AuthenlySign Administrator Guide
Version: 2.1 Last Updated: June 2026 Target Audience: System Administrators, IT Managers, Security Officers
Table of Contents
- Administrator Roles & Responsibilities
- Initial Setup
- User Management
- Security Management
- Compliance & Auditing
- Monitoring & Analytics
- Integration Management
- Database Administration
- Platform Administration
- Incident Response
- Routine Maintenance
- Troubleshooting
- Best Practices
Administrator Roles & Responsibilities
Role Hierarchy
| Role | Capabilities |
|---|---|
| Owner | Full system access, billing, organization deletion. Cannot be removed by others. |
| Admin | User management (except owners), security settings, compliance config, all-document access. Cannot modify billing. |
| Member | Standard user: own documents, shared templates, personal analytics. No admin functions. |
Assign roles at Dashboard > Team. Best practice: maintain at least 2 owners for redundancy.
Initial Setup
Step 1: Organization Configuration
Navigate to Dashboard > Settings:
- Organization Profile: Company name, industry, address, tax ID, primary contact
- Domain Verification (Enterprise): Add DNS TXT record to verify domain ownership and restrict signup to your domain
- Default Timezone & Locale: Set organization-wide defaults
Step 2: Security Configuration
Navigate to Dashboard > Admin > Security:
- Password Policy: Minimum 12 characters, complexity requirements, optional expiration
- Two-Factor Authentication: Enforce 2FA for all users (strongly recommended)
- Session Management: Idle timeout (default 30 minutes), concurrent session limits
- IP Whitelisting (Enterprise): Restrict access to known IP ranges at Settings > IP Whitelist
Step 3: Compliance Setup
Navigate to Dashboard > Admin > Compliance Center:
- Data Retention: Set retention periods (minimum 7 years recommended for legal documents)
- Audit Logging: Enabled by default with hash-chained integrity verification
- HIPAA (if applicable): Sign a BAA at Dashboard > Compliance > BAA, enable PHI encryption, configure breach notification
- GDPR/CCPA: Consent tracking is automatic. Data export and deletion available via Settings > Privacy
Step 4: Integration Configuration
- SSO/SAML (Large Team+): Configure at Settings > SSO -- supports Okta, Azure AD, OneLogin
- API Access (Medium Team+): Generate organization API keys at Settings > API Keys
- Webhooks: Configure event subscriptions at Settings > Webhooks
- Email Domain: Verify sender domain with SPF/DKIM/DMARC at Admin > Email Setup
Step 5: User Provisioning
- Individual: Invite via Dashboard > Team > Invite Member
- Bulk Import: Upload CSV (
email,name,role) at Admin > Users > Bulk Import - SCIM (Enterprise): Automatic provisioning via identity provider
User Management
Adding Users
- Individual: Dashboard > Team > Invite Member > enter email, select role, send
- Bulk: Admin > Users > Bulk Import > upload CSV > review > confirm
Managing Accounts
At Dashboard > Admin > Users, for each user you can:
- View account status, last login, documents created, storage used
- Change role
- Reset password
- Suspend or reactivate account
- Extend trial period
- Delete user (with option to transfer documents)
Offboarding
- Navigate to the user's profile in Admin > Users
- Click "Remove User"
- Choose data handling: Transfer documents to another user, Archive, or Delete (GDPR-compliant)
- Confirm removal -- access revoked immediately
Security Management
Security Dashboard (/dashboard/admin/security)
Real-time overview of:
- Failed login attempts and suspicious activity
- 2FA enrollment status across the organization
- Active security incidents
- WAF block events (SQL injection, XSS, bot detection)
- Rate limit violations
Authentication Security
- Password Policy: Configurable minimum length, complexity, expiration, and history
- 2FA Enforcement: Toggle organization-wide enforcement; track enrollment percentage
- SSO/SAML: Federated authentication with automatic provisioning
- Session Management: Idle timeout, concurrent limits, force-logout on password change
Access Control
- Row Level Security (RLS): All 60 database tables enforce RLS policies -- users can only access their own data
- IP Whitelisting: Restrict dashboard and API access to known IP ranges
- API Key Scoping: Keys are scoped to the organization with configurable expiration
- Role-Based Access: Admin actions require
requireAdmin()guard; cron jobs requireCRON_SECRET
Encryption
| Layer | Standard |
|---|---|
| Data at rest | AES-256 (Supabase managed) |
| Data in transit | TLS 1.3 with HSTS |
| Digital signatures | RSA-2048 / ECDSA PKI certificates |
| Audit trail | SHA-256 hash chain |
| Webhook payloads | HMAC-SHA256 signature |
WAF (Web Application Firewall)
Integrated into the proxy middleware, inspecting all /api/ requests for:
- SQL injection patterns
- Cross-site scripting (XSS) payloads
- Path traversal attempts
- Command injection
- Known bot/scanner user agents (sqlmap, nikto, etc.)
