Superadmin

The global, read-only operator role.

A superadmin is a person who operates the platform itself — usually one or two people at the company that owns NShop. The role is:

  • Global — sees all tenants.
  • Read-mostly — can create tenants and inspect data, but cannot edit catalogs or change order statuses on a tenant's behalf.
  • Always logged. Auditable server-only collections track changes made to team membership and tenant settings.

What superadmins do

  • Onboard a new tenant: create the /tenants/{slug} doc, hand off admin access to the customer.
  • Help debug a tenant's issue: view their orders, products, and settings without needing access to their admin account.
  • Watch platform-wide metrics: total tenants, total orders, total revenue (sum across tenants).

How superadmin is granted

Same as tenant admin — via the seed script (--superadmin <UID>) or by another superadmin running an internal tool that writes the claim through the Admin SDK. There is no client-facing UI to grant superadmin.

Why not just give superadmins write access?

Two reasons:

  1. Accountability. A tenant admin is the only person who edits their tenant's data; if something goes wrong, the audit trail points at one person.
  2. Blast radius. A bug in the superadmin UI could theoretically affect every tenant at once. Keeping superadmin read-only contains the impact of any mistake.

When a superadmin genuinely needs to write — onboarding a new tenant, running a manual data migration — they use scripts with explicit confirmation, not a UI.
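As an added example (not NShop's own code), here is one way the internal grant tool from "How superadmin is granted" and the explicit-confirmation rule above could fit together in Node.js. The claim key `superadmin`, the `auditLog` collection and the helper names are assumptions; `auth` and `db` stand for the Admin SDK's Auth and Firestore objects, replaced here by constructed in-memory stand-ins so the block runs offline.

```javascript
// Added example: confirmation-gated superadmin grant. `auth` and `db` are
// passed in so the same function works with the real Admin SDK objects
// (getAuth(), getFirestore()) or with the in-memory stand-ins below.
// Assumptions: claim key `superadmin`, collection name `auditLog`.
async function grantSuperadmin({ auth, db, actorUid, targetUid, confirm }) {
  // Explicit confirmation: the operator must retype the exact target UID.
  if (confirm !== targetUid) throw new Error('confirmation does not match target UID');

  // Only an existing superadmin may grant the role.
  const actor = await auth.getUser(actorUid);
  if (!(actor.customClaims && actor.customClaims.superadmin === true)) {
    throw new Error('actor is not a superadmin');
  }

  // setCustomUserClaims replaces the whole claims object, so merge first
  // or the target silently loses any tenant-admin claims they already hold.
  const target = await auth.getUser(targetUid);
  const claims = { ...(target.customClaims || {}), superadmin: true };
  await auth.setCustomUserClaims(targetUid, claims);

  // Record who granted what in a server-only collection.
  await db.collection('auditLog').add({
    action: 'grant_superadmin', actorUid, targetUid, at: new Date().toISOString(),
  });
  return claims;
}

// Constructed in-memory stand-ins exposing only the Admin SDK methods used above.
function makeFakes(users) {
  const log = [];
  const auth = {
    async getUser(uid) {
      if (!(uid in users)) throw new Error('no such user: ' + uid);
      return { uid, customClaims: users[uid] };
    },
    async setCustomUserClaims(uid, claims) { users[uid] = claims; },
  };
  const db = { collection: (name) => ({ async add(doc) { log.push({ name, ...doc }); } }) };
  return { auth, db, log, users };
}
```

The first superadmin still has to come from the seed script, since this function refuses to run unless the actor already holds the claim.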
