botbook/src/chapter-04-gbui/admin-user-views.md

# Admin vs User Views

The General Bots Suite separates functionality into two distinct interfaces: the **User View** for personal productivity and the **Admin View** for organization management. This separation ensures users only see features relevant to their role while administrators have access to system-wide controls.

## Overview

| View | Access | Purpose |
|------|--------|---------|
| **User View** | All authenticated users | Personal settings, files, tasks, calendar |
| **Admin View** | Users with `admin` role | Organization management, user provisioning, DNS |

## User View

The User View is the default interface for all authenticated users. It provides access to personal productivity tools and settings.

### Accessing User Settings

1. Click your **avatar** in the top-right corner
2. Select **Settings**

### User Settings Sections

**Profile**
- Display name and avatar
- Email address
- Language and timezone

**Security**
- Change password
- Two-factor authentication (2FA)
- Active sessions management
- Trusted devices

**Appearance**
- Theme selection (dark, light, blue, purple, green, orange)
- Accent color
- Font size preferences

**Notifications**
- Email notification preferences
- Desktop alerts
- Sound settings

**Storage**
- View storage quota usage
- Manage connected storage providers
- Clear cache

**Integrations**
- API keys for external access
- Webhook configurations
- Connected OAuth providers

**Privacy**
- Data visibility settings
- Online status preferences
- Data export and account deletion

### User API Endpoints

All user endpoints use the `/api/user/` prefix:

| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/user/profile` | GET, PUT | User profile data |
| `/api/user/password` | POST | Change password |
| `/api/user/security/2fa/status` | GET | 2FA status |
| `/api/user/security/2fa/enable` | POST | Enable 2FA |
| `/api/user/security/sessions` | GET | Active sessions |
| `/api/user/notifications/preferences` | GET, PUT | Notification settings |
| `/api/user/storage` | GET | Storage quota |
| `/api/user/api-keys` | GET, POST, DELETE | API key management |
| `/api/user/webhooks` | GET, POST, DELETE | Webhook management |
| `/api/user/data/export` | POST | Request data export |

## Admin View

The Admin View provides organization-wide management capabilities. Access requires the `admin` role.

### Accessing Admin Panel

1. Click your **avatar** in the top-right corner
2. Select **Admin Panel**

If you don't see "Admin Panel", you don't have administrator privileges.

### Admin Panel Sections

**Dashboard**
- Quick statistics (users, groups, bots, storage)
- System health overview
- Recent activity feed
- Quick action buttons

**Users**
- View all organization users
- Create new users
- Edit user details and roles
- Disable or delete accounts
- Reset user passwords

**Groups**
- Create and manage groups
- Assign users to groups
- Set group permissions
- Manage group invitations

**Bots**
- View deployed bots
- Bot configuration management
- Usage statistics per bot

**DNS**
- Register custom hostnames
- Manage DNS records
- SSL certificate status

**Audit Log**
- View all system events
- Filter by user, action, or date
- Export audit reports

**Organization Billing** (Admin-level)
- Organization subscription status
- Usage across all users
- Payment methods for organization
- Invoice history

### Admin API Endpoints

All admin endpoints use the `/api/admin/` prefix and require `admin` role:

| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/admin/dashboard` | GET | Dashboard statistics |
| `/api/admin/users` | GET, POST | List/create users |
| `/api/admin/users/:id` | GET, PUT, DELETE | Manage specific user |
| `/api/admin/groups` | GET, POST | List/create groups |
| `/api/admin/groups/:id` | GET, PUT, DELETE | Manage specific group |
| `/api/admin/bots` | GET | List organization bots |
| `/api/admin/dns` | GET, POST, DELETE | DNS management |
| `/api/admin/audit` | GET | Audit log entries |
| `/api/admin/stats/*` | GET | Various statistics |
| `/api/admin/health` | GET | System health status |
| `/api/admin/activity/recent` | GET | Recent activity feed |

## Permission Levels

The system uses role-based access control (RBAC):

| Role | User View | Admin View | Description |
|------|-----------|------------|-------------|
| `guest` | Limited | ❌ | Read-only chat access |
| `user` | ✅ | ❌ | Standard user features |
| `manager` | ✅ | Partial | Can view monitoring |
| `admin` | ✅ | ✅ | Full system access |

### Checking User Role

In BASIC scripts, check the user's role:

```basic
role = user.role

IF role = "admin" THEN
    TALK "Welcome, administrator!"
ELSE
    TALK "Welcome, " + user.name
END IF
```

## Desktop App Considerations

When running the Suite as a desktop application (via Tauri), additional features become available:

**Desktop-Only Features**
- Local file system access
- Rclone-based file synchronization
- System tray integration
- Native notifications

**Sync Feature**
The desktop app can sync local folders with cloud Drive using rclone:

1. Configure remote in Settings → Storage → Sync
2. Select local folder to sync
3. Start/stop sync from Drive sidebar

Note: Sync controls (`/files/sync/start`, `/files/sync/stop`) communicate with the local rclone process on the desktop. These features are not available in the web-only version.

