Corteza Admin Panel
Basics
To access Corteza Admin Panel, click on a new tab and select it from the list of available applications.
You must have Administrator rights to access and edit this part of the Corteza system.
Dashboard
The dashboard section gives an overview of some basic usage statistics for the Corteza system:
- Number of total active, suspended and deleted users
- Number of total active, archived and deleted roles
- Number of total active and deleted applications
Users
Overview
A user is someone who can log in to the Corteza system.
Each user has an Email, Full name and Nickname (handle). Additionally, each user has a username (=email) and password to enable them to log in to the system. In the list of users an admin can also see the timestamps of when the user was created and updated.
In the list of users an admin is allowed to:
- Filter users by name or email using the search input at the top
- Filter deleted and suspended users
- Edit existing users
- Create new users
User Management
Create a new user
To create a new user, click on the "New" button in the top right corner above the User list.
Fill in the Basic information and hit submit. You can set a password for the user to log in with (but they will need to confirm their email after the first attempt to log in). Alternatively, a user can request a "Forgotten password" on the login screen and set a password on their own.
Roles
Overview
A role allows you to define groups of users with particular access rights. Role-Based Access Control (RBAC) is used for all applications across the Corteza system.
The role is assigned to an individual user.
In the list of roles an admin is allowed to:
- Filter roles by name using the search input at the top
- Filter deleted and suspended roles
- Edit existing roles
- Create new roles
Applications
Overview
You can create and manage applications inside Corteza One.
By default the following applications are included in the system:
- Messaging
- Low Code
- CRM
- Jitsi Video
- Corteza Admin Area
- Google Maps
In the list of applications an admin is allowed to:
- Filter applications by name using the search input at the top
- Filter deleted applications
- Edit existing applications
- Create new applications
Applications Management
Create a new application
To create a new application, click on the "New" button in the top right corner above the Applications list.
Set an application name and mark it as enabled so it becomes visible in the list of applications. In the next step you can add a URL to the favicon and logo and assign the application URL.
You can add any Namespace as a separate application. Additionally, you can add as an application any external website or web application that doesn't have iFrame access denied.
System Settings
Internal Authentication
In this section you can control the following:
- Internal authentication enabled
- Password reset enabled (if unchecked, users won't be able to reset their password)
- Signup email confirmation required (if unchecked, users can log in to the system right after the registration, without confirming their email)
- Signup enabled (if unchecked, admins will add users manually in the Admin panel and nobody will be able to register on their own)
Authentication Email Settings
In this section you can set:
- Sender email address (e.g. info@company.org)
- Sender name (e.g. Organization Ltd.)
Email templates:
Email templates used for authentication purposes are the following:
{{.EmailHeaderEn}} <h2 style="color: #1397CB;text-align: center;">Confirm your email address</h2> <p>Hello,</p> <p>Follow <a href="{{ .URL }}" style="color:#1397CB;">this link</a> to confirm your email address.</p> <p>You will be logged-in after successful confirmation.</p> {{.EmailFooterEn}}
{{.EmailHeaderEn}} <h2 style="color: #1397CB;text-align: center;">Reset your password</h2> <p>Hello,</p> <p>Follow <a href="{{ .URL }}" style="color:#1397CB;">this link</a> and reset your password.</p> <p>You will be logged-in after successful reset.</p> {{.EmailFooterEn}}
We recommend using Codepen or similar browser-based tools to preview the layout of the template before changing the template.
Email Settings
In this section you can control the header and footer templates that are wrapped around all emails sent from the system.
<div style="width:100%;min-height:100%;margin:0;padding:0;color:#3a393c;font-size:12px;line-height:18px;font-family:Verdana,Arial,sans-serif"> <table width="100%" align="center" style="width:100%;height:100%;border-collapse:collapse;border:0;padding:60px" border="0" cellspacing="0" cellpadding="0" summary=""> <tbody> <tr> <td valign="top" align="center" style="padding: 20px 0;"> <table width="800" cellspacing="0" cellpadding="0" border="0"> <tbody> <tr> <td width="800" bgcolor="#ffffff" style="color:#3a393c;font-size:14px;line-height:20px;font-family:Helvetica Neue,Helvetica,Arial,sans-serif;text-align:left"> <table width="800" cellspacing="0" cellpadding="0" border="0"> <tbody> <tr style="background-color:#ffffff;height:50px;"> <td style="border-bottom:2px solid #1397CB;"> <a href="{{ .BaseURL }}" style="text-decoration:none" target="_blank"> <img src="{{ .Logo }}" style="display: block;margin: 0 auto;padding: 10px;"> </a> </td> </tr> <tr> <td width="800" style="padding:40px 30px">
</td> </tr> <tr> <td style="padding:30px;border-top: 1px solid #F3F3F5"> <p>If you have any questions, please contact <a href="mailto:{{ .SignatureEmail }}" style="color:#1397CB;">{{ .SignatureEmail }}</a>.</p> <p>We hope you enjoy using Corteza!</p> <p>Best regards, <br> {{ .SignatureName }}</p> </td> </tr> </tbody> </table> </td> </tr> </tbody> </table> </td> </tr> </tbody> </table> </div>
We recommend using Codepen or similar browser-based tools to preview the layout of the template before changing the template.
Pay attention to the variables used in the default template (e.g. {{.BaseURL}}, {{.SignatureEmail}}, …).
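One way to check an edited template offline before saving it, added here as an example and not taken from Corteza. It assumes the templates are rendered with Go's html/template package and that the variables named on this page are the full set; CheckTemplate and the sample values are hypothetical.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Variables named on this page, with constructed values. Treating them as the
// full set, and Go's html/template as the renderer, are assumptions.
var sample = map[string]any{
	"URL":            "https://corteza.example.org/auth/confirm",
	"BaseURL":        "https://corteza.example.org",
	"Logo":           "https://corteza.example.org/logo.png",
	"SignatureEmail": "info@company.org",
	"SignatureName":  "Organization Ltd.",
	"EmailHeaderEn":  template.HTML("<div>"),
	"EmailFooterEn":  template.HTML("</div>"),
}

// CheckTemplate renders an edited template against the sample values. It fails
// on syntax errors, on unknown (misspelled) variables, and when a variable
// listed in must no longer reaches the output.
func CheckTemplate(src string, must ...string) (string, error) {
	t, err := template.New("mail").Option("missingkey=error").Parse(src)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, sample); err != nil {
		return "", err
	}
	for _, name := range must {
		if !strings.Contains(out.String(), fmt.Sprint(sample[name])) {
			return "", fmt.Errorf("variable .%s is not used in the template", name)
		}
	}
	return out.String(), nil
}

func main() {
	_, err := CheckTemplate(`<a href="{{ .Url }}">this link</a>`, "URL")
	fmt.Println(err) // the misspelled variable is reported as an error
}
```

Passing "URL" as a required variable for the confirmation and password reset templates catches an edit that drops the link altogether.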
External Authentication
Check the "Enable external authentication" box if you wish to allow your users to register and log in using external providers. Currently, we support Google, Facebook, GitHub and LinkedIn authentication.
To enable Google authentication you need to create a client ID:
- Go to Google Sign-in Guide and click on the "Configure a project" button
- Select an existing project or create a new one
- Set a product name (e.g. Corteza)
- On the "Configure your OAuth client" screen select "Web browser" and paste the URL where your Corteza system is running (including https://)
- Copy and paste both Client ID and Client Secret fields to Corteza Admin panel and hit submit
To enable Facebook authentication you need to create a Facebook app to receive a Client key and Secret:
- Go to the Facebook for developers website, click on "Add a new app" and choose a name for the app (e.g. Corteza) or select an existing app
- In the list of available products search for "Facebook Login" and click on the "Set Up" button
- Select the "Web" platform and paste the URL where your Corteza system is running
- Go to "Settings" and then "Basic" in the left sidebar
- Copy and paste "App ID" to "Client key" inside Corteza Admin panel
- Copy and paste "App Secret" to "Secret" inside Corteza Admin panel and hit Submit
GitHub
To enable GitHub authentication you need to register a GitHub application to get a unique Client ID and Client Secret:
- Go to this link and create a new OAuth application
- Copy and paste both Client ID and Client Secret fields to Corteza Admin panel and hit submit.
To enable LinkedIn authentication you need to create a LinkedIn application:
- Go to this form, fill it out and click on "Create app"
- Go to the Auth section and copy and paste both Client ID and Client Secret fields to Corteza Admin panel and hit submit.
Other Settings
Low Code Settings
Messaging Settings
User Interface
In this section you can select:
- To allow users to use emoji
- To enable Messaging notifications
- If notifications are enabled, you can set a template for the notification header (default ${user} in ${channel}) and the maximum number of characters visible in the notification (default is 200)
Permissions
Overview
Corteza uses Role-based access control (RBAC) as a method of restricting access based on the roles of individual users within the system. RBAC lets users have access rights only to the parts of the system/application they need and prevents them from accessing information that doesn’t pertain to them.
Permissions setting is fine-grained, meaning the system administrator can control permissions on several layers, for example:
- which role can access applications
- which role can read the data
- which role can edit the data
- which role can access admin area, etc.
By default, a user is assigned to the "Everyone" role, which is very limited for security reasons (in case someone uninvited registers to your system, they won't see any data, Messaging channels, list of applications, etc.). The first registered user is granted admin rights by default.
Working with permissions in Admin Panel
Each user can be a member of multiple roles. We suggest a "modular" approach: create multiple smaller roles (e.g. Messaging admin, CRM admin) and then stack them to cover all the parts of the system where a user needs access.
An admin can create an unlimited number of roles. The permissions system in the Admin Panel is a playground, where you bring each role to the table, adjust the permissions and save it. More details in the following chapters.
Permissions check in the System
The overall flow for verifying whether a role has access to perform an operation on a resource is the following:
- Can this combination of roles perform an operation on this specific resource
- Can this combination of roles perform an operation on any resource of the type (wildcard)
- Can anyone/everyone perform an operation on this specific resource
- Can anyone/everyone perform an operation on any resource of the type (wildcard)
Permissions in the Admin Panel are general and can be overridden per individual application/namespace/etc. For a better overview, we suggest you first set permissions on this level and then go lower on the hierarchy.
Inherit value always checks the setting in the layer above. For example: if an individual application has access permissions set to "Inherit", it will use the permission set for All applications (default: "Deny"). Explicit "Allow" or "Deny" always override the Inherit value.
In practice, this means the check verifies whether any of the given roles has permission to perform an operation on a resource:
- Will return Inherit when:
  - No roles are given
  - More than 1 role is given and one of the given roles is Everyone
- Will return Deny when:
  - There is one rule with Deny value
- Will return Allow when:
  - There is at least one rule with Allow value (and no Deny rules)
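The check order and the Inherit/Deny/Allow outcomes described above, written out as a small Go program. This is an added example, not Corteza's own code: the Rules key layout, the role names, the "everyone" identifier and the final fall-through to deny are assumptions, and the sample rules are constructed.

```go
package main

import "fmt"

// Access values are ordered so that the strongest matching rule wins.
type Access int
const Inherit, Allow, Deny Access = 0, 1, 2
const Everyone = "everyone" // assumed name for the built-in role

// Rules maps {role, type, id or "*", operation} to a setting (hypothetical layout).
type Rules map[[4]string]Access

// check is one step of the flow, evaluated over one set of roles.
func check(rules Rules, typ, id, op string, roles ...string) Access {
	out := Inherit // stays Inherit when no roles are given or nothing matches
	for _, role := range roles {
		if role == Everyone && len(roles) > 1 {
			return Inherit
		}
		if a := rules[[4]string{role, typ, id, op}]; a > out {
			out = a
		}
	}
	return out
}

// Can walks the four steps in order; the first non-Inherit answer decides.
// Denying when every step inherits is an assumption of this example.
func Can(rules Rules, roles []string, typ, id, op string) bool {
	for i, rid := range []string{id, "*", id, "*"} {
		who := roles
		if i >= 2 {
			who = []string{Everyone}
		}
		if a := check(rules, typ, rid, op, who...); a != Inherit {
			return a == Allow
		}
	}
	return false
}

func main() {
	rules := Rules{ // constructed sample rules
		{Everyone, "application", "*", "access"}:    Allow,
		{Everyone, "application", "7", "access"}:    Deny,
		{"crm-admin", "application", "7", "access"}: Allow,
	}
	fmt.Println(Can(rules, []string{"crm-admin"}, "application", "7", "access")) // true
}
```

With these rules a user holding no extra roles is denied application 7 at the third step, while the explicit Allow for the crm-admin role is found at the first step and decides before the Everyone rules are consulted.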
System Permissions
To access System Permissions, go to Admin Panel and click on "Permissions" in the "System" section.
System Service
In this section you control overall access settings and usage of Admin Panel.
You can set permissions to:
- Create new role/user/application/automation scripts
- Allow reminder assignment
Corteza Elements
- Access/update/delete any application
  You can allow everyone to access any application and explicitly forbid it for a few applications in the list of applications.
- Access/update/delete any user
  If a user doesn't have access to read any user, they'll see IDs instead of a name and surname (for example in the Messaging application)
- Suspend/un-suspend any user
- Access/update/delete any role
- Manage members for any role
- Read/update/delete any automation script
- Run any trigger on any automation script
Any access you grant in this section can be overridden per individual element.
Low Code Permissions
To access Low Code Permissions, go to Admin Panel and click on "Permissions" in the "Low Code" section.
Low Code Service
In this section you can control who can access Low Code, who can manage settings and who can create namespaces.
Please note that permissions are fine-grained, meaning if you allow users to access namespaces, they still need explicit allowance to read pages, modules and fields.
Namespaces
In this section you can control which role can:
- Have read access to any namespace
- Update/delete/manage any namespace
- Create modules/charts/pages/automation scripts
Any access you grant in this section can be overridden per individual namespace.
Messaging Permissions
To access Messaging Permissions, go to Admin Panel and click on "Permissions" in the "Messaging" section.
Messaging Service
In this section, you can control who can access the Messaging app, who can manage Messaging settings and who can create public/private/direct channels.
We recommend allowing these permissions for Administrators and Messaging Admins only.
Channels
In this section, you have full control over which role can do the following:
- Update/View/Join/Leave any channel
- Delete/un-delete/archive/un-archive any channel
- Manage members and attachments of any channel
- Send/Embed messages, Reply in threads
- Send attachments to channels (if they're enabled in the Messaging settings)
- Update/delete own/all messages
If no explicit "Allow" or "Deny" rules are set, we use a set of business logic rules as well.
If a user doesn't have explicit allowance to delete any channel, but they can create a public channel, they will still be able to delete this channel, as they are its owner.