Admin Mode
Why a separate admin mode?
Earlier releases mixed tenant-configuration screens (/settings/*) into the
same shell users see for everyday work. The mental model and visual language
were identical for "I am working" and "I am administering" — which led to
confused clicks and made it impossible to enforce tenant-admin-only
navigation patterns reliably.
Admin mode splits the two:
- App mode — /dashboard, /assets, /processes, … Daily user workflows. Standard sidebar, standard top bar.
- Admin mode — /admin/*. Tenant-only configuration. Dedicated sidebar grouped by Tenant, Mitglieder, Abrechnung, System, and API & Entwickler; dedicated top bar with an accent-green stripe so you can tell at a glance which mode you are in.
The HGE Uslimato platform administration is unrelated — it is for the product team, not tenant admins, and is reached via a separate access point.
Permissions
Only users with the admin permission see the admin-mode toggle in the
avatar menu and can navigate to /admin/* URLs. The route group
permission-gates every URL underneath; non-admins who reach an admin URL
directly (e.g. via a stale bookmark) are redirected to /dashboard.
The gate is enforced at three independent layers:
- Avatar menu visibility — non-admins never see the toggle.
- Page-level guard — non-admin users are automatically redirected to the dashboard.
- Server-side check — unauthenticated requests are blocked before any UI renders.
URL structure
Settings and the developer portal are located under /admin/*.
The legacy URLs return a permanent redirect:
| Old URL | New URL |
|---|---|
| /settings | /admin/settings |
| /settings/general | /admin/settings/general |
| /settings/permissions | /admin/settings/permissions |
| /settings/plan | /admin/settings/plan |
| /settings/billing | /admin/settings/billing |
| /settings/asset-tags | /admin/settings/asset-tags |
| /settings/itsm-email | /admin/settings/itsm-email |
| /settings/sample-data | /admin/settings/sample-data |
| /settings/onboarding | /admin/settings/onboarding |
| /settings/app | /admin/settings/app |
| /developer | /admin/developer |
| /developer/keys | /admin/developer |
| /developer/usage | /admin/developer |
Bookmarks pointing at old URLs continue to work.
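One way to express the permission gate and the legacy redirects as a single server-side decision, as an added example that is not the product's own code. The function names, the session shape, and the status codes 308, 401 and 307 are assumptions; it also generalizes the table by keeping any sub-path under /settings.

```javascript
// Added example: server-side routing decision for the rules described above.
// Status codes and every name below are assumptions, not the product's code.
const LEGACY_PREFIXES = [
  // [old prefix, new prefix, keep sub-path?]
  ["/settings", "/admin/settings", true],    // assumption: any /settings/<sub> keeps <sub>
  ["/developer", "/admin/developer", false], // /developer/keys and /usage collapse
];

// Collapse empty, "." and ".." segments so "//admin" or "/x/../admin" cannot dodge the gate.
function normalise(pathname) {
  const out = [];
  for (const seg of pathname.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

function matchesPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + "/");
}

// session: null when unauthenticated, else { permissions: [...] } (constructed shape).
function decide(pathname, session) {
  const path = normalise(pathname);

  // 1. Legacy URLs answer with a permanent redirect and serve no content, so
  //    the target under /admin/* is still gated on the follow-up request.
  for (const [oldP, newP, keepSub] of LEGACY_PREFIXES) {
    if (matchesPrefix(path, oldP)) {
      const rest = keepSub ? path.slice(oldP.length) : "";
      return { status: 308, location: newP + rest };
    }
  }

  // 2. Unauthenticated requests are blocked before any UI renders.
  if (!session) return { status: 401, location: null };

  // 3. Everything under /admin/* requires the admin permission.
  if (matchesPrefix(path, "/admin") && !session.permissions.includes("admin")) {
    return { status: 307, location: "/dashboard" };
  }
  return { status: 200, location: null };
}
```

Because the legacy step only redirects, a stale /settings/* bookmark never reaches admin content without passing the same gate as a direct /admin/* request.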
User-facing changes
Avatar menu
The standalone "Tenant settings" gear icon in the header is gone. Tenant admins reach the admin shell via the avatar menu, which now shows a single "Enter admin mode" / "Leave admin mode" toggle. The label flips based on the current pathname.
/profile tabs
The personal-profile page has three tabs:
- Preferences — read-only summary of the user's locale and theme. Both are still controlled by the global switchers (sidebar / header).
- Security — surface for the HGE ID login state and a logout link. Password resets happen at HGE ID.
- API keys — only rendered when the caller is admin or the tenant has opted in via api_access_enabled_for_users. Lets the user mint and revoke their own personal keys.
API access for users
A tenant-level setting controls whether non-admin users can manage
personal API keys. It defaults to off so existing tenants are
unaffected. Toggle it from /admin/developer (tenant admins only).
When the setting is off:
- The "API keys" tab on /profile is not visible for non-admins.
- Non-admins cannot create, edit, or delete API keys.
Admins always bypass the setting — they own the toggle.
Classic mode
The classic UI (pre-Experience) is still supported: /admin/* pages
work, but the dedicated admin chrome is Experience-only. In classic mode
the standard sidebar and top bar wrap the admin pages, with a small
"Admin mode" pill below the header so users still know where they are.
Strategic direction is Experience-first.