Site guide — roles, admin tasks & email

The Admin & Roles Overview covers permissions, admin areas, workflows, and who receives operational email — all in one place on the live site.

Published on the site: https://nsva.org/help/admin-site-guide — use this page in the browser for printing or sharing; no source code access required.

New to the Admin screens? Start with the non-technical walkthrough: Admin dashboard — simple guide.

Contract / SOW traceability (A–I): see SOW-CONTRACT-A-I.md.


This document is an overview of what the NSVA website can do, focused on:

  • What each role can access
  • What admin panels exist
  • What workflows generate notifications / email
  • Where to look when something is “stuck”

It is intended to be printed/exported to PDF for officers and administrators.


1) Quick map of the site

Public (not signed in)

  • Homepage: overview and navigation
  • Membership: membership information + application
  • Events: public events + convention registration page
  • Donate: donations flow
  • Locations: island locator
  • Member roll (/member-roll): name + primary island for active members (full roster is members-only)
  • Commander's messages (/commander): National Commander blog posts flagged in the Bulletin editor
  • Forms: public forms and form submissions (where enabled)
  • Bulletin Board: public posts (scoped by island/national rules)
  • Can Do Archives: published issues and archives

Member Dashboard (signed in)

  • Dashboard home: account summary
  • Document library (/members/library): searchable catalog of official PDFs (same catalog as sitewide; protected downloads per document rules)
  • Member Directory (/members/directory): officers/islands from national data + Member roster tab (live DB, contact fields) + Buddy Finder
  • Messages: bulletin board interaction (where permitted)
  • Orders: ships store order history
  • Calendar: registrations and RSVP
  • Notifications: in-app notifications for workflow activity
  • Island Transfer: request transfer to another island
  • Service history: buddy finder/service history features
  • Settings: profile + email preferences

Admin Panel (signed in, permissioned)

Admins access the admin area at:

  • Admin Panel: /admin

The admin panel is composed of “feature panels” (Membership, Content, Operations). Each is shown/hidden by permissions (see below).


2) How access works (roles & permissions)

The platform uses RBAC (Role-Based Access Control):

  • A member can have one or more roles
  • Roles grant permissions
  • Most admin APIs check permissions server-side (security boundary)

Important

  • UI visibility (menu items) is also gated by permissions, so a user can be “admin” but not see every admin panel.
  • The super_admin role has a server-side override for all permissions.

See SOP background:


3) Current roles (baseline)

These role names are the canonical system roles:

  • member
  • island_officer
  • island_admin
  • regional_commander
  • secretary
  • national_admin
  • super_admin

4) Permissions (capability list)

These permission names are what the app checks to allow admin actions.

Membership

  • approve_members: review/approve/reject membership applications
  • manage_members: edit member profiles, unlock accounts, force resets
  • view_members: view the member list and member details
  • export_members: export member data

Content

  • post_blog: create/publish blog posts
  • manage_blog: edit/delete any blog posts
  • post_message: post to message boards
  • moderate_messages: remove/flag messages
  • manage_site_images: edit public site imagery (hero/quick links/page banners)

Store

  • manage_store: manage store products/inventory
  • view_orders: view order details
  • manage_orders: update order status and shipping

Calendar

  • manage_calendar: create/edit calendar events

Forms / Admin

  • manage_forms: create/edit/publish custom forms
  • view_audit_log: view audit history of sensitive actions
  • manage_island: edit island details/settings
  • review_island_transfers: process island transfer requests
  • send_newsletter: send email news blasts
  • manage_notifications: send system notifications
  • manage_roles: create/modify roles
  • manage_permissions: assign roles/permissions to members

Access / scope

  • access_admin_panel: access the admin landing page and admin panels that only need basic admin access
  • view_all_content: view content across islands (scope expansion)
  • access_national_board: access national board content where used

System

  • system_admin: maintenance endpoints and high-privilege operations

5) Role → permissions (summary)

This is a summary of the baseline mapping currently seeded.

  • member
    • Post messages
  • island_officer
    • Post messages, view members
  • island_admin
    • Admin access + membership management + orders + calendar + island settings
  • regional_commander
    • Broad admin access + blog management + permissions management + audit log
  • secretary
    • Admin access + island transfer review (focused)
  • national_admin
    • Most permissions (everything except newsletter + system_admin by default)
  • super_admin
    • All permissions (developer/system role)

If someone can’t see a panel, they are missing the permission that gates it (see “Admin panels and what they do” below).


6) Admin panels and what they do

This section describes each major admin panel and the typical officer job function it supports.

Membership → Applications (/admin/applications)

Purpose

  • Review membership applications
  • Approve/reject applications
  • Manage DD214 verification flow (where applicable)

Primary permissions

  • approve_members

Membership → Member Management (/admin/members)

Purpose

  • Search and view members
  • Unlock accounts
  • Force password reset
  • Update member info/status

Primary permissions

  • view_members (view/list)
  • manage_members (edit/unlock/reset)

Membership → Island Transfers (/admin/island-transfers)

Purpose

  • Review transfer requests
  • Approve/reject/mark under review (workflow dependent)

Primary permissions

  • review_island_transfers (or broad admin)

Membership → Island Charter Applications (/admin/island-charter-applications)

Purpose

  • Review island charter requests
  • Approve/reject with notes

Primary permissions

  • approve_members

Membership → Duty Station Requests (/admin/duty-station-requests)

Purpose

  • Review and approve/reject duty station submissions (data quality + moderation)

Primary permissions

  • approve_members (current gate)

Membership → Convention Registrations (/admin/convention-registrations)

Purpose

  • Manage convention registrations through a full admin workflow
    • Approve / Reject / Cancel
    • Mark Paid / Pending / Refunded
  • Send registrant updates and office notifications

Primary permissions

  • access_admin_panel (and other membership/admin roles that include it)

Content → Island Locations (/admin/islands)

Purpose

  • Create/edit island listings displayed on /locations

Primary permissions

  • access_admin_panel + manage_island

Content → Site Images (/admin/site-images)

Purpose

  • Update public-facing imagery:
    • Homepage hero slideshow
    • Quick Links images
    • Hero/banner images across public pages

Primary permissions

  • manage_site_images

Content → Calendar (/admin/calendar)

Purpose

  • Create, update, move, delete events
  • Configure event fees and registration settings

Primary permissions

  • manage_calendar

Content → Can Do Uploads (/admin/can-do-issues)

Purpose

  • Upload PDF issues and publish them to the public archive

Primary permissions

  • post_blog or manage_blog (current gate)

Content → News Blast (/admin/newsletter)

Purpose

  • Send a newsletter blast to members (outbound email must be configured — see EMAIL.md)

Primary permissions

  • send_newsletter

Operations → Ships Store (/admin/store)

Purpose

  • Create/edit products
  • Manage store listings and inventory

Primary permissions

  • manage_store

Operations → Store Orders (/admin/orders)

Purpose

  • Review orders
  • Update shipping/tracking
  • Mark refunds (where supported)

Primary permissions

  • view_orders / manage_orders / manage_store

Operations → Analytics & Reports (/admin/analytics)

Purpose

  • Operational stats: pipeline counts, revenue, orders, membership trends

Primary permissions

  • Broad admin access (one of: view_orders, manage_store, access_admin_panel)

Operations → Sponsorship pipeline (/admin/sponsorship)

Purpose

  • Review sponsorship inquiries and update their status

Primary permissions

  • access_admin_panel

Operations → Operations Center (/admin/operations)

Purpose

  • Verify routing and SOP recipients
  • Operational visibility

Primary permissions

  • access_admin_panel (and some endpoints allow manage_notifications)

Operations → General Requests (/admin/general-requests)

Purpose

  • Handle “contact us” / general request submissions

Primary permissions

  • access_admin_panel

Operations → Audit Log (/admin/audit-log)

Purpose

  • Review sensitive actions and approvals across the site

Primary permissions

  • view_audit_log

Operations → Roles & Permissions (/admin/roles)

Purpose

  • Assign roles to members
  • Manage permission mappings

Primary permissions

  • manage_roles and/or manage_permissions
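
The server-side check from section 2, applied to four panel gates from section 6, as an added example (not the site's own code). The island_admin permission list is an assumed expansion of its summary line in section 5, and `effectivePermissions` and `canAccess` are hypothetical names.

```typescript
// Constructed role map: member and island_officer follow section 5 as stated;
// the island_admin list is an ASSUMED expansion of its one-line summary.
const ROLE_PERMISSIONS = new Map<string, string[]>([
  ["member", ["post_message"]],
  ["island_officer", ["post_message", "view_members"]],
  ["island_admin", ["access_admin_panel", "view_members", "manage_members",
    "view_orders", "manage_orders", "manage_calendar", "manage_island"]],
]);

// Gates taken from section 6: every "all" entry is required, plus one "any" entry.
type Gate = { all?: string[]; any?: string[] };
const PANEL_GATES = new Map<string, Gate>([
  ["/admin/site-images", { all: ["manage_site_images"] }],
  ["/admin/islands", { all: ["access_admin_panel", "manage_island"] }],
  ["/admin/orders", { any: ["view_orders", "manage_orders", "manage_store"] }],
  ["/admin/audit-log", { all: ["view_audit_log"] }],
]);

// Union of permissions across all roles held; unknown role names grant nothing.
function effectivePermissions(roles: string[]): Set<string> {
  const perms = new Set<string>();
  for (const role of roles) {
    for (const p of ROLE_PERMISSIONS.get(role) ?? []) perms.add(p);
  }
  return perms;
}

// Hypothetical server-side decision for one admin route (deny by default).
function canAccess(roles: string[], route: string): boolean {
  const gate = PANEL_GATES.get(route);
  if (!gate) return false; // unregistered route: refuse rather than allow
  if (roles.includes("super_admin")) return true; // override from section 2
  const perms = effectivePermissions(roles);
  const allOk = (gate.all ?? []).every((p) => perms.has(p));
  const anyOk = !gate.any || gate.any.some((p) => perms.has(p));
  return allOk && anyOk;
}
```

The maps are `Map` objects rather than plain objects so that a role or route named like an inherited property (for example `constructor`) cannot resolve to a truthy value and pass the gate.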

7) Emails & notifications (how routing works)

Office mailbox routing (email)

Many workflows send email to role-based office inboxes (not individuals), using the national routing configuration.

Defaults can be overridden via environment variables:

  • NSVA_OFFICE_EMAIL_<KEY>

Convention registration routing (example)

Convention workflow emails route to:

  • ConventionChair@nsva.org
  • EventsCoordinator@nsva.org
  • Secretary@nsva.org
  • Treasurer@nsva.org

In-app notifications

In addition to emails, many workflows also post in-app admin notifications so admins see the queue without relying on email alone.


8) Common “where is it?” troubleshooting

“A user can’t see an admin panel”

  • They’re missing the permission that gates it (for example, Site Images requires manage_site_images).
  • Verify in Admin → Roles & Permissions.

“A workflow didn’t email anyone”

  • Verify production email config (Microsoft 365 SMTP, EMAIL_FROM @nsva.org) — see EMAIL.md
  • Verify routing recipients:
    • GET /api/admin/operations/routing (admin-only)

“A registration/order/application is stuck”

  • Check the relevant admin panel queue:
    • Membership applications: /admin/applications
    • Transfers: /admin/island-transfers
    • Convention: /admin/convention-registrations
    • Store orders: /admin/orders
  • Check audit log for recent actions:
    • /admin/audit-log

9) GCP Cloud Scheduler (cron jobs)

These jobs call authenticated HTTP routes on the Cloud Run service. They are separate from Ship’s Store webhooks.

What runs

| Job | Route | Purpose |
| --- | --- | --- |
| Membership renewal reminders | POST /api/cron/membership-renewal-reminders | Emails at 90 / 30 / 7 days before annual expiry (UTC calendar days) |
| Commander digest | POST /api/cron/commander-digest | Weekly email listing new National Commander posts (isCommanderMessage) |

Required environment (Cloud Run)

| Variable | Notes |
| --- | --- |
| NSVA_CRON_SECRET | Shared secret; send as X-Cron-Secret: <value> or Authorization: Bearer <value> |
| APP_URL | Public site base URL (e.g. https://nsva.org) — used in email links |

Optional in-process scheduling (long-lived Node only, e.g. some VMs): set NSVA_CRON_ENABLED=true with the same secret — see instrumentation.ts. Cloud Run scale-to-zero usually prefers Cloud Scheduler → HTTP instead.

Automation: Infrastructure operators may create the jobs in the Google Cloud Console or use a deployment runbook script, if your organization provides one. Jobs must use NSVA_CRON_SECRET (Secret Manager: nsva-cron-secret) and target https://nsva.org unless your service URL differs.

Example: create jobs (replace placeholders)

Set variables once:

export PROJECT_ID=your-gcp-project
export REGION=us-central1
export SERVICE_URL="https://YOUR-CLOUD-RUN-URL.run.app"
export CRON_SECRET="$(gcloud secrets versions access latest --secret=nsva-cron-secret)"

Daily renewal run (after 08:00 UTC the job catches members whose expiry is exactly 90/30/7 days away; adjust cron if needed):

gcloud scheduler jobs create http nsva-membership-renewal \
  --project="$PROJECT_ID" --location="$REGION" \
  --schedule="0 8 * * *" \
  --uri="${SERVICE_URL}/api/cron/membership-renewal-reminders" \
  --http-method=POST \
  --headers="Content-Type=application/json,X-Cron-Secret=${CRON_SECRET}" \
  --attempt-deadline=600s

Weekly Commander digest (Monday 08:00 UTC; aligns with default NSVA_CRON_DIGEST_SCHEDULE):

gcloud scheduler jobs create http nsva-commander-digest \
  --project="$PROJECT_ID" --location="$REGION" \
  --schedule="0 8 * * 1" \
  --uri="${SERVICE_URL}/api/cron/commander-digest" \
  --http-method=POST \
  --headers="Content-Type=application/json,X-Cron-Secret=${CRON_SECRET}" \
  --attempt-deadline=600s

Store NSVA_CRON_SECRET in Secret Manager (e.g. nsva-cron-secret) and reference it from Cloud Run env — do not commit secrets.
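
One way a cron route can verify the shared secret in either header form listed above, as an added example (not the site's own code). `safeEqual`, `presentedSecret`, `authorizeCron` and the result strings are hypothetical names, and the sample secret in any call is constructed.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type CronAuth = "ok" | "unauthorized" | "misconfigured";
type Headers = Record<string, string | undefined>;

// Compare without leaking where the strings differ. Both sides are hashed to a
// fixed length first because timingSafeEqual throws on unequal lengths.
function safeEqual(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a).digest();
  const hb = createHash("sha256").update(b).digest();
  return timingSafeEqual(ha, hb);
}

// Read the presented secret from X-Cron-Secret or Authorization: Bearer.
// Header names are expected lower-cased, as Node delivers them.
function presentedSecret(headers: Headers): string | null {
  const direct = headers["x-cron-secret"];
  if (direct) return direct;
  const match = /^Bearer (.+)$/i.exec(headers["authorization"] ?? "");
  return match?.[1] ?? null;
}

// Decide before the job does any work. `configured` is the NSVA_CRON_SECRET value.
function authorizeCron(headers: Headers, configured: string | undefined): CronAuth {
  // Fail closed: an unset or blank secret must never match a blank header.
  if (!configured || configured.trim() === "") return "misconfigured";
  const presented = presentedSecret(headers);
  if (presented === null) return "unauthorized";
  return safeEqual(presented, configured) ? "ok" : "unauthorized";
}
```

The value passed with `--headers` is stored in the Cloud Scheduler job definition, so permission to view or edit those jobs should be treated as access to the secret.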

PII purge (optional, different secret): POST /api/admin/maintenance/purge-pii with X-Purge-Secret — configure PII_PURGE_* in the hosting environment / Secret Manager per your retention policy.


10) Exporting this document to PDF

  1. Open https://nsva.org/help/admin-site-guide in your browser.
  2. Use Print → Save as PDF (or your browser’s equivalent).