
Set up your platform account and 2FA

Platform-admin accounts are not self-service. Another platform admin must provision yours — there is no /platform/signup route. This mirrors the rule for users (admins create admins, per D78) applied one tier up (D80, D86): the platform tier’s trust model requires a live human to vouch for every account.

Every step below produces an audit entry in platform_audit_log (365-day retention). You will see your own entries listed at /platform/audit-log after your first login.

Procedure

  1. Request access. Post in #novavms-platform-access tagging the engineering lead. Include: your Novalien email, your expected role (SRE / support / engineer), a short reason ("on-call rotation — Q2 2026" is fine). The lead approves in-thread.

  2. An existing platform admin provisions the account. They log into /platform/login, then use POST /api/v1/platform/platform-users (or the /platform/admins UI when it ships) with your email and display name. The server generates an initial 16-character random password and stores only the bcrypt hash. platform.user_created is written to the platform audit log.

  3. Receive your initial password via 1Password vault. The provisioning admin uploads the password to the shared vault path Engineering → NovaVMS → platform-admins → <your-email>.initial and sends you the item link in Slack DM. No plaintext passwords in chat. If 1Password is unavailable, the fallback is a Signal message — never email, never Slack body.

  4. First login. Navigate to https://novavms.novalien.com/platform/login. Sign in with your email and the initial password. You will be redirected to a forced password-change page (password_reset_required = true).

  5. Change your password. Minimum 12 characters, with the same complexity rules as org users. Store the new password in your own 1Password vault, not the shared one. Delete the initial-password item from the shared vault once you have confirmed sign-in works.

  6. Enroll in 2FA (mandatory). Go to /platform/me/2fa. Scan the TOTP QR with your authenticator (1Password TOTP, Authy, Google Authenticator — not SMS). Enter the 6-digit code to confirm. Save the 8 backup codes to your personal 1Password. 2FA is enforced on every platform login from the moment you enable it.

  7. Verify cross-org read access. Navigate to /platform/orgs. You should see the full list of customer orgs (metadata only — name, slug, plan, owner email, status). If the list is empty or returns 403, your account was not granted the platform role correctly — ask the provisioning admin to check. No impersonation is needed for this step, only the platform JWT.

  8. (Optional) Smoke-test a mint against staging. Mint a 30-minute impersonation token against the novalien-internal-staging org with reason: "onboarding smoke-test". Confirm the red banner appears, confirm your action shows up in both the platform audit log and the staging org’s /admin/audit-log. End the impersonation explicitly when done. This proves the full path works before your first real incident.
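The 2FA step above is the one piece of this procedure with real protocol behind it, so here is a worked model of what the server behind /platform/me/2fa has to get right: issuing a TOTP secret and the otpauth URI the QR encodes (the base32 string in it is the "manual text secret"), verifying the 6-digit confirmation code per RFC 6238 with a small clock-skew window and a replay guard, and handing out 8 single-use backup codes that are stored only as hashes. This is an added example written for this page, not NovaVMS code; the in-memory storage, the one-step skew tolerance, the backup-code format and the platform.2fa_backup_code_used event name are assumptions. The hotp/totp functions are checked against the RFC 4226/6238 test vectors.

```python
"""Added illustration of platform 2FA enrollment, not NovaVMS source."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6
SKEW_STEPS = 1            # assumption: accept one 30 s step either side of "now"
BACKUP_CODE_COUNT = 8


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, at // STEP_SECONDS)


def otpauth_uri(secret: bytes, account: str, issuer: str = "NovaVMS Platform") -> str:
    """What the QR at /platform/me/2fa would encode; the base32 secret is the
    'manual text secret' shown under it (issuer label is an assumption)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


class PlatformTwoFactor:
    """Server-side 2FA state for one platform-admin account (in-memory stand-in)."""

    def __init__(self, email: str):
        self.email = email
        self.secret = secrets.token_bytes(20)   # 160-bit secret, as RFC 4226 recommends
        self.enabled = False
        self._backup_hashes = set()             # sha256 digests only, never plaintext
        self._last_counter = -1                 # replay guard: a step is accepted once
        self.audit = []                         # stand-in for platform_audit_log rows

    def enrollment_uri(self) -> str:
        return otpauth_uri(self.secret, self.email)

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        """Constant-time compare against the current step and SKEW_STEPS on each
        side; a step already used for a successful login is refused (replay)."""
        now = int(time.time()) if now is None else now
        base = now // STEP_SECONDS
        for counter in range(base - SKEW_STEPS, base + SKEW_STEPS + 1):
            if counter <= self._last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self._last_counter = counter
                return True
        return False

    def confirm_enrollment(self, code: str, now: Optional[int] = None) -> list:
        """Step 6: the first valid code enables 2FA and returns the 8 backup codes.
        The plaintext is shown once; only hashes are retained."""
        if not self.verify_totp(code, now):
            raise ValueError("TOTP code rejected; check the authenticator clock (NTP)")
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODE_COUNT)]  # 10 hex chars each
        self._backup_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        self.enabled = True
        self.audit.append("platform.2fa_enabled")
        return codes

    def verify_backup_code(self, code: str) -> bool:
        """Backup codes are single-use: a successful match removes the stored hash."""
        digest = hashlib.sha256(code.strip().lower().encode()).digest()
        for stored in self._backup_hashes:
            if hmac.compare_digest(stored, digest):
                self._backup_hashes.remove(stored)
                self.audit.append("platform.2fa_backup_code_used")  # assumed event name
                return True
        return False

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)


def demo(now: int = 1_700_000_000) -> dict:
    """Walk the enrollment as an onboarding admin would, at a fixed clock."""
    tfa = PlatformTwoFactor("you@novalien.com")
    codes = tfa.confirm_enrollment(totp(tfa.secret, now), now)
    later = now + 10 * STEP_SECONDS
    one_step_old = totp(tfa.secret, later - STEP_SECONDS)
    return {
        "enabled": tfa.enabled,
        "uri_has_secret": "secret=" in tfa.enrollment_uri(),
        "skew_ok": tfa.verify_totp(one_step_old, later),            # within window
        "replay_rejected": tfa.verify_totp(one_step_old, later),    # same step twice
        "drift_rejected": tfa.verify_totp(                          # 5 steps off
            totp(tfa.secret, later + 5 * STEP_SECONDS), later + 10 * STEP_SECONDS),
        "backup_once": tfa.verify_backup_code(codes[0]),
        "backup_reuse": tfa.verify_backup_code(codes[0]),
        "remaining": tfa.backup_codes_remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

The drift case is why the troubleshooting entry below points at NTP: an authenticator whose clock is several steps off produces codes the server never considers, however correct the secret is. The replay guard matters on the server side because a TOTP code is valid for the whole step, so without it an observed code can be reused within that window.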

Verify

  • /platform/me shows your email, display name, 2FA enrolled, last_login_at within the last hour.
  • /platform/audit-log contains at minimum: platform.login, platform.password_changed, platform.2fa_enabled entries for you.
  • /platform/orgs returns the full customer list without 403.
  • If you ran step 8, the staging org’s audit log at /admin/audit-log (accessed via that same mint) shows your platform.impersonation_started entry with a Platform Support badge.

If this didn’t work

  • Cannot reach /platform/login — check VPN/Tailscale (on-prem staff only). Platform console is not geo-restricted in prod but may be allowlisted in staging.
  • 403 PLATFORM_ACCESS_DENIED after login — the provisioning admin set enabled = false or did not commit the insert. Ask them to re-run.
  • 2FA QR does not scan — enter the manual text secret shown under the QR into your authenticator instead. If the QR or secret is accepted but the 6-digit code is rejected, your device clock is off by more than 90 seconds (check NTP); the code, not the secret, is what depends on time.

See also