
AuthenlySign Administrator Guide

Version: 2.0
Last Updated: February 2026
Target Audience: System Administrators, IT Managers, Security Officers


Table of Contents

  1. Administrator Roles & Responsibilities
  2. Initial Setup
  3. User Management
  4. Security Management
  5. Compliance & Auditing
  6. Monitoring & Analytics
  7. Integration Management
  8. Database Administration
  9. Incident Response
  10. Routine Maintenance
  11. Troubleshooting
  12. Best Practices

Administrator Roles & Responsibilities

Role Hierarchy

Role   | Capabilities
Owner  | Full system access, billing, organization deletion. Cannot be removed by others.
Admin  | User management (except owners), security settings, compliance config, all-document access. Cannot modify billing.
Member | Standard user: own documents, shared templates, personal analytics. No admin functions.

Assign roles at Dashboard > Team. Best practice: maintain at least 2 owners for redundancy.


Initial Setup

Step 1: Organization Configuration

Navigate to Dashboard > Settings:

  1. Organization Profile: Company name, industry, address, tax ID, primary contact
  2. Domain Verification (Enterprise): Add DNS TXT record to verify domain ownership and restrict signup to your domain
  3. Default Timezone & Locale: Set organization-wide defaults

Step 2: Security Configuration

Navigate to Dashboard > Admin > Security:

  1. Password Policy: Minimum 12 characters, complexity requirements, optional expiration
  2. Two-Factor Authentication: Enforce 2FA for all users (strongly recommended)
  3. Session Management: Idle timeout (default 30 minutes), concurrent session limits
  4. IP Whitelisting (Enterprise): Restrict access to known IP ranges at Settings > IP Whitelist

Step 3: Compliance Setup

Navigate to Dashboard > Admin > Compliance Center:

  1. Data Retention: Set retention periods (minimum 7 years recommended for legal documents)
  2. Audit Logging: Enabled by default with hash-chained integrity verification
  3. HIPAA (if applicable): Sign a BAA at Dashboard > Compliance > BAA, enable PHI encryption, configure breach notification
  4. GDPR/CCPA: Consent tracking is automatic. Data export and deletion available via Settings > Privacy

Step 4: Integration Configuration

  1. SSO/SAML (Large Team+): Configure at Settings > SSO -- supports Okta, Azure AD, OneLogin
  2. API Access (Medium Team+): Generate organization API keys at Settings > API Keys
  3. Webhooks: Configure event subscriptions at Settings > Webhooks
  4. Email Domain: Verify sender domain with SPF/DKIM/DMARC at Admin > Email Setup

Step 5: User Provisioning

  1. Individual: Invite via Dashboard > Team > Invite Member
  2. Bulk Import: Upload CSV (email,name,role) at Admin > Users > Bulk Import
  3. SCIM (Enterprise): Automatic provisioning via identity provider

User Management

Adding Users

  • Individual: Dashboard > Team > Invite Member > enter email, select role, send
  • Bulk: Admin > Users > Bulk Import > upload CSV > review > confirm

Managing Accounts

At Dashboard > Admin > Users, for each user you can:

  • View account status, last login, documents created, storage used
  • Change role
  • Reset password
  • Suspend or reactivate account
  • Extend trial period
  • Delete user (with option to transfer documents)

Offboarding

  1. Navigate to the user's profile in Admin > Users
  2. Click "Remove User"
  3. Choose data handling: Transfer documents to another user, Archive, or Delete (GDPR-compliant)
  4. Confirm removal -- access revoked immediately

Security Management

Security Dashboard (/dashboard/admin/security)

Real-time overview of:

  • Failed login attempts and suspicious activity
  • 2FA enrollment status across the organization
  • Active security incidents
  • WAF block events (SQL injection, XSS, bot detection)
  • Rate limit violations

Authentication Security

  • Password Policy: Configurable minimum length, complexity, expiration, and history
  • 2FA Enforcement: Toggle organization-wide enforcement; track enrollment percentage
  • SSO/SAML: Federated authentication with automatic provisioning
  • Session Management: Idle timeout, concurrent limits, force-logout on password change

Access Control

  • Row Level Security (RLS): All 60 database tables enforce RLS policies -- users can only access their own data
  • IP Whitelisting: Restrict dashboard and API access to known IP ranges
  • API Key Scoping: Keys are scoped to the organization with configurable expiration
  • Role-Based Access: Admin actions require requireAdmin() guard; cron jobs require CRON_SECRET