## Security Best Practices

**For Users**
- Enable 2FA on your account
- Review active sessions regularly
- Use strong, unique passwords
- Revoke unused API keys

**For Administrators**
- Follow principle of least privilege
- Review audit logs regularly
- Rotate service account credentials
- Monitor for unusual activity
- Keep user list current (remove departed employees)

## Related Documentation

- [Permissions Matrix](../chapter-12-auth/permissions-matrix.md) - Detailed permission definitions
- [User Authentication](../chapter-12-auth/user-auth.md) - Login and session management
- [REST Endpoints](../chapter-10-rest/README.md) - Complete API reference
- [Suite User Manual](./suite-manual.md) - End-user guide
Reorganize chapters and add admin/user views documentation Chapter renames: - chapter-09-api -> chapter-09-tools (LLM Tools) - chapter-10-api -> chapter-10-rest (REST Endpoints) New documentation: - chapter-04-gbui/admin-user-views.md: Complete guide to User vs Admin interfaces - User Settings (/api/user/): profile, security, notifications, storage - Admin Panel (/api/admin/): users, groups, bots, DNS, audit - Permission levels: guest, user, manager, admin - Desktop sync considerations Updated: - Drive app docs with sync feature (rclone, desktop-only) - All cross-references to renamed chapters - SUMMARY.md with new structure and admin-user-views entry 2025-12-05 06:50:56 -03:00			`# Admin vs User Views`

			`The General Bots Suite separates functionality into two distinct interfaces: the User View for personal productivity and the Admin View for organization management. This separation ensures users only see features relevant to their role while administrators have access to system-wide controls.`

			`## Overview`

			`\| View \| Access \| Purpose \|`
			`\|------\|--------\|---------\|`
			`\| User View \| All authenticated users \| Personal settings, files, tasks, calendar \|`
			\| Admin View \| Users with `admin` role \| Organization management, user provisioning, DNS \|

			`## User View`

			`The User View is the default interface for all authenticated users. It provides access to personal productivity tools and settings.`

			`### Accessing User Settings`

			`1. Click your avatar in the top-right corner`
			`2. Select Settings`

			`### User Settings Sections`

			`Profile`
			`- Display name and avatar`
			`- Email address`
			`- Language and timezone`

			`Security`
			`- Change password`
			`- Two-factor authentication (2FA)`
			`- Active sessions management`
			`- Trusted devices`

			`Appearance`
			`- Theme selection (dark, light, blue, purple, green, orange)`
			`- Accent color`
			`- Font size preferences`

			`Notifications`
			`- Email notification preferences`
			`- Desktop alerts`
			`- Sound settings`

			`Storage`
			`- View storage quota usage`
			`- Manage connected storage providers`
			`- Clear cache`

			`Integrations`
			`- API keys for external access`
			`- Webhook configurations`
			`- Connected OAuth providers`

			`Privacy`
			`- Data visibility settings`
			`- Online status preferences`
			`- Data export and account deletion`

			`### User API Endpoints`

			All user endpoints use the `/api/user/` prefix:

			`\| Endpoint \| Method \| Description \|`
			`\|----------\|--------\|-------------\|`
			\| `/api/user/profile` \| GET, PUT \| User profile data \|
			\| `/api/user/password` \| POST \| Change password \|
			\| `/api/user/security/2fa/status` \| GET \| 2FA status \|
			\| `/api/user/security/2fa/enable` \| POST \| Enable 2FA \|
			\| `/api/user/security/sessions` \| GET \| Active sessions \|
			\| `/api/user/notifications/preferences` \| GET, PUT \| Notification settings \|
			\| `/api/user/storage` \| GET \| Storage quota \|
			\| `/api/user/api-keys` \| GET, POST, DELETE \| API key management \|
			\| `/api/user/webhooks` \| GET, POST, DELETE \| Webhook management \|
			\| `/api/user/data/export` \| POST \| Request data export \|

			`## Admin View`

			The Admin View provides organization-wide management capabilities. Access requires the `admin` role.

