Administration Guide

Complete administration guide for managing users, roles, permissions, and system configuration in Champa Intelligence.


Overview

The Administration section provides tools for managing the Champa Intelligence platform at the system level. These features require elevated permissions and are typically used by platform administrators.

Required Permission: Most administrative functions require the manage_users or manage_roles permission.


Administrative Features

  • User Management

    Create, edit, and manage user accounts. Configure API users and regenerate API tokens.

  • Roles & Permissions

    Configure role-based access control (RBAC). Create custom roles with specific permission sets.

  • Lint Rules Configuration

    Customize BPMN and DMN validation rules. Set severity levels and enable/disable specific checks.

  • Cache Management

    Monitor and control the Redis cache. Clear caches, view statistics, and trigger cache warming.

  • Session Management

    View active sessions, revoke sessions, and configure session timeouts.

  • Audit Logging

    Review comprehensive audit trails of all user actions and security events.


Quick Access

Common Administrative Tasks

User Management:

Admin → User Management → Create User

Role Configuration:

Admin → Roles & Permissions → Create Role

Cache Control:

Admin → Cache Management → Clear Cache

View Audit Log:

Admin → Audit Log → Filter Events


Security Best Practices

1. User Account Security

  • Strong Passwords: Enforce minimum 8 characters with uppercase, lowercase, and numbers
  • Regular Reviews: Audit user accounts quarterly
  • Deactivate Unused Accounts: Remove access for inactive users
  • API Token Rotation: Regenerate API tokens every 90 days

2. Role-Based Access Control

  • Principle of Least Privilege: Grant only necessary permissions
  • Custom Roles: Create specific roles for job functions
  • Regular Audits: Review role assignments monthly
  • Separation of Duties: Avoid combining conflicting permissions

3. Session Management

  • Session Timeouts: Configure appropriate TTL for user sessions
  • Remember Me: Limit to 30 days maximum
  • Concurrent Sessions: Monitor for unusual patterns
  • Force Logout: Revoke sessions when needed

4. Audit & Compliance

  • Regular Reviews: Review audit logs weekly
  • Retention Policy: Maintain logs for compliance requirements
  • Security Events: Monitor failed login attempts
  • Permission Changes: Track all role modifications

Permission Reference

Administrative Permissions

| Permission | Description | Grants Access To |
|---|---|---|
| full_access | Complete system access | All features and admin functions |
| manage_users | User management | Create, edit, delete users; manage API tokens |
| manage_roles | Role management | Create, edit, delete roles and permissions |

Feature Permissions

| Permission | Feature Access |
|---|---|
| portfolio_data | Portfolio Dashboard |
| extended_dashboard_data | Process Intelligence Dashboard |
| ai_analysis_data | AI-Powered Analysis |
| health_monitor_data | Health Monitoring |
| journey_analysis_data | Journey Monitoring |
| diff_tool_data | BPMN Diff Tool |
| model_validation_data | Model Validator (Linter) |
| bpmn_analysis_data | BPMN Analytics Viewer |
| dmn_analysis_data | DMN Analytics |
| api_access | Programmatic API Access |

System Configuration

Environment Variables

Key administrative settings can be configured via environment variables:

# Session Configuration
SESSION_TTL_HOURS=24
SESSION_TTL_REMEMBER_ME_DAYS=30

# Security
JWT_EXPIRATION_HOURS=24
JWT_SECRET=your_secret_here

# System Database
SYSTEM_DB_ENABLED=true
SYSTEM_DB_HOST=champa-system-db
SYSTEM_DB_NAME=champa_system

# Redis Cache
REDIS_ENABLED=true
REDIS_SESSION_TTL=3600

See Configuration Guide for complete reference.
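
As an added example (not part of Champa Intelligence or its documentation), the Python code below checks env-style settings against the recommendations in this guide: the 30-day Remember Me limit, positive TTL values, and a real JWT secret in place of the `your_secret_here` placeholder. The 32-byte minimum assumes HMAC-SHA256 token signing, and the function names and the extra placeholder strings are hypothetical.

```python
import secrets

# "your_secret_here" is the guide's placeholder; the other entries are constructed.
PLACEHOLDER_SECRETS = {"", "your_secret_here", "changeme", "secret"}
TTL_KEYS = ("SESSION_TTL_HOURS", "SESSION_TTL_REMEMBER_ME_DAYS",
            "JWT_EXPIRATION_HOURS", "REDIS_SESSION_TTL")
REMEMBER_ME_MAX_DAYS = 30  # guide: "Remember Me: Limit to 30 days maximum"
MIN_SECRET_BYTES = 32      # assumption: HMAC-SHA256 signing key size

def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_settings(settings):
    """Return sorted (key, finding) pairs; an empty list means no findings."""
    findings = []
    secret = settings.get("JWT_SECRET", "")
    if secret.lower() in PLACEHOLDER_SECRETS:
        findings.append(("JWT_SECRET", "placeholder or empty"))
    elif len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append(("JWT_SECRET", "shorter than 32 bytes"))
    for key in (k for k in TTL_KEYS if k in settings):
        value = settings[key]
        number = int(value) if value.isascii() and value.isdigit() else 0
        if number <= 0:
            findings.append((key, "not a positive integer"))
        elif key == "SESSION_TTL_REMEMBER_ME_DAYS" and number > REMEMBER_ME_MAX_DAYS:
            findings.append((key, "exceeds 30-day maximum"))
    return sorted(findings)

def new_secret():
    return secrets.token_urlsafe(48)  # 48 random bytes, 64 URL-safe characters

# Constructed sample input using the key names from the guide.
SAMPLE = """\
SESSION_TTL_HOURS=0
SESSION_TTL_REMEMBER_ME_DAYS=90
JWT_SECRET=your_secret_here
"""
if __name__ == "__main__":
    for key, finding in audit_settings(parse_env(SAMPLE)):
        print(f"{key}: {finding}")
```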


Monitoring Administrative Activity

Audit Log Filters

Use these filters to monitor administrative actions:

User Management Activities:

Action Type: admin_action
Resource Type: user

Role Changes:

Action Type: admin_action
Resource Type: role

Failed Permissions:

Action Type: permission_check
Status: failed

Security Events:

Action Type: security
Status: failed
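
The four filters above, applied offline to an exported audit log, as an added example that is not Champa Intelligence code. The JSON-lines export format, the field names (`user`, `action_type`, `resource_type`, `status`), the sample records and the threshold of three failures are assumptions.

```python
import json
from collections import Counter
# The guide's four audit filters, expressed as field/value matches.
FILTERS = {
    "user_management": {"action_type": "admin_action", "resource_type": "user"},
    "role_changes": {"action_type": "admin_action", "resource_type": "role"},
    "failed_permissions": {"action_type": "permission_check", "status": "failed"},
    "security_events": {"action_type": "security", "status": "failed"},
}

def load_events(jsonl):
    """Parse JSON-lines text, skipping blank or malformed lines."""
    events = []
    for line in jsonl.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events

def apply_filter(events, name):
    """Return the events matching every field of the named filter."""
    wanted = FILTERS[name]
    return [e for e in events if all(e.get(k) == v for k, v in wanted.items())]

def summarize(events):
    """Count matching events per filter, for the daily or weekly review."""
    return {name: len(apply_filter(events, name)) for name in FILTERS}

def repeated_failures(events, threshold=3):
    """Users with at least `threshold` failed security events."""
    failed = apply_filter(events, "security_events")
    counts = Counter(e.get("user", "unknown") for e in failed)
    return {user: n for user, n in counts.items() if n >= threshold}

# Constructed sample export; field names and users are hypothetical.
SAMPLE = """\
{"user": "alice", "action_type": "admin_action", "resource_type": "user", "status": "success"}
{"user": "alice", "action_type": "admin_action", "resource_type": "role", "status": "success"}
{"user": "bob", "action_type": "permission_check", "resource_type": "role", "status": "failed"}
{"user": "carol", "action_type": "security", "resource_type": "session", "status": "failed"}
{"user": "carol", "action_type": "security", "resource_type": "session", "status": "failed"}
{"user": "carol", "action_type": "security", "resource_type": "session", "status": "failed"}
truncated line that is not JSON
"""
if __name__ == "__main__":
    print(summarize(load_events(SAMPLE)), repeated_failures(load_events(SAMPLE)))
```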


Troubleshooting

Common Issues

User Can't Log In:

  1. Check if account is active
  2. Verify password hasn't expired
  3. Check for account lockout (failed attempts)
  4. Review audit log for security events

Permission Denied:

  1. Verify user's role has required permission
  2. Check if permission is correctly assigned to role
  3. Review audit log for permission check failures
  4. Confirm user session is valid

Cache Not Clearing:

  1. Verify Redis connection
  2. Check Redis authentication
  3. Review application logs
  4. Test with selective cache clear

Session Issues:

  1. Check Redis availability
  2. Verify session TTL configuration
  3. Review cookie settings
  4. Check for browser security restrictions

Maintenance Tasks

Daily

  • [ ] Monitor failed login attempts
  • [ ] Review critical audit events
  • [ ] Check cache hit rates

Weekly

  • [ ] Review new user accounts
  • [ ] Audit permission changes
  • [ ] Check for inactive sessions
  • [ ] Review API token usage

Monthly

  • [ ] User access review
  • [ ] Role assignment audit
  • [ ] Cache performance analysis
  • [ ] Audit log retention cleanup

Quarterly

  • [ ] API token rotation
  • [ ] Security policy review
  • [ ] Comprehensive audit report
  • [ ] System configuration review
