Platform admin
This section is for Novalien staff — SRE, support, and on-call engineers operating the NovaVMS deployment at novavms.novalien.com. It is not linked from the customer-facing role picker, and customers will never see it in navigation. If you are a customer admin, you want /admin instead.
What is different here from every other section: you operate across orgs. Your identity lives in platform_users, not users. Your login is /platform/login, a different route from /login. Your JWT carries no org_id claim and alone cannot reach any /api/v1/... org endpoint. To act inside a customer org you mint a scoped impersonation token (D80) — a 30-minute, non-refreshable JWT bound to exactly one target org, logged to both the platform audit log and the target org’s audit log. The customer’s Owner can revoke your access at any moment via the allow_platform_impersonation toggle. Every action you take is audited. Act accordingly.
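The token rules above, written as a request guard. This is an added example, not NovaVMS code: the `impersonator` claim, the reason strings, and the in-memory audit lists are assumptions, and the claims are assumed to be signature-verified already.

```python
# Added illustration; claim names other than org_id are assumptions.
MAX_TTL_SECONDS = 30 * 60  # impersonation lifetime stated on this page


def authorize_org_request(claims, path_org_id, org_settings, now, audit):
    """Gate an /api/v1/... org request on already signature-verified claims.

    Returns (allowed, reason). `impersonator` is a hypothetical claim that
    carries the platform_users id on a scoped impersonation token.
    """
    org_id = claims.get("org_id")
    if org_id is None:
        return False, "no_org_id"            # bare platform JWT
    if org_id != path_org_id:
        return False, "wrong_org"            # token is bound to one org only
    staff = claims.get("impersonator")
    if staff is None:
        return True, "org_user"              # ordinary customer token
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return False, "missing_times"
    if exp - iat > MAX_TTL_SECONDS:
        return False, "ttl_too_long"         # refuse tokens minted too long
    if now >= exp:
        return False, "expired"
    if not org_settings.get("allow_platform_impersonation", False):
        return False, "revoked_by_owner"     # toggle read on every request
    entry = {"staff": staff, "org_id": org_id, "at": now}
    audit["platform"].append(entry)          # platform audit log
    audit["org"].append(entry)               # target org's audit log
    return True, "impersonation"


def may_refresh(claims):
    """A refresh endpoint would refuse impersonation tokens outright."""
    return claims.get("impersonator") is None


# Constructed sample claims, not real tokens or org ids.
T0 = 1_700_000_000
PLATFORM_JWT = {"sub": "staff-1", "iat": T0, "exp": T0 + 3600}
IMPERSONATION = {"sub": "staff-1", "impersonator": "staff-1",
                 "org_id": "org-a", "iat": T0, "exp": T0 + MAX_TTL_SECONDS}
```

Reading the toggle on each request, rather than only at mint time, is what lets an Owner's revocation take effect before the 30 minutes run out.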
Scope inclusions: onboarding and 2FA enrollment, scoped impersonation, cross-org search, feature-flag rollout, release-pipeline monitoring, incident response. Out of scope here: any customer-facing UI path (see /admin, /operator), engineering-only runbooks (those live in docs/superpowers/plans/ in the repo).
In this section
- How scoped impersonation works — the D80 mental model and token lifecycle.
- Audit expectations — what gets logged, where, for how long.
- On-call basics — rotation, PagerDuty, P1 criteria, first 10 minutes.
- Set up your platform account and 2FA — for a new Novalien staff member.
- Cross-org search — find a camera, user, or gateway across every org.
- Feature-flag rollout — alpha → beta → GA, per-org opt-in.
- Release-pipeline monitoring — post-deploy health checks.
- Incident response runbook — first 30 minutes of a P1.
See also
- Five-role RBAC — where platform_admin sits in the hierarchy (D78, D80, D86).
- Roles and permissions — endpoint-level matrix.