Encryption

Layer              | Standard
Data at rest       | AES-256 (Supabase managed)
Data in transit    | TLS 1.3 with HSTS
Digital signatures | RSA-2048 / ECDSA PKI certificates
Audit trail        | SHA-256 hash chain
Webhook payloads   | HMAC-SHA256 signature

WAF (Web Application Firewall)

Integrated into the proxy middleware, inspecting all /api/ requests for:

  • SQL injection patterns
  • Cross-site scripting (XSS) payloads
  • Path traversal attempts
  • Command injection
  • Known bot/scanner user agents (sqlmap, nikto, etc.)

Blocked requests return HTTP 403 with the triggering rule ID.

Security Health Check

Run the automated security validation at:

GET /api/health/security

This admin-only endpoint validates: environment variables, RLS policies, auth configuration, GDPR endpoints, HIPAA compliance, encryption standards, WAF engine (6 test vectors), input sanitizer (25+ injection patterns), and audit trail integrity.


Compliance & Auditing

Audit Logging

All user and system actions are logged to the audit_logs table with:

  • Actor (user ID, email, IP address, user agent)
  • Action type (documentcreated, documentsigned, userlogin, settingschanged, etc.)
  • Target resource
  • Timestamp
  • SHA-256 hash chain for tamper detection

Access logs at Dashboard > Compliance > Audit Log. Filter by user, event type, date range, or IP. Export as CSV or JSON.

Compliance Frameworks

Framework        | Status    | Configuration
SOC 2 Type II    | Supported | Audit logging, access controls, encryption
HIPAA            | Supported | Sign BAA at Compliance > BAA, enable PHI settings
GDPR             | Supported | Data export/deletion at Settings > Privacy
CCPA             | Supported | Consent tracking automatic
eIDAS            | Supported | Advanced electronic signatures with PKI
ESIGN Act / UETA | Compliant | Default for all signatures

Data Retention

Configure at Compliance > Data Retention:

  • Documents: 7 years (default), configurable
  • Audit logs: 10 years (default)
  • User data: 30 days after account deletion
  • Auto-deletion runs via cron job (/api/cron/data-retention)

GDPR Data Subject Rights

  • Right to Access (Export): Users can request a full data export at Settings > Privacy, or admins can trigger via POST /api/legal/export-data
  • Right to Erasure (Deletion): Users can request account deletion at Settings > Privacy, processed via POST /api/legal/delete-account
  • Right to Portability: Export includes all documents, signatures, and profile data in JSON format
  • All GDPR actions are logged in the compliance audit trail

Breach Notification

Automated breach detection and notification via lib/breach-notification.ts:

  1. Detect potential breach event
  2. Assess severity (critical, high, medium, low)
  3. Notify affected users and administrators
  4. Report to regulators if required (Enterprise)
  5. Generate incident report

Monitoring & Analytics

System Health (/dashboard/admin/health)

  • Database connectivity, API server status, storage health, email delivery rate
  • Response times, error rates, uptime percentage
  • Automated health checks at /api/health, /api/health/database, /api/health/email, /api/health/storage, /api/health/signing

Usage Analytics (/dashboard/analytics)

  • Total documents, active users, storage consumption
  • Signing completion rates and average time-to-complete
  • Template usage and performance
  • Predictive analytics at /dashboard/analytics/predictions

Admin Monitoring (/dashboard/admin/monitoring)

  • Real-time performance metrics
  • Alert configuration with thresholds for error rates, response times, and failed logins
  • Uptime monitoring for all services
  • Quality metrics at /dashboard/admin/quality-metrics

Integration Management

API Keys (/dashboard/settings/api-keys)

  1. Generate keys with name, description, and optional expiration
  2. Keys are sent in the Authorization: Bearer <key> request header
  3. Rotate keys every 90 days (rotation available at Settings > API Keys)
  4. Monitor usage via the API analytics dashboard

SSO/SAML (/dashboard/settings/sso)

  1. Select provider (Okta, Azure AD, OneLogin, custom SAML 2.0)
  2. Exchange metadata between AuthenlySign (SP) and your IdP
  3. Configure attribute mapping (email, name, role)
  4. Test the SSO flow before enabling organization-wide

