Skip to content
Kisum • Documentation

Admin Platform Specification

Status

Section titled “Status”

This document is FINAL and ENFORCEABLE for the Platform Admin system.

1. Core Principle

Section titled “1. Core Principle”
Platform Admin = system brain

This is the ONLY system allowed to:

  • create packages
  • define modules
  • assign entitlements
  • manage subscriptions
  • control delegation limits

2. Responsibilities

Section titled “2. Responsibilities”

2.1 Platform Admin controls:

Section titled “2.1 Platform Admin controls:”
  • Package catalog
  • Module catalog
  • Add-on catalog
  • Company approval
  • Company subscription lifecycle
  • Entitlements (via Core)
  • Delegation limits (via Auth)

3. What Admin MUST NOT do

Section titled “3. What Admin MUST NOT do”

Admin platform must NOT:

  • compute access
  • assign permissions directly to requests
  • bypass Auth or Core
  • store user permissions locally

4. Core Areas

Section titled “4. Core Areas”

4.1 Package Management

Section titled “4.1 Package Management”

Admin can:

  • create package
  • update package
  • enable/disable package
  • map modules to package

4.2 Module Management

Section titled “4.2 Module Management”

Admin can:

  • define modules (basic, finance, market, venue, ai, etc.)
  • assign permissions to modules (via Auth)
  • control module availability

4.3 Company Management

Section titled “4.3 Company Management”

Admin can:

  • approve company
  • reject company
  • activate company
  • deactivate company

4.4 Subscription Management

Section titled “4.4 Subscription Management”

Admin can:

  • assign package to company
  • add/remove add-ons
  • upgrade/downgrade subscription
  • expire subscription

All actions write to Platform Core

4.5 Delegation Control

Section titled “4.5 Delegation Control”

Admin defines:

  • what Admin can grant
  • what Manager can grant
  • limits per role

This writes to Auth system

5. Data Flow

Section titled “5. Data Flow”
Admin → Core → Entitlements
Admin → Auth → Delegation

6. Example Flows

Section titled “6. Example Flows”

6.1 Add Finance module to company

Section titled “6.1 Add Finance module to company”
  1. Admin selects company
  2. Admin adds Finance add-on
  3. Core updates entitlements
  4. entitlementVersion increases
  5. Cache invalidation triggered
  6. Users gain access AFTER Auth merge

6.2 Restrict delegation

Section titled “6.2 Restrict delegation”
  1. Admin updates delegation rules
  2. Auth updates access policy
  3. accessVersion increases
  4. Cache invalidation triggered

7. Security Rules

Section titled “7. Security Rules”
  • Only Platform Admin can modify Core data
  • All actions must be audited
  • All changes must trigger cache invalidation

8. Audit Requirements

Section titled “8. Audit Requirements”

Every action must log:

  • actor (admin)
  • action
  • target (company/package/module)
  • timestamp
  • previous state
  • new state

9. Final Rule

Section titled “9. Final Rule”
Platform Admin writes the rules.
Core stores the rules.
Auth applies the rules.
Backends enforce the rules.

10. Summary

Section titled “10. Summary”

Platform Admin is the control plane of the system.

Everything else is execution plane.