Administration¶
The Admin section provides access to user management, role configuration, billing, and authentication settings. These pages are typically restricted to administrators.
Where to find it¶
Navigate to Admin from the main menu to access the administration hub.
Permissions: Different admin pages require different permissions:
- Companies, Departments, Suppliers, Accounts: {resource}:reader to view
- Users & Access: users:reader to view, users:admin to manage
- Roles: users:reader to view, users:admin to edit
- Billing: Requires billing admin role
- Authentication: Requires users:admin
Admin Hub¶
The Admin landing page provides quick access to all administrative functions:
| Card | Description | Required Permission |
|---|---|---|
| Companies | Manage companies and year metrics | companies:reader |
| Departments | Manage departments and headcount | departments:reader |
| Suppliers | Manage suppliers and contacts | suppliers:reader |
| Accounts | Manage accounting codes | accounts:reader |
| Users & Access | Assign seats and roles | users:reader |
| Roles | Define role permissions | users:reader |
| Billing | Plan, seats and invoices | Billing admin |
Users & Access¶
Manage who can access CIO Assistant and what they can do.
The Users Grid¶
Default columns: - Name: User's full name - Email: Login email address - Role: Assigned role (determines permissions) - Company / Department: User's organizational assignment - Status: Active, Disabled, or Pending invitation - Last Login: When the user last accessed the system
User Management Actions¶
| Action | Description | Permission |
|---|---|---|
| New | Create a new user | users:manager |
| Edit | Modify user details | users:manager |
| Enable | Activate a disabled user (uses a seat) | users:admin |
| Disable | Deactivate a user (frees a seat) | users:admin |
| Invite | Send login invitation email | users:admin |
| Delete | Remove user permanently | users:admin |
Creating a User¶
- Click New
- Fill in required fields:
- Email: Login email address (must be unique)
- First Name / Last Name: User's name
- Optional fields:
- Job Title: Their role in the organization
- Role: Which role to assign (determines permissions)
- Company / Department: Organizational assignment
- Click Save or Save & Invite to send login email
Seat Management¶
Users consume seats based on your subscription plan: - Active users: Count against your seat limit - Disabled users: Don't consume seats - Enable/disable users to manage seat allocation
Roles¶
Define what each role can do across CIO Assistant.
How Roles Work¶
Each role has permission levels for different resources: - None: No access to this resource - Reader: View only - Manager: View, create, and edit - Admin: Full access including delete
Resources¶
Permissions can be set for these resources:
| Resource | What it controls |
|---|---|
opex |
OPEX items and spend tracking |
capex |
CAPEX items and projects |
contracts |
Vendor contracts |
applications |
Apps & Services, IT Operations |
tasks |
Task management |
suppliers |
Supplier master data |
contacts |
Contact directory |
companies |
Company master data |
departments |
Department master data |
accounts |
Chart of accounts |
analytics |
Analytics categories |
business_processes |
Business process registry |
users |
User and role management |
reporting |
Reports access |
settings |
Application settings |
budget_ops |
Budget operations tools |
billing |
Billing and subscription |
locations |
Location master data |
System Roles¶
Two roles are system-managed and cannot be modified: - Administrator: Full access to everything - Contact: Limited access for external contacts (directory visibility only)
Creating a Custom Role¶
- Click New Role
- Enter a name and description
- Set permission levels for each resource
- Click Save
Tip: Start with minimal permissions and add as needed.
Billing¶
Manage your subscription, seats, and invoices.
Subscription Overview¶
View your current plan: - Plan name: Your subscription tier - Status: Active, Trialing, Past Due, etc. - Seats: Used vs. available seats - Billing period: Current billing cycle dates
Billing Contact¶
Update the contact information used for invoices: - Name and company - Email and phone - Billing address - VAT number (if applicable)
Invoices¶
View invoice history: - Invoice date and number - Amount and currency - Status (Paid, Pending, etc.) - Download PDF invoices
Authentication¶
Configure single sign-on (SSO) for your organization.
Microsoft Entra ID (Azure AD)¶
Connect CIO Assistant to your Microsoft Entra ID tenant for SSO:
- Click Connect to Microsoft Entra
- Sign in with a Microsoft admin account
- Grant the requested permissions
- Users can now sign in with their Microsoft accounts
SSO Status¶
- Connected: Shows your Entra tenant ID
- Not connected: Local authentication only
Actions¶
| Action | Description |
|---|---|
| Connect | Start the Microsoft Entra setup flow |
| Test Sign-In | Test SSO with your Microsoft account |
| Disconnect | Remove SSO configuration (reverts to local auth) |
Tips¶
- Start with roles: Define roles before creating users to streamline permission assignment.
- Use SSO: If you have Microsoft 365, connect Entra ID for easier user management.
- Monitor seats: Keep track of seat usage to avoid hitting limits.
- Disable don't delete: When someone leaves, disable their account to preserve audit history.
- Review permissions regularly: Audit role permissions periodically to maintain least-privilege access.