Blocked requests return HTTP 403 with the triggering rule ID.
Security Health Check
Run the automated security validation at:
GET /api/health/securityThis admin-only endpoint validates: environment variables, RLS policies, auth configuration, GDPR endpoints, HIPAA compliance, encryption standards, WAF engine (6 test vectors), input sanitizer (25+ injection patterns), and audit trail integrity.
SIEM Integration (/dashboard/admin/siem)
Forward security and audit events to your Security Information and Event Management platform for centralized monitoring:
- Select a provider: Splunk, Datadog, Elastic, Sumo Logic, or Microsoft Sentinel
- Enter the connection details (endpoint URL and API token/HEC key)
- Choose which event categories to stream (authentication, WAF blocks, admin actions, document events)
- Test the connection, then enable real-time forwarding
Use the Security Status view (/dashboard/admin/security-status) for an at-a-glance posture summary across these controls.
Compliance & Auditing
Audit Logging
All user and system actions are logged to the audit_logs table with:
- Actor (user ID, email, IP address, user agent)
- Action type (documentcreated, documentsigned, userlogin, settingschanged, etc.)
- Target resource
- Timestamp
- SHA-256 hash chain for tamper detection
Access logs at Dashboard > Compliance > Audit Log. Filter by user, event type, date range, or IP. Export as CSV or JSON.
Compliance Frameworks
| Framework | Status | Configuration |
|---|---|---|
| SOC 2 Type II | Supported | Audit logging, access controls, encryption |
| HIPAA | Supported | Sign BAA at Compliance > BAA, enable PHI settings |
| GDPR | Supported | Data export/deletion at Settings > Privacy |
| CCPA | Supported | Consent tracking automatic |
| eIDAS | Supported | Advanced electronic signatures with PKI |
| ESIGN Act / UETA | Compliant | Default for all signatures |
Data Retention
Configure at Compliance > Data Retention:
- Documents: 7 years (default), configurable
- Audit logs: 10 years (default)
- User data: 30 days after account deletion
- Auto-deletion runs via cron job (
/api/cron/data-retention)
GDPR Data Subject Rights
- Right to Access (Export): Users can request a full data export at Settings > Privacy, or admins can trigger via
POST /api/legal/export-data - Right to Erasure (Deletion): Users can request account deletion at Settings > Privacy, processed via
POST /api/legal/delete-account - Right to Portability: Export includes all documents, signatures, and profile data in JSON format
- All GDPR actions are logged in the compliance audit trail
Breach Notification
Automated breach detection and notification via lib/breach-notification.ts:
- Detect potential breach event
- Assess severity (critical, high, medium, low)
- Notify affected users and administrators
- Report to regulators if required (Enterprise)
- Generate incident report
Monitoring & Analytics
System Health (/dashboard/admin/health)
- Database connectivity, API server status, storage health, email delivery rate
- Response times, error rates, uptime percentage
- Automated health checks at
/api/health,/api/health/database,/api/health/email,/api/health/storage,/api/health/signing
Usage Analytics (/dashboard/analytics)
- Total documents, active users, storage consumption
- Signing completion rates and average time-to-complete
- Template usage and performance
- Predictive analytics at
/dashboard/analytics/predictions
Admin Monitoring (/dashboard/admin/monitoring)
- Real-time performance metrics
- Alert configuration with thresholds for error rates, response times, and failed logins
- Uptime monitoring for all services
- Quality metrics at
/dashboard/admin/quality-metrics
Collaboration Monitoring (/dashboard/admin/collaboration-monitoring)
Real-time analytics for document collaboration sessions:
- Active and total collaboration sessions per document
- Participants and their activity within a session
- Session duration and engagement metrics
Integration Management
API Keys (/dashboard/settings/api-keys)
- Generate keys with name, description, and optional expiration
- Keys support
Authorization: Bearer <key>header - Rotate keys every 90 days (rotation available at Settings > API Keys)
- Monitor usage via the API analytics dashboard
SSO/SAML (/dashboard/settings/sso)
- Select provider (Okta, Azure AD, OneLogin, custom SAML 2.0)
- Exchange metadata between AuthenlySign (SP) and your IdP
- Configure attribute mapping (email, name, role)
- Test the SSO flow before enabling organization-wide
Webhooks (/dashboard/settings/webhooks)
- Add endpoint URL
- Select events: document.created, document.signed, document.completed, user.created, subscription.changed
- Each delivery includes an HMAC-SHA256 signature in the
x-authenlysign-signatureheader - Failed deliveries retry with exponential backoff (5 attempts over 6 hours)
- Monitor delivery health and dead-letter queue at the webhook dashboard
Third-Party Integrations (/dashboard/integrations)
Marketplace of integrations: Salesforce, HubSpot, Microsoft Dynamics, Zapier, Slack, Google Workspace, Microsoft 365. Configure OAuth connections at Settings > Integrations.
