Platform Admin
FinToken X internal staff. The most powerful role on the platform: it can see every record and act on every surface. Every admin action is tagged as such in the audit trail so a Financial Conduct Authority (FCA) auditor can tell admin actions apart from genuine customer actions. The bypass marking is the single most important regulatory invariant for full production.
The bypass-marking invariant
The single most important rule on this page. Money-control rule 12 is non-negotiable: every action a platform admin takes on behalf of a customer must be tagged in the audit log with the actor role and the on-behalf-of subject. The regulator has to be able to read the audit log and answer "did the customer do this, or did an admin do this?" by filtering on one column, actor_role.
```jsonc
{
  "id": "audit_a8h2…",
  "timestamp": "2026-05-22T15:48:21.804Z",
  "action": "SUBMIT_INVOICE",
  "actor": "sub_marcus_doyle",
  "actor_role": "platform_admin",
  "on_behalf_of": "sub_cop_g1k_77241",        // the customer's subject ID
  "on_behalf_of_role": "sme_seller",
  "reason": "Support ticket SUP-2026-1184: customer's PDF upload failing on their device, walking them through over the phone.",
  "bypass_gate": ["GATE_3_MLRO_REQUIRED"],    // every guard that was not enforced for this action
  "chain_anchor": "0x7a2c…b811",              // Merkle root anchored on the FinToken X Network every 10 minutes
  "resource": { "type": "invoice", "reference": "FX-INV-23A4F" },
  "diff": { "…": "…" }
}
```
Console surfaces
| Route | Purpose |
|---|---|
| /admin | Console landing; Key Performance Indicators (KPIs) across the whole platform. |
| /admin/users | User management. Subject access exports. Role overrides (with audit marking). |
| /admin/roles | RBAC matrix. Read-only view of which actions each role can take, with bypass markers. |
| /admin/config | System configuration. Feature flags, sandbox-vs-production switches. |
| /admin/rate-limits | Per-tenant, per-key rate limits. |
| /admin/providers | External provider credentials (Sumsub, ComplyAdvantage, Chainalysis, Companies House, FCA register, banking rails). |
| /admin/deployments | Deployment history, rollbacks, environment promotion. |
| /admin/incidents | Incident management. Live and historical incidents with timelines. |
| /audit-log | The audit log itself. Filterable by actor, actor_role, action, time. The most-used screen during an FCA review. |
The console · /admin
Platform admin
Friday 22 May 2026 · environment production
Open incidents
Recent admin-bypass actions (last 24h · 4 entries)
Audit log · /audit-log
The single most important screen on the platform. Every action by every actor — customer, broker, lender, investor, partner, compliance, admin — lands here. Tamper-evident via Merkle anchoring to the FinToken X Network every 10 minutes.
Audit log
Filtered: actor_role = platform_admin · last 24h · 4 entries · all anchor-verified
on_behalf_of: Coppergate Joinery
Incidents · /admin/incidents
Live ops surface. The severity ladder follows standard SRE practice. Incidents that touch customer money or compliance are auto-escalated to compliance, who must sign off before the incident is resolved.
INC-114 · Sumsub webhook delays
P3 · opened 11:44 · ~2% of submissions delayed by ~3 min
Impact
- Onboarding O3 status surface lags the Sumsub decision by ~3 min.
- No customer is given a wrong outcome — the actual decision is correct, just shown later.
- No money is affected.
Timeline
- 11:44 · paged on Sumsub webhook latency > 60s
- 11:51 · acknowledged · Marcus Doyle
- 11:58 · root cause identified · Sumsub upstream queue saturation
- 12:14 · Sumsub confirmed they are scaling · ETA 30 min
- 12:38 · monitoring
Compliance escalation
Auto-escalated to Priya Lall at 11:51 because Gate 1 timing is regulator-relevant. Priya signed off on the user-facing copy ("checks running, please bear with us") at 11:54.
User management · /admin/users
Look up any subject; impersonate (with audit marking); export a Data Subject Access Request (DSAR) bundle; force a role override.
Coppergate Joinery Ltd · Aisha Mahmood
sub_cop_g1k_77241 · sme_seller · ACTIVE since 22 May 2026
Identity
Companies House (CH) 07452983 · Sumsub GREEN · ComplyAdvantage clear · Money Laundering Reporting Officer (MLRO) approved by Priya Lall on 22 May 12:18
Activity (90d)
14 invoices · £142,420 cumulative · 0 disputes · 0 Suspicious Activity Report (SAR) triggers
Admin actions
Every action taken from this panel is logged with actor_role=platform_admin and on_behalf_of=sub_cop_g1k_77241. Reasons are mandatory and recorded.
Where it can go wrong
| Branch | Mitigation |
|---|---|
| Admin acts without bypass marking | Impossible by design — the middleware sets actor_role; the API rejects customer-action requests from a platform_admin session unless on_behalf_of is set. |
| Admin tries to freeze a subject for non-compliance reasons | Freeze button requires a compliance sign-off step; freeze without sign-off is rejected at the API. |
| Audit log anchor breaks (Merkle path failure) | Audit-log surface refuses to render until ops investigate; alert pages SRE on call; compliance is auto-notified. |
| Admin attempts to retroactively edit an audit entry | Database-level append-only with row-version protection; attempts return 403 and themselves write a new audit entry of the attempt. |
| Provider credential rotation fails | Provider falls into degraded mode — onboarding pauses with a "checks running" status; customer is not silently approved. |
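The "retroactively edit an audit entry" row above, as an added Python example using sqlite3 (not FinToken X code): triggers make the table append-only at the database layer, and the application translates the refused UPDATE into a 403 plus a fresh audit entry recording who attempted what. The schema, trigger names and the AUDIT_EDIT_ATTEMPTED action name are assumptions; the page names the behaviour, not the implementation.

```python
import sqlite3
import uuid

# Added example, not FinToken X code. Table layout, trigger names and the
# AUDIT_EDIT_ATTEMPTED action are assumptions; the page states the behaviour, not the schema.
SCHEMA = """
CREATE TABLE audit_log (
    id          TEXT PRIMARY KEY,
    row_version INTEGER NOT NULL DEFAULT 1,
    actor       TEXT NOT NULL,
    actor_role  TEXT NOT NULL,
    action      TEXT NOT NULL,
    detail      TEXT
);
-- Append-only at the database layer: no UPDATE or DELETE succeeds, whatever the session role.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_log():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def append(conn, actor, actor_role, action, detail=None, entry_id=None):
    """The only write path the application exposes: a new row, never a changed one."""
    entry_id = entry_id or f"audit_{uuid.uuid4().hex[:8]}"
    conn.execute("INSERT INTO audit_log (id, actor, actor_role, action, detail) VALUES (?, ?, ?, ?, ?)",
                 (entry_id, actor, actor_role, action, detail))
    conn.commit()
    return entry_id


def attempt_edit(conn, session, entry_id, new_action):
    """Application layer: an edit to a historical entry is refused with 403, and the
    attempt itself becomes a new audit entry naming who tried and what they tried."""
    try:
        conn.execute("UPDATE audit_log SET action = ?, row_version = row_version + 1 WHERE id = ?",
                     (new_action, entry_id))
        conn.commit()
        return 200
    except sqlite3.DatabaseError:          # RAISE(ABORT) from the trigger lands here
        conn.rollback()
        append(conn, session["sub"], session["role"], "AUDIT_EDIT_ATTEMPTED",
               f"target={entry_id} attempted_action={new_action}")
        return 403


def demo():
    """Constructed sample: an admin tries to rewrite a customer's SUBMIT_INVOICE entry."""
    conn = open_log()
    append(conn, "sub_cop_g1k_77241", "sme_seller", "SUBMIT_INVOICE", "FX-INV-23A4F", entry_id="audit_0001")
    admin = {"sub": "sub_marcus_doyle", "role": "platform_admin"}
    status = attempt_edit(conn, admin, "audit_0001", "CANCEL_INVOICE")
    action, version = conn.execute("SELECT action, row_version FROM audit_log WHERE id = 'audit_0001'").fetchone()
    attempts = conn.execute("SELECT actor_role, detail FROM audit_log WHERE action = 'AUDIT_EDIT_ATTEMPTED'").fetchall()
    return {"status": status, "original_action": action, "row_version": version, "attempts": attempts}
```

The trigger is what makes the guarantee hold: it fires regardless of which application path or database role issues the statement, so a compromised admin session with a direct database handle gets the same refusal as the console.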
The invariant is enforced by three mechanisms:
- actor_role = 'platform_admin' is set by middleware, not by the caller, so a platform admin cannot present an action as the customer's own.
- on_behalf_of is required when actor_role = 'platform_admin' and action ∈ customer-actions; a request missing it is rejected by the API with 422.
- Every audit entry hashes into a Merkle root anchored to the FinToken X Network every 10 minutes, so tampering with a historical entry breaks the chain.
Compliance tests this quarterly by sampling 20 admin-bypass entries and verifying that each has an on_behalf_of, a reason, and an unbroken Merkle path.
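The three mechanisms and the quarterly check, as an added Python example (not FinToken X code): the middleware overwrites the actor fields from the session, the API rejects an admin customer action that lacks on_behalf_of or reason with 422, a window of entries is anchored into a Merkle root, and the compliance sampler re-verifies each sampled entry's inclusion path. The customer-action set, the session and request shapes, the merkle_path field name and the sample ids are assumptions; the hashing (SHA-256 over canonical JSON, last node paired with itself on odd levels) is one reasonable construction, not the platform's documented one.

```python
import hashlib
import json
import random

# Added example, not FinToken X code. The customer-action set, session and request
# shapes, field names and sample ids below are assumptions made for illustration.
CUSTOMER_ACTIONS = {"SUBMIT_INVOICE", "ACCEPT_OFFER", "REQUEST_PAYOUT"}

class ApiError(Exception):
    def __init__(self, status, detail):
        super().__init__(f"{status} {detail}")
        self.status = status

def set_actor(session, request):
    """Middleware: actor fields come from the session; caller-supplied values are dropped."""
    req = {k: v for k, v in request.items() if k not in ("actor", "actor_role")}
    req["actor"], req["actor_role"] = session["sub"], session["role"]
    return req

def build_entry(entry_id, timestamp, session, request):
    """API: an admin performing a customer action must name the subject and give a reason (else 422)."""
    req = set_actor(session, request)
    if req["actor_role"] == "platform_admin" and req["action"] in CUSTOMER_ACTIONS:
        for required in ("on_behalf_of", "reason"):
            if not req.get(required):
                raise ApiError(422, f"{required} is required for an admin customer action")
    return {"id": entry_id, "timestamp": timestamp, **req}

def leaf_hash(entry):
    """SHA-256 of the entry content, excluding the fields added by anchoring."""
    body = {k: v for k, v in entry.items() if k not in ("chain_anchor", "merkle_path")}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def _parent(left, right):
    return hashlib.sha256(bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()

def anchor_batch(entries):
    """Merkle-anchor one window: attach each entry's inclusion path and the root, return the root."""
    level = [leaf_hash(e) for e in entries]
    pos = list(range(len(level)))             # each entry's index at the current level
    paths = [[] for _ in entries]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])           # odd level: pair the last node with itself
        for i, p in enumerate(pos):
            sib = p ^ 1
            paths[i].append((level[sib], "L" if sib < p else "R"))
            pos[i] = p // 2
        level = [_parent(level[j], level[j + 1]) for j in range(0, len(level), 2)]
    for e, path in zip(entries, paths):
        e["merkle_path"], e["chain_anchor"] = path, level[0]
    return level[0]

def verify_path(entry):
    """Recompute the root from the entry and its path; any edit to the entry breaks it."""
    h = leaf_hash(entry)
    for sibling, side in entry["merkle_path"]:
        h = _parent(sibling, h) if side == "L" else _parent(h, sibling)
    return h == entry["chain_anchor"]

def quarterly_check(log, sample_size=20, seed=0):
    """Compliance sampler: admin-bypass entries missing on_behalf_of or reason, or with a broken path."""
    bypass = [e for e in log if e["actor_role"] == "platform_admin" and e["action"] in CUSTOMER_ACTIONS]
    picks = random.Random(seed).sample(bypass, min(sample_size, len(bypass)))
    failures = []
    for e in sorted(picks, key=lambda x: x["id"]):
        problems = [k for k in ("on_behalf_of", "reason") if not e.get(k)]
        if not verify_path(e):
            problems.append("merkle_path")
        if problems:
            failures.append((e["id"], problems))
    return failures

def demo():
    """Constructed window: three admin actions for a seller and one genuine seller action."""
    admin = {"sub": "sub_marcus_doyle", "role": "platform_admin"}
    seller = {"sub": "sub_cop_g1k_77241", "role": "sme_seller"}
    invoice = {"type": "invoice", "reference": "FX-INV-23A4F"}
    on_behalf = {"action": "SUBMIT_INVOICE", "on_behalf_of": seller["sub"], "on_behalf_of_role": "sme_seller",
                 "reason": "SUP-2026-1184: upload failing on customer device", "resource": invoice}
    forged = {**on_behalf, "actor": seller["sub"], "actor_role": "sme_seller"}   # caller claims to be the seller
    log = [build_entry("audit_0001", "2026-05-22T15:48:21Z", admin, on_behalf),
           build_entry("audit_0002", "2026-05-22T15:49:02Z", admin, {**on_behalf, "action": "ACCEPT_OFFER"}),
           build_entry("audit_0003", "2026-05-22T15:50:10Z", seller, {"action": "SUBMIT_INVOICE", "resource": invoice}),
           build_entry("audit_0004", "2026-05-22T15:51:44Z", admin, forged)]
    anchor_batch(log)
    results = {"forged_role_discarded": log[3]["actor_role"] == "platform_admin",
               "all_paths_verify": all(verify_path(e) for e in log),
               "clean_sample_failures": quarterly_check(log)}
    try:
        build_entry("audit_0005", "2026-05-22T15:52:00Z", admin, {"action": "SUBMIT_INVOICE", "reason": "no subject"})
        results["missing_on_behalf_of"] = None
    except ApiError as err:
        results["missing_on_behalf_of"] = err.status
    log[0]["reason"] = "edited after the fact"        # retroactive edit of a historical entry
    results["tamper_detected"] = not verify_path(log[0])
    results["tamper_sample_failures"] = quarterly_check(log)
    return results
```

Two points worth noticing when running it: the forged actor fields in the fourth request never reach the log, because set_actor discards them before anything else looks at the request; and after the retroactive edit the sampler fails only the edited entry, since each entry carries its own inclusion path against the shared root, so the check pinpoints the tampered row rather than just flagging the window.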