Platform staff (TenancyEngine)
Manage TenancyEngine operator accounts — people who run the control plane, not tenant end-users or vendor organization members.
Console: TenancyEngine console → Users (/users)
Requires Users read to view; write permissions to create, assign roles, or delete.
Platform roles
| Role | Typical use |
|---|---|
| platform_admin | Full platform operations — apps, orgs, audit, settings |
| platform_impersonator | Support access to vendor consoles (audited) |
| app_impersonator | Sign in as a tenant user within a registered application |
| vendor_builder | Build and configure applications without full admin |
| organization_admin | Scoped to a vendor org (usually provisioned via org invite, not this page) |
Assign roles per user with Add role / Remove on each row. Users can hold multiple roles.
Create a user
- Click Add user.
- Set email, password (12+ characters per identity policy), and optional display name.
- Select initial roles — default is platform_admin for break-glass operators.
- Save; the user can sign in at the console login page.
Delete a user
Deletion requires typing the user's email to confirm. Prefer removing roles over deletion when temporarily revoking access.
Related
- Platform email templates — invite emails for organization members (different audience)
- Organizations — vendor accounts and their team invites