Database Administration
Database Dashboard (/dashboard/admin/database)
- Connection health and pool utilization
- Slow query analysis
- Index recommendations
- Backup status and verification
- Migration history
Backups
- Automated daily backups via Supabase
- Manual backup trigger at
POST /api/admin/database/backups - Backup verification at
POST /api/admin/database/backups/[backupId]/verify
Migrations
All schema changes are managed via numbered SQL scripts in the /scripts directory. Currently 82+ migrations covering 60 tables with full RLS policies.
Platform Administration
Beyond users and security, administrators control how the platform looks, what features are enabled, and how support is handled.
Feature Flags (/dashboard/admin/feature-flags)
Manage feature rollouts and beta access without redeploying:
- Toggle features on or off organization-wide
- Grant beta access to specific features
- Review each flag's description and current state before changing it
Release Management (/dashboard/admin/releases)
Manage product releases and the customer-facing changelog. Publish release notes so users can see what's new.
White-Label & Branding
Customize the platform's appearance to match your organization:
- Branding (
/dashboard/settings/branding): Upload your logo and favicon, set brand colors - White-Label Platform (
/dashboard/settings/white-label): Apply full white-label branding, including a custom domain (Enterprise) - Appearance (
/dashboard/settings/appearance): Configure theme defaults
Email Templates (/dashboard/settings/email-templates)
Customize the transactional emails AuthenlySign sends (invitations, reminders, completions). Edit the copy and insert available merge variables so messages match your brand voice.
Support Tickets (/dashboard/admin/tickets)
Manage inbound email requests and support tickets:
- Track open, in-progress, and resolved tickets
- Monitor SLA status and tickets at risk of breaching
- Assign and reply to tickets directly from the dashboard
Incident Response
Security Incidents
Report and track incidents at POST /api/security/incidents:
- Identify: Detect via monitoring alerts, WAF blocks, or user reports
- Contain: Suspend affected accounts, block IPs, revoke compromised keys
- Assess: Review audit logs, determine scope and severity
- Notify: Alert affected users and stakeholders
- Remediate: Apply fixes, rotate credentials, update policies
- Review: Post-incident analysis and documentation
Severity Levels
| Level | Response Time | Examples |
|---|---|---|
| Critical | 1 hour | Data breach, system-wide outage |
| High | 4 hours | Unauthorized access, major functionality loss |
| Medium | 1 business day | Minor vulnerability, intermittent errors |
| Low | 2 business days | Informational, feature requests |
Routine Maintenance
Weekly Tasks
- [ ] Review security event logs at Admin > Security
- [ ] Check system health dashboard
- [ ] Review failed webhook deliveries
- [ ] Monitor storage and database usage
Monthly Tasks
- [ ] Rotate API keys approaching 90-day expiration
- [ ] Audit user roles and remove inactive accounts
- [ ] Review compliance dashboard for upcoming certification renewals
- [ ] Export and archive audit logs
Quarterly Tasks
- [ ] Run full security health check (
GET /api/health/security) - [ ] Review and update data retention policies
- [ ] Audit third-party integration permissions
- [ ] Conduct access review across all admin accounts
- [ ] Test incident response procedures
Troubleshooting
Common Issues
Users cannot sign in: Check account status (active/suspended), verify SSO configuration, review failed login logs, reset password.
Document upload failures: Verify file is PDF under 50 MB, check storage capacity, review error logs.
Email delivery issues: Verify sender domain DNS records (SPF, DKIM, DMARC), check email health at /api/health/email, review spam rates.
API errors: Verify API key validity and expiration, check rate limits, review error codes, test with /api/health.
Diagnostic Endpoints
| Endpoint | Purpose |
|---|---|
GET /api/health | Overall system health |
GET /api/health/database | Database connectivity |
GET /api/health/email | Email delivery status |
GET /api/health/storage | File storage health |
GET /api/health/security | Security posture (admin only) |
GET /api/health/production | Full production readiness check |
GET /api/startup-check | Environment and config validation |
Best Practices
Security
- Enforce 2FA organization-wide
- Rotate API keys every 90 days
- Review security logs weekly
- Principle of least privilege -- grant minimum necessary roles
- IP whitelisting for admin and API access (Enterprise)
User Management
- Onboard thoroughly -- share this guide and the User Guide with new users
- Offboard immediately -- revoke access the same day an employee departs
- Audit roles quarterly -- remove unnecessary admin access
Compliance
- Keep certifications current -- set calendar reminders for renewals
- Test data export/deletion annually to verify GDPR workflows
- Sign BAA before handling any PHI
- Document everything -- maintain records of all compliance decisions
AuthenlySign Administrator Guide v2.1 -- June 2026 For the latest version, visit /resources/docs/admin-guide