Webhooks (/dashboard/settings/webhooks)

  1. Add endpoint URL
  2. Select events: document.created, document.signed, document.completed, user.created, subscription.changed
  3. Each delivery includes an HMAC-SHA256 signature in the x-authenlysign-signature header
  4. Failed deliveries retry with exponential backoff (5 attempts over 6 hours)
  5. Monitor delivery health and dead-letter queue at the webhook dashboard

Third-Party Integrations (/dashboard/integrations)

Marketplace of integrations: Salesforce, HubSpot, Microsoft Dynamics, Zapier, Slack, Google Workspace, Microsoft 365. Configure OAuth connections at Settings > Integrations.


Database Administration

Database Dashboard (/dashboard/admin/database)

  • Connection health and pool utilization
  • Slow query analysis
  • Index recommendations
  • Backup status and verification
  • Migration history

Backups

  • Automated daily backups via Supabase
  • Manual backup trigger at POST /api/admin/database/backups
  • Backup verification at POST /api/admin/database/backups/[backupId]/verify

Migrations

All schema changes are managed via numbered SQL scripts in the /scripts directory. Currently 82+ migrations covering 60 tables with full RLS policies.


Incident Response

Security Incidents

Report and track incidents at POST /api/security/incidents:

  1. Identify: Detect via monitoring alerts, WAF blocks, or user reports
  2. Contain: Suspend affected accounts, block IPs, revoke compromised keys
  3. Assess: Review audit logs, determine scope and severity
  4. Notify: Alert affected users and stakeholders
  5. Remediate: Apply fixes, rotate credentials, update policies
  6. Review: Post-incident analysis and documentation

Severity Levels

Level    | Response Time   | Examples
Critical | 1 hour          | Data breach, system-wide outage
High     | 4 hours         | Unauthorized access, major functionality loss
Medium   | 1 business day  | Minor vulnerability, intermittent errors
Low      | 2 business days | Informational, feature requests

Routine Maintenance

Weekly Tasks

  • [ ] Review security event logs at Admin > Security
  • [ ] Check system health dashboard
  • [ ] Review failed webhook deliveries
  • [ ] Monitor storage and database usage

Monthly Tasks

  • [ ] Rotate API keys approaching 90-day expiration
  • [ ] Audit user roles and remove inactive accounts
  • [ ] Review compliance dashboard for upcoming certification renewals
  • [ ] Export and archive audit logs

Quarterly Tasks

  • [ ] Run full security health check (GET /api/health/security)
  • [ ] Review and update data retention policies
  • [ ] Audit third-party integration permissions
  • [ ] Conduct access review across all admin accounts
  • [ ] Test incident response procedures

Troubleshooting

Common Issues

Users cannot sign in: Check account status (active/suspended), verify SSO configuration, review failed login logs, reset password.

Document upload failures: Verify file is PDF under 50 MB, check storage capacity, review error logs.

Email delivery issues: Verify sender domain DNS records (SPF, DKIM, DMARC), check email health at /api/health/email, review spam rates.

API errors: Verify API key validity and expiration, check rate limits, review error codes, test with /api/health.

Diagnostic Endpoints

Endpoint                   | Purpose
GET /api/health            | Overall system health
GET /api/health/database   | Database connectivity
GET /api/health/email      | Email delivery status
GET /api/health/storage    | File storage health
GET /api/health/security   | Security posture (admin only)
GET /api/health/production | Full production readiness check
GET /api/startup-check     | Environment and config validation

Best Practices

Security

  1. Enforce 2FA organization-wide
  2. Rotate API keys every 90 days
  3. Review security logs weekly
  4. Principle of least privilege -- grant minimum necessary roles
  5. IP whitelisting for admin and API access (Enterprise)

User Management

  1. Onboard thoroughly -- share this guide and the User Guide with new users
  2. Offboard immediately -- revoke access the same day an employee departs
  3. Audit roles quarterly -- remove unnecessary admin access

Compliance

  1. Keep certifications current -- set calendar reminders for renewals
  2. Test data export/deletion annually to verify GDPR workflows
  3. Sign BAA before handling any PHI
  4. Document everything -- maintain records of all compliance decisions

AuthenlySign Administrator Guide v2.0 -- February 2026
For the latest version, visit /resources/docs/admin-guide