medium complexity · extracted · Security & Audit · Confidence: 100% · Components: 2 · Shared: 4 · User Stories: 0 · Analyzed: Yes

Description

The Security Dashboard gives organization and global administrators a consolidated real-time view of the platform's security posture. It surfaces key metrics including active session counts, recent authentication events, failed login attempts, and module access patterns, enabling admins to detect anomalies and respond proactively. As part of the always-on admin-security area it is non-toggleable and present for every tenant, supporting both day-to-day security hygiene and incident-response workflows within the Admin Web Portal. Metrics are tenant-scoped; global admins see cross-organization summaries only when a time-bounded support access grant is active.

Sources & reasoning

admin-security is explicitly listed as always-on for the Admin Web Portal (line 241), establishing MVP scope. The Security Dashboard is the primary visibility surface for that area. The strict multi-tenant isolation requirement (line 259) and the sensitive data categories processed by all four organizations justify a dedicated security metrics page from launch, not a later phase.

  • docs/source/likeperson.md · line 239-241
    Always-on core. A small set of modules is non-toggleable because the operational products are meaningless without them... Admin Web Portal: `admin-dashboard`, `admin-user-management`, `admin-organization`, `admin-security`.
  • docs/source/likeperson.md · line 259
    No default access to an organization's operational data (users, activities, contacts). Tenant separation is strict: each org's data is isolated.

Analysis

Business Value

All four partner organizations handle sensitive personal data including health information and encrypted assignments under Norwegian GDPR obligations. A dedicated security dashboard provides administrators with self-service visibility into their security posture, reducing time-to-detect for anomalies from days to minutes and eliminating ad-hoc support requests to Norse Digital Products staff. The strict multi-tenant isolation requirement means each organization needs its own scoped security view to maintain independent governance. For Norse Digital Products, a built-in security surface strengthens enterprise credibility and provides evidence of ongoing security governance for regulatory audits without requiring custom reporting work per organization.

Implementation Notes

Implemented as a Next.js SSR page (SecurityDashboardPage) backed by SecurityMetricsService, which aggregates data from audit_logs, user_sessions, and authentication events. All queries are filtered by the requesting admin's organization_id to enforce tenant isolation. Global admin cross-organization views are gated on an active support_access_grants record. Metrics are computed server-side to avoid exposing raw security data to the client. WCAG 2.2 AA compliance is required: all metric cards and visualizations must include accessible text alternatives and be keyboard-navigable. The service layer reads from the same tables used by AuditLogService and SessionManagementService to avoid data duplication.
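The two scoping rules above (filter every row by the requesting admin's organization_id; widen a global admin's view only while a support_access_grants record is active) as a worked example. This is added illustration, not the project's SecurityMetricsService; the record shapes, the field names other than the table names taken from the page, and the sample rows are all constructed.

```typescript
// Added example (not the project's code): Security Dashboard aggregation scoped by organization_id;
// a global admin sees another tenant only while a support_access_grants row is live. Shapes/rows are constructed.
type AdminContext = { userId: string; organizationId: string; isGlobalAdmin: boolean };
type UserSession = { organizationId: string; active: boolean };
type AuthEvent = { organizationId: string; at: Date; outcome: "success" | "failure" };
type SupportAccessGrant = { grantedTo: string; organizationId: string; validFrom: Date; validUntil: Date };
type SecurityMetrics = { activeSessions: number; successfulLogins: number; failedLogins: number };
// Tenants in scope: the caller's own, plus, for a global admin, each tenant with a grant
// to this admin that is live at `now`. Expired or not-yet-valid grants add nothing.
function visibleOrganizations(admin: AdminContext, grants: SupportAccessGrant[], now: Date): string[] {
  const orgs = [admin.organizationId];
  if (!admin.isGlobalAdmin) return orgs;
  const t = now.getTime();
  for (const g of grants) {
    if (g.grantedTo === admin.userId && g.validFrom.getTime() <= t && t < g.validUntil.getTime()) orgs.push(g.organizationId);
  }
  return orgs;
}

// Per-tenant counts over in-scope rows only (auth events limited to a trailing window);
// raw rows stay on the server and only these counts are rendered.
function computeMetrics(admin: AdminContext, sessions: UserSession[], events: AuthEvent[],
                        grants: SupportAccessGrant[], now: Date, windowMs = 24 * 3600 * 1000) {
  const out: Record<string, SecurityMetrics> = {};
  for (const org of visibleOrganizations(admin, grants, now)) out[org] = { activeSessions: 0, successfulLogins: 0, failedLogins: 0 };
  for (const s of sessions) { const m = out[s.organizationId]; if (m && s.active) m.activeSessions++; }
  for (const e of events) {
    const m = out[e.organizationId];
    if (!m || e.at.getTime() < now.getTime() - windowMs) continue; // other tenant, or older than the window
    if (e.outcome === "failure") m.failedLogins++; else m.successfulLogins++;
  }
  return out;
}

// Constructed sample data: two tenants with rows, one live grant (org-b) and one expired grant (org-c).
const NOW = new Date("2024-06-01T12:00:00Z");
const SESSIONS: UserSession[] = [
  { organizationId: "org-a", active: true }, { organizationId: "org-a", active: false },
  { organizationId: "org-b", active: true }, { organizationId: "org-b", active: true },
];
const EVENTS: AuthEvent[] = [
  { organizationId: "org-a", at: new Date("2024-06-01T11:00:00Z"), outcome: "failure" },
  { organizationId: "org-a", at: new Date("2024-06-01T10:00:00Z"), outcome: "success" },
  { organizationId: "org-a", at: new Date("2024-05-30T10:00:00Z"), outcome: "failure" }, // outside the 24h window
  { organizationId: "org-b", at: new Date("2024-06-01T09:00:00Z"), outcome: "failure" },
];
const GRANTS: SupportAccessGrant[] = [
  { grantedTo: "global-1", organizationId: "org-b", validFrom: new Date("2024-06-01T00:00:00Z"), validUntil: new Date("2024-06-02T00:00:00Z") },
  { grantedTo: "global-1", organizationId: "org-c", validFrom: new Date("2024-05-01T00:00:00Z"), validUntil: new Date("2024-05-02T00:00:00Z") },
];
```

An org admin of org-a gets a single tenant in the result; the global admin gets its own tenant plus org-b, and org-c stays invisible because its grant has expired.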

User Stories

No user stories have been generated for this feature yet.