# Console Tenant Administration

This document describes tenant administration workflows in the Console: creating tenants, managing access, and operating safely in multi-tenant deployments.

## Tenant Lifecycle

Typical tenant operations:

- Create and deactivate tenants
- Configure tenant identity and display attributes (name, tags)
- Review tenant-level configuration and capabilities (feature exposure is configuration-driven)

## Access Control

Tenant administration typically includes:

- Role assignment (who can operate vs approve vs audit)
- Scope allocation (what each role is allowed to do)
- Optional ABAC filters (environment/project constraints)

See:

- `docs/security/scopes-and-roles.md`
- `docs/security/tenancy-overview.md`
- `docs/architecture/console-admin-rbac.md`

## Safety and Auditability

- All admin actions must be auditable (who, what, when, tenant).
- Prefer reversible operations:
  - deactivate instead of delete
  - rotate credentials instead of reusing
- Make tenant context explicit in the UI to avoid cross-tenant mistakes.

## Offline / Air-Gap Notes

- Admin actions should remain available in sealed-mode, but any import/export should be explicit and verified.
- When operating from Offline Kit snapshots, show snapshot identity and staleness for admin-relevant views (feeds, policies, issuer trust).

## References

- Console operator guide: `docs/15_UI_GUIDE.md`
- Offline Kit: `docs/24_OFFLINE_KIT.md`
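
The rules under Safety and Auditability, as an added Python sketch (not Console code): every admin action, including a refused one, yields a who/what/when/tenant record, tenants are deactivated rather than deleted, and the target must match the tenant context shown in the UI. `TenantAdmin`, `AuditRecord`, the action names and the in-memory log are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical names throughout: this is not the Console's API or data model.
@dataclass
class Tenant:
    tenant_id: str
    active: bool = True

@dataclass(frozen=True)
class AuditRecord:
    who: str      # authenticated actor
    what: str     # action name
    when: str     # UTC timestamp, ISO 8601
    tenant: str   # tenant the action targeted
    outcome: str  # "ok" or "denied:<reason>"

class AdminActionDenied(Exception):
    pass

class TenantAdmin:
    def __init__(self, tenants):
        self.tenants = {t.tenant_id: t for t in tenants}
        self.audit_log = []  # stand-in for an append-only audit store

    def _audit(self, who, what, tenant, outcome):
        when = datetime.now(timezone.utc).isoformat()
        record = AuditRecord(who, what, when, tenant, outcome)
        self.audit_log.append(record)
        return record

    def set_active(self, actor, ui_tenant, target, active):
        """Deactivate or reactivate; there is deliberately no delete."""
        what = "tenant.reactivate" if active else "tenant.deactivate"
        # The tenant shown in the UI must be the tenant being changed.
        if ui_tenant != target:
            self._audit(actor, what, target, "denied:tenant-context-mismatch")
            raise AdminActionDenied(f"UI context {ui_tenant!r} != target {target!r}")
        tenant = self.tenants.get(target)
        if tenant is None:
            self._audit(actor, what, target, "denied:unknown-tenant")
            raise AdminActionDenied(f"unknown tenant {target!r}")
        tenant.active = active
        return self._audit(actor, what, target, "ok")
```

Refused attempts are written to the log before the exception is raised, so an auditor sees cross-tenant mistakes as well as successful changes.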