Tenant Management
En resumen
Cross-tenant CRUD and configuration for every federation, club, pilot, and sandbox: a sortable directory, a per-tenant detail view with billing and OrgNode shape, a guided creation wizard, feature-flag overrides, one-click `Visit tenant` impersonation, reversible 90-day archive, and full GDPR-compliant export.
Cómo funciona
Tenant Management replaces the scattered Cosmos queries operators used to run by hand. The directory at `sys/(dashboard)/tenants` lists every tenant with type (federation/club/pilot/sandbox), plan, status, created date, and primary contact. Filters and sorts are server-driven, and an export emits CSV for finance and legal reviews.
Drilling into a tenant opens a single-page detail with the full operational picture: configuration, billing profile, feature flags, OrgNode hierarchy, user count, revenue summary, and a recent-activity feed sourced from `sys_audit_entries`. New tenants are provisioned through a guided wizard that captures slug, country, hierarchy depth (Norway flat, Sweden two-level, France three-level), initial admin email, plan, and trial length; on completion it dispatches `seed_system_roles` and triggers the onboarding email through the marketing pipeline. Feature flags mirror GrowthBook for tenant-controlled rollouts, but sys operators can override per tenant for targeted testing or incident mitigation; every override is audited.
The `Visit tenant` action is a one-click sys-scoped impersonation into the tenant's admin context — read-only by default, elevated only when the operator explicitly switches access level (which falls back to the F21.02 consent flow when the target is a real user rather than the tenant boundary). Archival is intentionally reversible: writes are disabled, reads stay live for 90 days, and a hard delete is then scheduled. The window can be unwound at any time inside the 90-day grace period.
Export produces a zip containing all tenant data — documents, uploaded assets, and the full audit log — packaged for GDPR exit or contract termination.
Capacidades clave
- Cross-tenant directory with filter, sort, and CSV export
- Detail view: config, billing, flags, OrgNode shape, user count, revenue, activity
- Guided creation wizard with hierarchy depth, plan, trial length, seed roles
- Per-tenant feature-flag overrides on top of GrowthBook for targeted rollouts
- One-click `Visit tenant` sys-scoped read-only enter
- Reversible 90-day archive then hard delete
- GDPR-compliant tenant export packaged as a single zip
En la práctica
An operator gets a sales hand-off for a new pilot federation in Belgium. He opens the create-tenant wizard, sets country BE, hierarchy depth 1 (district→club), enters the contact email, picks the pilot plan with a 60-day trial, and submits. The wizard provisions the tenant, seeds system roles, and emails the contact a setup link.
Three months later the pilot fails to convert; the operator opens the tenant detail, runs `Export`, hands the zip to the contact, and clicks `Archive`. Writes stop immediately; reads remain live for 90 days; the audit log records both actions with reasons.
Funcionalidades de este subsistema
7| ID | Status | Funcionalidades |
|---|---|---|
| F21.05.01 | Entregado | Tenant directory — all tenants with type (federation/club/pilot/sandbox), plan, status, created date, primary contact. Filter + sort + export. Defensive iterators (_safe_iter/_safe_get/_safe_find_one) keep the list rendering even when a single legacy document fails pydantic validation (PL-T316). ✅ PL-T125, ✅ PL-T316 |
| F21.05.02 | Entregado | Tenant detail view — config, billing profile, feature flags, OrgNode hierarchy, user count, revenue summary, recent activity. Friendly <ErrorPanel> (copy + retry) replaces the bare red banner when the API returns 5xx (PL-T316). ✅ PL-T125, ✅ PL-T316 |
| F21.05.03 | Entregado | Create tenant — guided wizard: slug, country, hierarchy depth, initial admin email, plan, trial length. Emits seed_system_roles + sends onboarding email. Plan-tier picker is fed by GET /sys/tenants/plan-tiers and filters SKU options to the chosen tenant_type (PL-T315). ✅ PL-T125, ✅ PL-T315 |
| F21.05.04 | Entregado | Feature-flag panel per tenant — on/off + percentage rollout. Mirrors GrowthBook but overrideable by sys operators for targeted testing. ✅ PL-T125 |
| F21.05.05 | Entregado | "Visit tenant" — one-click impersonation as a sys operator within that tenant's scope (read-only unless explicitly elevated). ✅ PL-T125 |
| F21.05.06 | Entregado | Tenant archive — disable writes, keep reads for 90 d, then schedule hard delete. Reversible within the 90 d window. ✅ PL-T125 |
| F21.05.07 | Entregado | Tenant export — produces a zip with all tenant data (documents, uploads, audit log) for GDPR/contract exit. ✅ PL-T125 |