Admin web dashboard
Server-rendered Blade pages styled with Tailwind (CDN in dev, baked in prod). Path: /admin/*. Auth: session-based; in dev mode an email + role picker, in production an SSO redirect to sb-iam.
Page-by-page
| Path | Purpose | RBAC |
|---|---|---|
| /admin | Dashboard — total employees, inside-now, late, on-leave, pending approvals, 7-day trend bar, recent activity feed. | admin-attendance |
| /admin/today | One row per active employee with first-IN, last-OUT, status pill (present / inside / absent), late flag. | admin-attendance |
| /admin/late | Employees whose first IN today was after 09:30 IST. | admin-attendance |
| /admin/absent | Active employees with no accepted punch and no approved leave today. | admin-attendance |
| /admin/leaves/pending | Pending leave applications — inline approve / reject with audit trail. | admin-attendance |
| /admin/tours/pending | Same shape for tour / out-of-office requests. | admin-attendance |
| /admin/devices | All bound devices, last-used, status. Operator deactivation lands here. | admin-attendance |
| /admin/holidays | Holidays calendar by year (read-only in dev; write coming). | admin-attendance |
| /admin/employees/{id} | Per-employee monthly calendar grid (green/amber/red), leave balances, recent applications. | admin-attendance |
| /admin/reports | CSV export by date range (≤ 90 days). | admin-attendance + admin-reports |
Login flow (dev vs prod)
```mermaid
flowchart LR
    Hit[GET /admin/anything] --> Auth{authenticated?}
    Auth -- no --> Mode{AUTH_MODE?}
    Mode -- dev --> DevForm["show /admin/login form<br/>email + role picker"]
    Mode -- sso --> Redir["redirect /api/auth/sso/redirect → sb-iam"]
    DevForm -- POST --> Login["create / update User<br/>auto-link employee_id by email<br/>Auth::login + session.regenerate"]
    Login --> Hit
    Redir --> SBIAM[sb-iam Parichay] --> Cb["/api/auth/sso/callback"]
    Cb --> Login
    Auth -- yes --> Rbac{rbac:admin-attendance?}
    Rbac -- no --> R403[403 Forbidden]
    Rbac -- yes --> Render[render Blade view]
```
RBAC roles
Permission registry: backend/config/permissions.php. The middleware rbac:<permission_key> looks up which roles satisfy that permission. Roles come from sb-iam; in dev, they are picked at the login form.
| Permission key | Allowed roles |
|---|---|
| admin-attendance | admin, hr_admin, attendance_admin |
| admin-reports | admin, hr_admin, reports_viewer |
| leave-approver | reporting_officer, appointing_authority, admin |
| can_punch | staff, contract, vendor, member |
| can_apply_leave | staff, contract, member |
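The two tables above can be cross-checked to see which roles actually reach each page. The following is an added example, not code from this project: it copies the registry and a subset of the routes from this page and assumes that "+" in the RBAC column means every listed permission must pass; the dict layout and function names are hypothetical.

```python
# Added example: data copied from the tables on this page; the structure and
# the function names are assumptions, not the project's implementation.
PERMISSIONS = {
    "admin-attendance": {"admin", "hr_admin", "attendance_admin"},
    "admin-reports": {"admin", "hr_admin", "reports_viewer"},
    "leave-approver": {"reporting_officer", "appointing_authority", "admin"},
    "can_punch": {"staff", "contract", "vendor", "member"},
    "can_apply_leave": {"staff", "contract", "member"},
}

# Route -> permission keys that must ALL be satisfied (assumed meaning of "+").
ROUTES = {
    "/admin": ["admin-attendance"],
    "/admin/leaves/pending": ["admin-attendance"],
    "/admin/devices": ["admin-attendance"],
    "/admin/reports": ["admin-attendance", "admin-reports"],
}


def role_allowed(role, required):
    """True only if `role` satisfies every required permission key.

    Fails closed: an empty requirement list or an unknown (mistyped) key
    denies everyone instead of opening the page.
    """
    return bool(required) and all(
        role in PERMISSIONS.get(key, set()) for key in required
    )


def effective_roles(route):
    """Roles that get through every rbac check on `route`."""
    all_roles = set().union(*PERMISSIONS.values())
    return {r for r in all_roles if role_allowed(r, ROUTES[route])}


def unusable_grants():
    """(role, permission) pairs that unlock none of the routes gated by it."""
    findings = []
    for key, roles in PERMISSIONS.items():
        gated = [path for path, req in ROUTES.items() if key in req]
        for role in sorted(roles):
            if gated and not any(role_allowed(role, ROUTES[p]) for p in gated):
                findings.append((role, key))
    return findings


if __name__ == "__main__":
    for path in ROUTES:
        print(path, sorted(effective_roles(path)))
    print("grants that unlock nothing:", unusable_grants())
```

Under that assumption, reports_viewer holds admin-reports but cannot open /admin/reports, and attendance_admin can open every listed page except the CSV export.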
What gets audit-logged
Every state-changing admin action — leave approve/reject, tour approve/reject, CSV export — emits an audit event with via: 'admin_web' in the payload, the actor user_id, and the entity reference. These show up in sds_audit.audit_events alongside API and mobile events for unified forensics.
Production cutover notes
- Tailwind CDN is fine for dev. For prod, run npm install + npm run build with Vite + Tailwind to bake CSS — keeps the page working when the CDN is blocked.
- Set AUTH_MODE=sso in .env and ensure SBIAM_* vars are populated. Dev login form will then redirect to Parichay automatically.
- Operator should populate config/permissions.php email_role map (or rely on sb-iam role claim) so SSO'd users land with the right role.