			`### Accessing Admin Panel`

			`1. Click your avatar in the top-right corner`
			`2. Select Admin Panel`

			`If you don't see "Admin Panel", you don't have administrator privileges.`

			`### Admin Panel Sections`

			`Dashboard`
			`- Quick statistics (users, groups, bots, storage)`
			`- System health overview`
			`- Recent activity feed`
			`- Quick action buttons`

			`Users`
			`- View all organization users`
			`- Create new users`
			`- Edit user details and roles`
			`- Disable or delete accounts`
			`- Reset user passwords`

			`Groups`
			`- Create and manage groups`
			`- Assign users to groups`
			`- Set group permissions`
			`- Manage group invitations`

			`Bots`
			`- View deployed bots`
			`- Bot configuration management`
			`- Usage statistics per bot`

			`DNS`
			`- Register custom hostnames`
			`- Manage DNS records`
			`- SSL certificate status`

			`Audit Log`
			`- View all system events`
			`- Filter by user, action, or date`
			`- Export audit reports`

			`Organization Billing (Admin-level)`
			`- Organization subscription status`
			`- Usage across all users`
			`- Payment methods for organization`
			`- Invoice history`

			`### Admin API Endpoints`

			All admin endpoints use the `/api/admin/` prefix and require `admin` role:

			`\| Endpoint \| Method \| Description \|`
			`\|----------\|--------\|-------------\|`
			\| `/api/admin/dashboard` \| GET \| Dashboard statistics \|
			\| `/api/admin/users` \| GET, POST \| List/create users \|
			\| `/api/admin/users/:id` \| GET, PUT, DELETE \| Manage specific user \|
			\| `/api/admin/groups` \| GET, POST \| List/create groups \|
			\| `/api/admin/groups/:id` \| GET, PUT, DELETE \| Manage specific group \|
			\| `/api/admin/bots` \| GET \| List organization bots \|
			\| `/api/admin/dns` \| GET, POST, DELETE \| DNS management \|
			\| `/api/admin/audit` \| GET \| Audit log entries \|
			\| `/api/admin/stats/*` \| GET \| Various statistics \|
			\| `/api/admin/health` \| GET \| System health status \|
			\| `/api/admin/activity/recent` \| GET \| Recent activity feed \|

			`## Permission Levels`

			`The system uses role-based access control (RBAC):`

			`\| Role \| User View \| Admin View \| Description \|`
			`\|------\|-----------\|------------\|-------------\|`
			\| `guest` \| Limited \| ❌ \| Read-only chat access \|
			\| `user` \| ✅ \| ❌ \| Standard user features \|
			\| `manager` \| ✅ \| Partial \| Can view monitoring \|
			\| `admin` \| ✅ \| ✅ \| Full system access \|

			`### Checking User Role`

			`In BASIC scripts, check the user's role:`

			```basic
			`role = user.role`

			`IF role = "admin" THEN`
			`TALK "Welcome, administrator!"`
			`ELSE`
			`TALK "Welcome, " + user.name`
			`END IF`
			```

			`## Desktop App Considerations`

			`When running the Suite as a desktop application (via Tauri), additional features become available:`

			`Desktop-Only Features`
			`- Local file system access`
			`- Rclone-based file synchronization`
			`- System tray integration`
			`- Native notifications`

			`Sync Feature`
			`The desktop app can sync local folders with cloud Drive using rclone:`

			`1. Configure remote in Settings → Storage → Sync`
			`2. Select local folder to sync`
			`3. Start/stop sync from Drive sidebar`

			Note: Sync controls (`/files/sync/start`, `/files/sync/stop`) communicate with the local rclone process on the desktop. These features are not available in the web-only version.

			`## Security Best Practices`

			`For Users`
			`- Enable 2FA on your account`
			`- Review active sessions regularly`
			`- Use strong, unique passwords`
			`- Revoke unused API keys`

			`For Administrators`
			`- Follow principle of least privilege`
			`- Review audit logs regularly`
			`- Rotate service account credentials`
			`- Monitor for unusual activity`
			`- Keep user list current (remove departed employees)`

			`## Related Documentation`

			`- [Permissions Matrix](../chapter-12-auth/permissions-matrix.md) - Detailed permission definitions`
			`- [User Authentication](../chapter-12-auth/user-auth.md) - Login and session management`
			`- [REST Endpoints](../chapter-10-rest/README.md) - Complete API reference`
			`- [Suite User Manual](./suite-manual.md) - End-user guide`