Administration

Super Admin Guide

A complete walkthrough for platform administrators. Learn how to set up your organization, manage tenants and users, configure modules, and secure your CMO ALTO instance.

First-Time Setup

When you first access CMO ALTO, the Setup Wizard at /setup guides you through four steps to create your organization.

Step 1: Create Organization

  • Organization Name — Your company or entity name (e.g. “Acme Corp”).
  • Slug — A URL-safe identifier auto-generated from the name. You can customise it.
  • Country — Primary country of operation (sets locale defaults).
  • Industry — Select from 17 industry categories for tailored module recommendations.

Step 2: Create Admin Account

  • Full Name — The display name for the super-admin account.
  • Email — Used for login and account recovery. Must be a valid email.
  • Password — Minimum 8 characters. Must contain uppercase, lowercase, a number, and a special character.
This account becomes the root Super Admin. Store credentials securely — you'll use them to create additional admin accounts later.

Step 3: Select Modules

Choose which modules to enable for your organization. The Core module (dashboard, users, settings) is always on. Optional modules include:

  • HR Management
  • Finance & Billing
  • CRM & Sales
  • Project Management
  • Marketing
  • Analytics
  • Documents
  • Communication

You can enable or disable modules at any time from Admin → Modules. Start lean and add as needed.

Step 4: Confirm & Launch

Review your settings on the summary screen. When ready, click “Launch CMO ALTO”. The system will:

  1. Create the organization / tenant record
  2. Provision the admin user with Super Admin role
  3. Enable selected modules and seed default data
  4. Redirect you to the Admin Dashboard

Tenant Management

CMO ALTO is multi-tenant. Each tenant represents an independent organization with its own users, data, and module configuration.

Navigating to Tenants

Admin Dashboard → Tenants

Creating a New Tenant

  1. Click “Add Tenant” in the top-right corner.
  2. Enter the organization name, slug, country, and industry.
  3. Choose a subscription plan (if applicable).
  4. Set the user limit and storage quota.
  5. Click “Create Tenant” to provision the organization.

Enable/Disable Modules per Tenant

  1. Open the tenant from the tenant list.
  2. Navigate to the “Modules” tab.
  3. Toggle modules on or off. Changes take effect immediately.
  4. Disabled modules hide their navigation items for all tenant users.

Managing User Limits

Each tenant has a configurable user cap. When the limit is reached, new user invitations are blocked. Adjust limits from the tenant settings panel under “Subscription & Limits”.

User Management

Manage who can access the platform, what they can do, and which branches they belong to.

Inviting Users

Admin → Users → Invite User

  1. Click “Invite User” or “Add User”.
  2. Enter the user's email address and full name.
  3. Select a role: Super Admin, Admin, Manager, or Employee.
  4. Optionally assign a branch / department.
  5. The user receives an email invitation with a secure link to set their password.

Role Hierarchy

| Role | Scope | Key Permissions |
|------|-------|-----------------|
| Super Admin | All tenants | Everything — tenant CRUD, system config, security |
| Admin | Own tenant | User management, modules, settings within tenant |
| Manager | Department / Branch | Approvals, reports, team oversight |
| Employee | Self-service | Own profile, leave, payslips, tasks |

Branch Assignments

If your organization has multiple branches or locations, assign each user to their primary branch. Managers automatically inherit visibility over their branch's employees. Multi-branch assignment is supported for regional managers.

Bulk Import

For large teams, use the Bulk Import feature (CSV upload) from the Users page. Download the template, fill in user details, and upload. The system validates data and sends invitations automatically.
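
A pre-upload check for the failures the Troubleshooting section lists for bulk import (duplicate emails, dates not in YYYY-MM-DD, missing required fields), plus roles outside the four named in this guide. This is an added example, not part of CMO ALTO: the column names, the function names and the sample rows are assumptions, so take the real headers from the downloaded template.

```python
import csv
import io
import re
from datetime import datetime

# Assumed column names; take the real headers from the downloaded template.
REQUIRED = ["email", "full_name", "role"]
DATE_COLUMNS = ["start_date"]
ROLES = {"Super Admin", "Admin", "Manager", "Employee"}  # roles named in this guide

# Constructed sample rows, not real user data.
SAMPLE = """email,full_name,role,start_date
ana@example.com,Ana Ruiz,Manager,2024-03-01
ANA@example.com,Ana R.,Employee,2024-03-01
bob@example.com,,Employee,01/04/2024
eve@example.com,Eve Lin,Owner,2024-02-30
"""

def valid_date(value):
    """Strict YYYY-MM-DD: right shape and a real calendar date."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return True

def preflight(csv_text):
    """Return (row_number, problem) pairs; row 1 is the header line."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    problems = [(1, f"missing column: {c}") for c in REQUIRED if c not in headers]
    if problems:
        return problems
    seen = {}  # lower-cased email -> first row it appeared on
    for n, row in enumerate(reader, start=2):
        cell = {k: (v or "").strip() for k, v in row.items() if k}
        problems += [(n, f"missing required field: {c}") for c in REQUIRED if not cell[c]]
        email = cell["email"].lower()
        if email in seen:
            problems.append((n, f"duplicate email (first on row {seen[email]})"))
        elif email:
            seen[email] = n
        if cell["role"] and cell["role"] not in ROLES:
            problems.append((n, f"unknown role: {cell['role']}"))
        problems += [(n, f"{c} is not a valid YYYY-MM-DD date")
                     for c in DATE_COLUMNS if cell.get(c) and not valid_date(cell[c])]
    return problems
```

Flagging an unexpected role before upload matters most for the Super Admin value, since every row in the file becomes an invitation carrying that role.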

Module Configuration

Modules are the building blocks of CMO ALTO. Enable only what your organization needs.

Admin → Modules

Core (Always On)

Dashboard, user management, settings, notifications

HR Management

Employees, attendance, leave, payroll, onboarding, offboarding, performance

Finance & Billing

Invoices, expenses, journal entries, bank reconciliation, budgeting

CRM & Sales

Leads, contacts, deals, pipeline, quotes, sales analytics

Project Management

Projects, tasks, milestones, Gantt charts, client portals

Marketing

Campaigns, email marketing, social media, workflows, analytics

Analytics & Reporting

Custom reports, dashboards, data export, scheduled reports

Document Management

File storage, version control, e-signatures, templates

Communication

Internal messaging, announcements, team chat

Disabling a module hides it from navigation but does not delete data. Re-enabling a module restores all previous data and settings.

Security Settings

Configure authentication, authorization, and security policies for your CMO ALTO instance.

JWT Configuration

  • Access Token Expiry — Default 15 minutes. Recommended: 15–60 minutes.
  • Refresh Token Expiry — Default 7 days. Adjust based on your session policy.
  • Token Rotation — Enabled by default. Each refresh issues a new token pair.

Password Policy

  • Minimum length: 8 characters (configurable up to 20).
  • Require uppercase, lowercase, digit, and special character.
  • Password history: prevent reuse of last 5 passwords.
  • Expiry policy: optional forced rotation every 90 days.

Rate Limiting

Protect against brute-force and abuse with built-in rate limiting:

  • Login attempts — 5 attempts per 15 minutes per IP. Lockout lasts 30 minutes once the limit is exceeded.
  • API rate limit — 100 requests per minute per user (configurable).
  • File uploads — 10 uploads per minute, max 25 MB per file.
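
A model of how the documented login limit plays out over time, useful for predicting when a locked-out address can try again. It is an added example, not CMO ALTO's own code, and it assumes that only failed attempts count, that the fifth failure inside the window triggers the lockout, and that the counter starts fresh afterwards; the class and function names are hypothetical.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 5      # documented: 5 login attempts ...
WINDOW = 15 * 60      # ... per 15 minutes per IP (seconds)
LOCKOUT = 30 * 60     # documented: 30-minute lockout once exceeded


class LoginThrottle:
    """Sliding-window model of the per-IP login limit (hypothetical class)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.locked_until = {}              # ip -> time the lockout ends

    def allowed(self, ip, now):
        """True if an attempt from ip may proceed at time now (seconds)."""
        until = self.locked_until.get(ip)
        if until is None:
            return True
        if now < until:
            return False
        del self.locked_until[ip]           # lockout served: start fresh
        self.failures[ip].clear()
        return True

    def record_failure(self, ip, now):
        """Count a failed login; True if it triggers the lockout (assumed: 5th)."""
        recent = self.failures[ip]
        recent.append(now)
        while recent[0] <= now - WINDOW:    # forget failures outside the window
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT
            return True
        return False


def replay(events):
    """events: time-ordered (seconds, ip) failed attempts -> outcome per event."""
    throttle, outcomes = LoginThrottle(), []
    for now, ip in events:
        if not throttle.allowed(ip, now):
            outcomes.append("blocked")
        elif throttle.record_failure(ip, now):
            outcomes.append("locked")
        else:
            outcomes.append("failed")
    return outcomes
```

A per-IP counter does not bound guesses against one account that arrive from many addresses, which is one reason to enable the 2FA option listed under Session Management for admin roles.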

Session Management

  • View active sessions for any user from Admin → Users → Sessions.
  • Force-terminate sessions remotely.
  • Enable 2FA (TOTP) for admin and sensitive roles.
  • IP allowlisting for admin panel access (optional).

Troubleshooting

Common issues and their solutions.

User cannot log in after invitation
Verify the invitation email was delivered (check spam). Ensure the invitation link hasn't expired (valid for 72 hours). You can resend the invitation from Admin → Users → Resend Invite.

Module is enabled but not showing in navigation
Clear the browser cache and refresh. If using role-based access, verify the user's role has permission to view that module. Check Admin → Modules to confirm the toggle is on for the correct tenant.

Setup wizard won't advance past Step 1
Ensure all required fields (name, slug, country, industry) are filled. The slug must be unique and URL-safe (lowercase letters, numbers, hyphens only). Check the browser console for validation errors.

API returns 401 Unauthorized
The JWT access token has expired. The client should use the refresh token to obtain a new access token. If the refresh token is also expired, the user needs to log in again. Check Security Settings → JWT Configuration for expiry values.

Bulk import fails with validation errors
Download a fresh CSV template and ensure column headers match exactly. Common issues: duplicate email addresses, invalid date formats (use YYYY-MM-DD), missing required fields. The error report downloadable after import shows each failed row.

Rate limit exceeded for an API integration
Default limit is 100 requests/minute/user. For integrations, request an elevated rate limit from Admin → Developer → API Settings. Consider implementing request batching or exponential backoff.