System Administrator — CRMconnect
Department: IT / Admin
Level: Senior / Technical management
Primary objective: Platform runs correctly, all users have appropriate access, data is secure and intact
What this role does
The System Administrator is the technical owner of the CRMconnect instance. They configure the platform at launch, manage users and permissions, monitor system health, integrate CRMconnect with external systems, and ensure data security. They are the only person with full access (admin = 1) and are responsible for everything related to technical operation.
Detailed technical documentation (stack, security, Kubernetes, GDPR, API): IT / Administrator Guide
Modules managed
| Module | URL | Responsibility |
|---|---|---|
| General Settings | /admin/settings | Complete platform configuration |
| Staff | /admin/staff | User accounts |
| Roles & Permissions | /admin/roles | Access matrix |
| 2FA | /admin/authenticator_2fa | Two-factor authentication |
| Custom Fields | /admin/custom_fields | Business-specific fields |
| API Management | /admin/api/api_management | API tokens for integrations |
| Webhooks | /admin/webhooks | Real-time external notifications |
| Workflow Automation | /admin/workflow_automation | Internal CRM automations |
| Excel Import | /admin/excel_import | Bulk data import |
| GDPR | /admin/gdpr | Deletion and portability requests |
| Utilities | /admin/utilities | Activity log, email queue, pipe log |
| Team Password | /admin/team_password | Shared team passwords |
Initial setup — complete checklist
At first configuration of the instance, work through these steps in order:
Step 1 — Company data (`/admin/settings`)
General tab:
✓ Company name
✓ Logo light mode (PNG, max 300px width)
✓ Logo dark mode (version for dark theme)
✓ Favicon (32×32px)
✓ Full physical address (appears on PDF invoices)
✓ PDF logo width (logo width on documents)
Email tab (SMTP):
✓ email_protocol = smtp
✓ smtp_host (e.g. smtp.gmail.com or mail.company.com)
✓ smtp_port: 587 (TLS) or 465 (SSL)
✓ smtp_email (From address)
✓ smtp_username + smtp_password
✓ TEST: Send Test Email button → confirm it arrives
Localization tab:
✓ Default language
✓ Timezone (CRUCIAL for correct timestamps)
✓ Date format (DD/MM/YYYY for RO, MM/DD/YYYY for US)
✓ Thousands / decimal separator (per local standard)
Cronjob tab:
✓ Cron URL configured on server
✓ Verify last_run is updated every minute
Essential cron job. Without active cron, these won't work: recurring billing, WooCommerce sync, Marketing Automation, expiry notifications. Server configuration:
* * * * * curl -s "https://company.com/cron/index" > /dev/null
Step 2 — Organisational structure
1. /admin/departments → create company departments
(with dedicated email addresses for ticket routing)
2. /admin/roles → create roles per job function:
- Sales Agent, AR Accountant, Warehouse Operator, etc.
- Principle: least privilege — strictly necessary access
3. /admin/staff → add all users:
- Unique email (= username)
- Role assigned from list created in step 2
- Send welcome email with password setup link
Step 3 — Financial configuration
/admin/taxes → VAT rates (19%, 9%, 5%, 0%, reverse charge)
/admin/currencies → currencies used + exchange rates
/admin/paymentmodes → accepted payment methods
/admin/billing/config → number series for invoices/proposals/contracts
Step 4 — Security
/admin/authenticator_2fa → enable 2FA for all admins
/admin/roles → audit that none have more permissions than the role requires
Communicate to all users: temporary password must be changed at first login
Step 5 — Custom fields (if needed)
/admin/custom_fields → add business-specific fields:
e.g. on Leads: Industry, No. employees, Estimated budget
e.g. on Clients: VAT number, Company registration no., ERP client code
e.g. on Invoices: Customer PO no., Project reference
Step 6 — Integrations
API tokens (/admin/api/api_management):
→ Create one token per external integration
→ Named explicitly (e.g. "Zapier - Leads", "Mobile App", "ERP Sync")
→ Token displayed once only — copy immediately
Webhooks (/admin/webhooks):
→ Configure for each external system that needs notifications
→ Test with debug_mode = 1 before activating
Email Pipe (for tickets):
→ Department email forwarding → pipe.php configured on server
→ Test with a real email
User management
New employee
/admin/staff → Add Staff
→ Email (unique in system)
→ Role: select from roles list
→ Department(s): can be in multiple
→ Check "Send welcome email"
→ Save
Verify:
→ Can user log in?
→ Do they see the correct modules for their role?
→ Do they NOT see modules they shouldn't have access to?
Departing employee (offboarding)
IMMEDIATELY on departure (same day):
/admin/staff → open record → set Active = 0
Never delete an employee — deactivate!
If you do delete → system forces reassignment of ALL their records
(tickets, tasks, leads, projects) to another user you select.
Next: check and revoke connected access:
→ Corporate email
→ VPN
→ Other external systems with API tokens generated by them
Licensing limits
If you get an error when activating a new user → the licence has reached its seat limit (MEMBERS_INCLUDED + extra_seats):
- Deactivate an inactive account (active = 0) — frees up a seat
- Or contact CRMconnect to purchase additional seats
Roles and permissions — correct configuration
Access hierarchy structure
Admin (admin = 1) → full access, permissions NOT checked
↓
Staff with Role → inherit role permissions
↓
Client Contact → separate permissions (client portal)
Permission types per module
| Permission | What it means |
|---|---|
| view | Sees all records (everyone's) |
| view_own | Sees only own records / department records |
| create | Can create new records |
| edit | Can edit |
| delete | Can delete |
Recommended standard roles
Sales Agent:
Leads: view_own + create + edit
Clients: view + create
Proposals: view + create + edit
Invoices: view_own
Settings: ✗ (no access)
AR Accountant:
Invoices: view + edit
Payments: view + create
Bank Statements: view + create
Clients: view
Settings: ✗
Warehouse Operator:
Warehouse (all sub-modules): view + create + edit
Sales Orders: view
Acquisitions: view
Settings: ✗
HR Administrator:
Staff: view + create + edit
HR Profile: view + create + edit
Recruitment: view + create + edit
Payroll: view + create + edit
Settings: ✗
Individual permission overrides
If an employee needs different permissions than their role:
- Staff record → Permissions tab → set individual overrides
- Override takes priority over the general role
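One way to run the role audit against the recommended roles above, as an added example that is not CRMconnect code. The data shapes, the function names and the rule that an override replaces the role's permissions for that module are assumptions made for the illustration.

```python
# Baselines copied from the recommended roles above (two of the four shown).
BASELINE = {
    "Sales Agent": {"Leads": {"view_own", "create", "edit"},
                    "Clients": {"view", "create"},
                    "Proposals": {"view", "create", "edit"},
                    "Invoices": {"view_own"}},
    "AR Accountant": {"Invoices": {"view", "edit"},
                      "Payments": {"view", "create"},
                      "Bank Statements": {"view", "create"},
                      "Clients": {"view"}},
}
# Constructed state of /admin/roles: Sales Agent has drifted (delete on Leads).
ROLES = {
    "Sales Agent": {"Leads": {"view_own", "create", "edit", "delete"},
                    "Clients": {"view", "create"},
                    "Invoices": {"view_own"}},
    "AR Accountant": BASELINE["AR Accountant"],
}
# Constructed staff records; "overrides" models the Permissions tab (assumed shape).
ANA = {"role": "Sales Agent", "overrides": {"Settings": {"view"}}}
ERP = {"role": "AR Accountant", "admin": 1}
ION = {"role": "AR Accountant", "overrides": {"Clients": {"view_own"}}}

def effective(staff, roles):
    """Role permissions with per-module individual overrides applied on top."""
    perms = {m: set(p) for m, p in roles[staff["role"]].items()}
    for module, override in staff.get("overrides", {}).items():
        perms[module] = set(override)  # override takes priority over the role
    return perms

def excess(staff, roles):
    """Grants beyond the baseline for the staff member's role, as (module, perm)."""
    if staff.get("admin") == 1:
        return [("*", "admin=1: permissions are not checked")]
    base = BASELINE.get(staff["role"], {})
    out = []
    for module, granted in sorted(effective(staff, roles).items()):
        allowed = set(base.get(module, set()))
        if "view" in allowed:
            allowed.add("view_own")  # view already covers own records
        out += [(module, p) for p in sorted(granted - allowed)]
    return out

if __name__ == "__main__":
    for name, rec in (("ana", ANA), ("erp", ERP), ("ion", ION)):
        print(name, excess(rec, ROLES))
```

A narrowing override such as view_own in place of view produces no finding; drift in the role itself and overrides on modules outside the baseline both do.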
Daily and weekly monitoring
Daily (5 minutes)
/admin/utilities → Email Queue:
→ Blocked emails? → Process All or investigate error
/admin/utilities → pipe_log (if using email pipe for tickets):
→ Import errors? → check forward configuration
/admin/webhooks → Logs (if active webhooks):
→ Failed requests? → check destination URL
Weekly (15–20 minutes)
/admin/utilities/activity_log:
→ Unusual actions? (mass deletions, access at odd hours)
→ Logins from unknown IPs?
/admin/api/api_management:
→ API tokens with unexpectedly high usage?
→ Tokens inactive for > 6 months → deactivate them
/admin/staff → filter last_login:
→ Active users who haven't logged in for 90+ days → evaluate deactivation
2FA status (/admin/authenticator_2fa/userlist):
→ Do all admins have 2FA enabled? If not → remind or enforce
Integrations — API and Webhooks
API Management
For each new integration:
/admin/api/api_management → Add Token
→ Explicit name: "[System] - [Purpose]" (e.g. "Make.com - Leads Sync")
→ Associated staff: a dedicated integration user (not your personal account)
→ Copy the token IMMEDIATELY (displayed once only)
→ Send token securely to recipient
On departure of employee who held tokens:
→ Identify all tokens associated with them → deactivate them
→ Create new tokens and update integrations
Webhooks
When configuring a new webhook:
1. Add webhook with destination system URL
2. Select entity (Lead, Invoice, Ticket, etc.) and events (created, updated, deleted)
3. Enable debug_mode = 1 TEMPORARILY
4. Send a test event
5. Check Logs to confirm the request arrived and the response is 200 OK
6. Disable debug_mode again (otherwise logs grow rapidly)
Workflow Automation — configure internal flows
/admin/workflow_automation → Add Automation
Structure:
Trigger: what event fires it (Lead created, Ticket status changed, etc.)
Condition: additional filters (e.g. only leads from source X)
Action: what executes (notification, task created, email sent, status changed)
Standard examples to configure at initial setup:
1. Urgent Lead → immediate notification to Sales Manager
2. New ticket → department agent notification
3. Contract expiring in 60 days → renewal task for KAM
4. Invoice overdue > 30 days → automatic email reminder
5. New employee created → onboarding task for HR
Data import
Bulk Excel import
/admin/excel_import → select module (Leads, Clients, Products, etc.)
→ Download the Excel template
→ Fill in data in template (don't modify column structure!)
→ Upload file
→ System validates → shows errors row by row
→ Confirm import
Before any large import:
→ Make a backup export of existing data
→ Import 10 test rows before the full file
→ Verify data entered correctly
Custom fields — quick guide
/admin/custom_fields → Entity → Add Field
Important options:
required: mandatory at creation (think carefully — can't be disabled retroactively without missing data)
show_on_pdf: field appears on invoice/contract PDFs
show_on_client_portal: customer sees field in their portal
only_admin: field visible only to administrators
bs_column: width in form (6 = half width, 12 = full width)
Recommended types per purpose:
External code/reference → text (short)
Category/Status → select (dropdown with predefined values)
Expiry date → date_picker
Long notes → textarea
Yes/No → checkbox
Security — permanent checklist
| Check | Frequency | Where |
|---|---|---|
| 2FA active for all admins | At each admin hire | /admin/authenticator_2fa |
| Accounts deactivated on employee departure | Immediately | /admin/staff |
| Inactive API tokens revoked | Quarterly | /admin/api/api_management |
| Activity log reviewed | Weekly | /admin/utilities/activity_log |
| SMTP credentials rotated | Annually or after incident | /admin/settings Email tab |
| Roles audited (excessive permissions) | Semi-annually | /admin/roles |
| Active users without login > 90 days | Monthly | /admin/staff → last_login |
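The account and token checks in this table can be run over exported data, shown here as an added example that is not part of CRMconnect. The records are constructed; admin, active and last_login are names from this page, while two_factor, service, staff_id and last_used are assumed field names.

```python
from datetime import date

TODAY = date(2026, 3, 2)  # fixed so the constructed sample is reproducible
# Constructed exports. Only admin, active and last_login are names from the
# page; two_factor, service, staff_id and last_used are assumed for the example.
STAFF = [
    {"id": 1, "email": "root@example.test", "admin": 1, "active": 1,
     "last_login": "2026-03-01", "two_factor": 0, "service": 0},
    {"id": 2, "email": "ana@example.test", "admin": 0, "active": 1,
     "last_login": "2025-11-15", "two_factor": 0, "service": 0},
    {"id": 3, "email": "erp-sync@example.test", "admin": 1, "active": 1,
     "last_login": None, "two_factor": 1, "service": 1},
    {"id": 4, "email": "dan@example.test", "admin": 0, "active": 0,
     "last_login": "2026-01-10", "two_factor": 0, "service": 0},
]
TOKENS = [
    {"name": "ERP Sync", "staff_id": 3, "active": 1, "last_used": "2026-03-01"},
    {"name": "Zapier - Leads", "staff_id": 4, "active": 1, "last_used": "2026-02-20"},
    {"name": "Mobile App", "staff_id": 2, "active": 1, "last_used": "2025-07-01"},
    {"name": "Token 1", "staff_id": 2, "active": 0, "last_used": None},
]

def age_days(iso_day, today):
    """Days since an ISO date; a missing date counts as never (infinitely old)."""
    return (today - date.fromisoformat(iso_day)).days if iso_day else float("inf")

def audit(staff, tokens, today):
    """Return (finding, subject) pairs for active accounts and active tokens."""
    findings, by_id = [], {s["id"]: s for s in staff}
    for s in (s for s in staff if s["active"]):
        if s["admin"] and not s["two_factor"]:
            findings.append(("admin_without_2fa", s["email"]))
        if s["admin"] and s["service"]:
            findings.append(("service_account_is_admin", s["email"]))
        # Integration users authenticate with tokens, so last_login is not
        # meaningful for them (assumption); their tokens are checked below.
        if not s["service"] and age_days(s["last_login"], today) > 90:
            findings.append(("no_login_90_days", s["email"]))
    for t in (t for t in tokens if t["active"]):
        owner = by_id.get(t["staff_id"])
        if owner is None or not owner["active"]:
            findings.append(("token_owner_inactive", t["name"]))
        if age_days(t["last_used"], today) > 183:  # roughly six months
            findings.append(("token_unused_6_months", t["name"]))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(STAFF, TOKENS, TODAY):
        print(f"{finding:26} {subject}")
```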
GDPR — rights requests
Where: /admin/gdpr
When you receive a GDPR rights request:
Right of access / Portability:
→ GDPR → identify the person
→ Export all data associated with their email/ID
→ Send data in structured format (JSON/CSV)
→ Legal deadline: 30 days from receipt of request
Right to erasure (right to be forgotten):
→ GDPR → Erasure Request → enter email
→ System anonymises: replaces personal data with [DELETED]
→ Transaction history remains (for legal fiscal obligations)
→ Document the request and processing date
Team Password Manager
Where: /admin/team_password
Securely store shared team passwords (social media access, external service accounts, shared credentials, etc.):
- Passwords organised by category
- Access controlled per role/department
- Visibility separate from employees' personal passwords
System health metrics
| Indicator | Good signal | Warning signal |
|---|---|---|
| Cron last_run | Updated within < 2 min | > 5 min → cron stopped |
| Email queue | 0 blocked emails | > 10 → SMTP problem |
| API error rate | < 1% of requests | > 5% → check integration |
| Webhook delivery rate | > 99% | < 95% → destination URL problem |
| Users with 2FA | 100% admins | Any admin without 2FA |
| Active accounts without login > 90 days | 0 | Any suspiciously inactive account |
Practical tips
The principle of least privilege is your protection. If an employee has access to something and makes a mistake, you're responsible for granting that access. Configure roles restrictively and adjust as needed — not permissively and restrict later.
Never admin = 1 for service accounts. API tokens and integration accounts should be normal Staff with limited roles — not Super Admin. A compromised token with admin rights is catastrophic.
Test SMTP after every credential change. Incorrect SMTP means the platform sends no emails (invoices, notifications, password resets) — and you won't know immediately. The Test button sends a verification email.
Document every API token created. Use clear names: "Make.com - Leads 2026" not "Token 1". When you need to revoke or replace, you know exactly what's affected.
Backup before any large import. An incorrect 10,000-row import is hard to undo. 5 minutes of backup saves hours of manual cleanup.