Admin Preferences User Guide

Overview

The Admin Preferences page provides a comprehensive interface for configuring all platform-wide settings. This guide explains how to access and use each setting category.

Accessing Admin Preferences

Log in as an admin user
Navigate to the Admin Dashboard
Click on the “Preferenze” tab in the navigation

User Interface

Layout

The preferences page is organized into sections:

Header: Page title and description
Action Bar: Save and Reset buttons
Category Sections: Grouped settings by functionality

Saving Changes

Modify any settings you want to change
Click “Salva Modifiche” (Save Changes) button
A success message will appear when changes are saved
All changes are automatically logged in the audit trail

Resetting Changes

Click “Ripristina” (Reset) to discard unsaved changes and reload current values.

Setting Categories

1. Autenticazione e Sicurezza (Authentication & Security)

Imponi 2FA per Amministratori

Type: Checkbox
Default: Enabled
Description: When enabled, all admin users must set up two-factor authentication
Business Value: Enhances security by requiring an additional verification step for admin access

Timeout Sessione (Session Timeout)

Type: Number (minutes)
Range: 5-43200 minutes
Default: 720 minutes (12 hours)
Description: Maximum duration a user session remains active without activity
Business Value: Balances security and user convenience

Lunghezza Minima Password (Password Minimum Length)

Type: Number
Range: 8-128 characters
Default: 12 characters
Description: Minimum number of characters required for passwords
Business Value: Enforces strong password policies for GDPR compliance

Richiedi Caratteri Speciali (Require Special Characters)

Type: Checkbox
Default: Enabled
Description: Passwords must include at least one special character (!@#$%^&*)
Business Value: Increases password complexity and security

Richiedi Numeri (Require Numbers)

Type: Checkbox
Default: Enabled
Description: Passwords must include at least one numeric digit
Business Value: Prevents dictionary attacks

Richiedi Maiuscole (Require Uppercase)

Type: Checkbox
Default: Enabled
Description: Passwords must include at least one uppercase letter
Business Value: Increases password entropy

Type: Number
Range: 3-20 attempts
Default: 5 attempts
Description: Number of failed login attempts before account lockout
Business Value: Prevents brute force attacks

Durata Blocco Account (Account Lockout Duration)

Type: Number (minutes)
Range: 5-1440 minutes
Default: 30 minutes
Description: How long an account remains locked after max failed attempts
Business Value: Balances security with user accessibility

Ritenzione Log Autenticazione (Auth Log Retention)

Type: Number (months)
Range: 1-120 months
Default: 13 months
Description: How long to keep authentication logs
Business Value: GDPR compliance - meets Italian legal requirements (1 year minimum)
Reference: See backend/db/migrations/log_retention_policy.sql

Ritenzione Log Amministratore (Admin Log Retention)

Type: Number (months)
Range: 1-120 months
Default: 25 months
Description: How long to keep admin action logs
Business Value: GDPR compliance - maintains audit trail (2 year minimum for compliance)

Abilita Logging di Audit (Enable Audit Logging)

Type: Checkbox
Default: Enabled
Description: Record all admin actions for compliance
Business Value: Required for GDPR compliance and traceability

Abilita Pseudonimizzazione (Enable Pseudonymization)

Type: Checkbox
Default: Disabled
Description: Apply pseudonymization to personal data in logs
Business Value: Enhanced GDPR compliance for data privacy

3. Configurazione Ambiente (Environment Configuration)

Ambiente (Environment)

Type: Dropdown
Options: Sviluppo, Staging, Produzione
Default: Produzione
Description: Current runtime environment
Business Value: Environment isolation - prevents cross-environment data leakage
Note: Should match the actual deployment environment

4. Email e Notifiche (Email & Notifications)

Email Mittente (From Email)

Type: Email
Default: noreply@conformo.ai
Description: Sender address for all platform emails
Business Value: Brand consistency and email deliverability

Domini Fidati (Trusted Domains)

Type: Textarea (one per line)
Default: Empty
Description: Allowlist of trusted email domains
Business Value: Security - restricts email-based operations to known domains
Example:
```
conformo.ai
example.com
company.it
```

5. Funzionalità (Feature Flags)

All feature flags control what features are visible/enabled on the platform.

