs to monitor system-wide activity.
Security Requirements
Super Admins must enable MFA immediately after first login. Never share Super Admin credentials. The SUPER_ADMIN role has cross-tenant visibility — treat it with the same care as a database root account.
2. Initial Setup
A SUPER_ADMIN user must be a member of the firmflow. vendor firm (slug: firmflow-vendor). The schema requires every user to have a firmId, so this dedicated firm acts as the vendor's own tenant.
Option A: Fresh Installation (Recommended)
Run the database seed — it creates the vendor firm and super admin automatically:
Default super admin credentials (change immediately):
| Field | Value |
|---|---|
| Email | admin@firmflow.co |
| Password | SuperAdmin@123 |
| Role | SUPER_ADMIN |
Option B: Existing Database (CLI Script)
Use the provisioning script to create or promote a super admin on a live database without overwriting existing data:
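```bash
# The password is passed as a command-line argument, so it is recorded in
# shell history and visible in the process list while the script runs.
# New super admin
npx tsx scripts/create-super-admin.ts admin@firmflow.co "MyStr0ngP@ss!" "Vendor Admin"
# Promote an existing user to SUPER_ADMIN
npx tsx scripts/create-super-admin.ts existing@user.com "ExistingPass"
```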
The script will:
1. Create the firmflow-vendor firm if it doesn't exist.
2. Create a new SUPER_ADMIN user, or promote an existing user if the email already exists.
Option C: Direct SQL (Emergency)
If scripts are unavailable, run this directly against the PostgreSQL database:
```sql
-- Step 1: Create the vendor firm (only needed once)
INSERT INTO "Firm" (id, name, slug, email, country, "createdAt", "updatedAt")
VALUES (gen_random_uuid(), 'firmflow. (Vendor)', 'firmflow-vendor', 'admin@firmflow.co', 'Nigeria', NOW(), NOW())
ON CONFLICT (slug) DO NOTHING;
-- Step 2: Get the vendor firm ID
SELECT id FROM "Firm" WHERE slug = 'firmflow-vendor';
-- Step 3: Create the super admin user (replace <FIRM_ID> and <BCRYPT_HASH>)
INSERT INTO "User" (id, "firmId", email, name, "passwordHash", role, "isActive", "createdAt", "updatedAt")
VALUES (gen_random_uuid(), '<FIRM_ID>', 'admin@firmflow.co', 'Vendor Admin', '<BCRYPT_HASH>', 'SUPER_ADMIN', true, NOW(), NOW());
```
Generating a bcrypt hash
Generate a hash for the SQL option using Node.js:
Onboarding a New Firm
Currently, new firms are created via the system registration or by manual database insertion. Every firm is assigned a unique slug, which determines their client portal URL (e.g., firmname.firmflow.ng).
Viewing Firm Statistics
Navigate to System Administration (/dashboard/admin/firms) to see a bird's-eye view of all firms:
* Active Status: Whether the firm is currently operational or suspended.
* User Counts: Total staff and client users.
* License Expiry: Days remaining on their current subscription.
Lead Pipeline Management
To manage prospective enterprise clients and inquiries from the public landing page:
1. Navigate to Enterprise Leads (/dashboard/admin/leads).
2. Review incoming contact requests, staff size requirements, and messages.
3. Update the progress status (New, Contacted, Demo, etc.) as the sales cycle progresses.
4. For more details, see the Lead Management Guide.
3. License Generation & Management
firmflow. uses an offline-first cryptographic licensing model. Licenses are signed with a private secret (LICENSE_SECRET) and verified locally by the firm's node.
Tiers & Limits
| Tier | Staff Seat Limit | Key Features |
|---|---|---|
| BASIC | 10 Seats | Core Document Vault, Basic Audit Logs |
| PROFESSIONAL | 25 Seats | Compliance Pulse™, Signature Requests |
| ENTERPRISE | Unlimited (1000+) | AI Workflows, LDAP Integration, Batch Billing |
Issuing a License
- Navigate to the specific firm's detail page (/dashboard/admin/firms/[id]).
- Select the desired Tier.
- Set an Expiry Date (leave blank for Perpetual).
- The system will generate a Signed License Key.
- Provide this key to the firm's IT administrator to apply to their on-premise installation.
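The signing and offline verification described in this section, sketched as an added example that is not firmflow.'s own code. It assumes LICENSE_SECRET keys an HMAC-SHA256 over a base64url JSON payload; the key layout, the field names and the functions `issueLicense` and `verifyLicense` are hypothetical.

```javascript
// Added example: assumed HMAC-SHA256 license format, not firmflow.'s own code.
const { createHmac, timingSafeEqual } = require("crypto");

// Seat limits from the Tiers & Limits table; ENTERPRISE is treated as unlimited.
const SEAT_LIMITS = { BASIC: 10, PROFESSIONAL: 25, ENTERPRISE: Infinity };

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const mac = (secret, data) => createHmac("sha256", secret).update(data).digest();

// Vendor side. expiresAt is an ISO date string, or null for a Perpetual license.
function issueLicense(secret, { firmSlug, tier, expiresAt = null }) {
  if (!Object.hasOwn(SEAT_LIMITS, tier)) throw new Error(`unknown tier: ${tier}`);
  if (expiresAt !== null && Number.isNaN(Date.parse(expiresAt))) throw new Error("bad expiry");
  const payload = b64u(JSON.stringify({ firmSlug, tier, expiresAt }));
  return `${payload}.${b64u(mac(secret, payload))}`;
}

// Firm node side, no network needed. Returns { ok, reason } or { ok, claims, seatLimit }.
function verifyLicense(secret, key, firmSlug, now = new Date()) {
  const parts = String(key).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [payload, sig] = parts;
  const expected = mac(secret, payload);
  const given = Buffer.from(sig, "base64url");
  // Authenticate before parsing any field, and compare in constant time.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  // Bind the key to one tenant so it cannot be applied to another firm's node.
  if (claims.firmSlug !== firmSlug) return { ok: false, reason: "wrong-firm" };
  if (claims.expiresAt !== null && new Date(claims.expiresAt) <= now) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims, seatLimit: SEAT_LIMITS[claims.tier] };
}

// Constructed sample values, for demonstration only.
const DEMO_SECRET = "constructed-demo-secret-not-a-real-LICENSE_SECRET";
const demoKey = issueLicense(DEMO_SECRET, {
  firmSlug: "acme-legal", tier: "PROFESSIONAL", expiresAt: "2030-01-01T00:00:00Z",
});
console.log(verifyLicense(DEMO_SECRET, demoKey, "acme-legal", new Date("2029-06-01")));
```

HMAC is symmetric: any host that holds the secret in order to verify a key can also issue one, which is why deployments that verify on customer hardware commonly use an asymmetric signature such as Ed25519 instead.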
4. Technical Operations
Database Sync Nodes
Super Admins can monitor the status of local sync nodes. These nodes handle the transfer of data from legacy SQL Anywhere databases to the main FirmFlow PostgreSQL storage.
- Status Indicators: Green (Active), Amber (Delayed), Red (Offline).
- Action: If a node is Red, notify the firm's IT department to restart the local firmflow-sync service.
Global Audit Logs
The Audit section allows Super Admins to view every high-level administrative action taken across the entire system, including:
* License issuance.
* Firm creation/suspension.
* Super Admin login attempts.
5. Security Best Practices
- MFA Mandatory: Super Admins must have Multi-Factor Authentication enabled.
- Least Privilege: Do not share Super Admin credentials. Use the "Team" section within a firm to grant FIRM_ADMIN access if you only need to manage a specific organization's data.
- On-Premise Boundaries: Remember that while you manage the software, the actual data resides on the firm's hardware. Your access is typically limited to metadata and management APIs unless a direct support tunnel is established.