Mostra Landing Page

Default: Enabled
Business Value: Control public-facing landing page visibility

Raccogli Email

Default: Enabled
Business Value: Enable/disable email collection on landing page

Mostra Prezzi

Default: Enabled
Business Value: Control pricing page visibility

Registrazione Utenti

Default: Enabled
Business Value: Enable/disable new user registrations

Default: Disabled (production)
Business Value: Enable GDPR questionnaire feature

Risk Scoring

Default: Disabled (production)
Business Value: Enable risk assessment functionality

Abbonamenti (Subscriptions)

Default: Disabled (production)
Business Value: Enable subscription management system

6. Localizzazione e Timezone (Localization & Timezone)

Locale Predefinita (Default Locale)

Type: Dropdown
Options: Italiano (Italia), Inglese (US), Inglese (UK)
Default: it-IT
Description: Default language/region for the platform
Business Value: Localization for Italian SMEs

Timezone Predefinito (Default Timezone)

Type: Text
Default: Europe/Rome
Description: Default timezone for all timestamps (IANA timezone)
Business Value: Ensures all times display in CET for Italian users
Format: Use IANA timezone database names (e.g., Europe/Rome, America/New_York)

Formato Timestamp (Timestamp Format)

Type: Text
Default: dd/MM/yyyy HH:mm
Description: Display format for dates and times
Business Value: Italian date format convention (day/month/year)

7. Export e Reporting (Export/Reporting)

Righe Massime Export (Max Export Rows)

Type: Number
Range: 100-1,000,000 rows
Default: 10,000 rows
Description: Maximum number of rows in a single export
Business Value: Performance - prevents large exports from overwhelming the system

Prefisso Nome File Export (Export Filename Prefix)

Type: Text
Default: conformo_export
Description: Prefix for exported filenames
Business Value: Consistent file naming for organization

Abilita Export CSV

Default: Enabled
Business Value: Allow administrators to export data in CSV format

Abilita Export PDF

Default: Disabled
Business Value: Allow administrators to export reports in PDF format

Abilita Diritto alla Cancellazione (Right to Erasure)

Default: Enabled
Description: Allow users to request data deletion
Business Value: GDPR Article 17 compliance - right to be forgotten

Applica Politica di Ritenzione (Retention Enforcement)

Default: Enabled
Description: Automatically enforce data retention policies
Business Value: GDPR compliance - automatic data lifecycle management

Pulizia Automatica Abilitata (Auto Cleanup)

Default: Enabled
Description: Automatically delete logs older than retention period
Business Value: GDPR compliance - prevents indefinite data retention
Note: Requires scheduled task (cron job) to be configured

Giorno Pulizia Programmata (Cleanup Schedule Day)

Type: Number
Range: 0-6 (0=Domenica, 6=Sabato)
Default: 0 (Sunday)
Description: Day of week for automatic cleanup
Business Value: Schedules maintenance during low-traffic periods

Ora Pulizia Programmata (Cleanup Schedule Hour)

Type: Number
Range: 0-23
Default: 2 (2 AM)
Description: Hour of day for automatic cleanup (24-hour format)
Business Value: Runs during off-peak hours

9. Impostazioni Avanzate (Advanced/Operational)

Abilita Rate Limiting

Default: Enabled
Description: Limit number of API requests per time window
Business Value: Security - prevents abuse and DoS attacks

Finestra Rate Limiting (Rate Limit Window)

Type: Number (minutes)
Range: 1-60 minutes
Default: 15 minutes
Description: Time window for rate limiting
Business Value: Balances security and legitimate usage

Richieste Massime (Max Requests)

Type: Number
Range: 10-10,000 requests
Default: 100 requests
Description: Maximum requests allowed in the time window
Business Value: Prevents system overload

Abilita Integrazioni Webhook

Default: Disabled
Description: Enable webhook notifications
Business Value: Integration with external systems

URL Webhook

Type: Textarea (one per line)
Default: Empty
Description: Webhook endpoint URLs
Business Value: Send notifications to external services

Example:

https://webhook1.example.com/conformo
https://webhook2.example.com/events

Common Tasks

Setting Up for Production

Environment: Set to “Produzione”
2FA Enforcement: Enable for all admins
Session Timeout: Set to 720 minutes (12 hours)
Password Policy: Keep defaults (min 12 chars, special chars, numbers, uppercase)
Log Retention: 13 months (auth), 25 months (admin)
Rate Limiting: Enable with defaults
Feature Flags: Enable only production-ready features

Audit Logging: Must be enabled
Log Retention:
- Auth logs: 13 months minimum
- Admin logs: 25 months minimum
Right to Erasure: Enable
Retention Enforcement: Enable
Auto Cleanup: Enable
Cleanup Schedule: Sunday at 2 AM (default)
Pseudonymization: Consider enabling for enhanced privacy

Localization for Italian Users

Default Locale: it-IT
Timezone: Europe/Rome
Timestamp Format: dd/MM/yyyy HH:mm
From Email: Use Italian domain if possible

Security Hardening

2FA Enforcement: Enable
Password Min Length: 14+ characters recommended
Max Login Attempts: 5 or less
Account Lockout: 30 minutes minimum
Session Timeout: 720 minutes or less
Rate Limiting: Enable
Trusted Domains: Configure allowlist

Audit Trail

All preference changes are logged with:

Admin user who made the change
Timestamp of change
IP address
Which fields were modified
Previous and new values (in metadata)

To view audit logs:

Navigate to “Log di Audit” tab
Filter by action_type: SETTINGS_CHANGE
Filter by resource_type: admin_preferences

Validation and Error Handling

The system validates all inputs:

Range checks: Numeric values must be within allowed ranges
Format checks: Emails must be valid format
Required values: Some fields cannot be empty
Enum validation: Dropdowns must select valid options

If validation fails, you’ll see an error message in Italian explaining the issue.

Best Practices

Test Changes: Test preference changes in staging before production
Document Custom Values: Keep notes on why non-default values were chosen
Regular Review: Periodically review preferences for optimization
Backup Before Changes: Export preferences before major changes
Monitor Impact: Watch logs and metrics after preference changes
Security First: Prioritize security settings over convenience
Compliance: Ensure GDPR settings meet legal requirements

Troubleshooting

Changes Not Saving

Check for validation errors (red error message)
Ensure you have admin role
Check browser console for errors
Verify network connection

Settings Not Taking Effect

Some settings require application restart
Feature flags may be overridden in code
Check audit logs to confirm change was saved
Clear browser cache and reload

Unexpected Behavior

Review audit logs for recent changes
Compare with default values
Reset to defaults and reapply changes one by one
Contact support if issue persists

Security Considerations

Access Control: Only admins can view/modify preferences
Audit Trail: All changes are logged and cannot be deleted
Validation: All inputs are validated server-side
Rate Limiting: Preferences API is rate-limited
HTTPS Required: Always access over HTTPS in production

API Integration

Developers can integrate with the preferences API:

// Get current preferences
const prefs = await getAdminPreferences(accessToken);

// Update specific preferences
await updateAdminPreferences(accessToken, {
  password_min_length: 14,
  admin_2fa_enforcement: true
});

See ADMIN_PREFERENCES_API.md for full API documentation.

Support

For issues or questions:

GitHub Issues: https://github.com/GrewingM/conformo/issues
Admin Dashboard Guide: ADMIN_DASHBOARD.md
API Documentation: ADMIN_PREFERENCES_API.md