Platform Operators
The control plane at platform.veonahealth.com is where Veona staff run the business of the product: provisioning customer organisations, granting the modules they’ve bought, issuing and monitoring licences, billing, migrating legacy data, and managing the fleet of deployments.
It is entirely separate from the clinical app that hospitals use. Operators sign in with email and password plus a second factor; access is governed by your platform role.
The six operator roles
Section titled “The six operator roles”Access is capability-based and deny-by-default — read and write are distinct, so a read-only role can open a screen but is blocked on changes. The roles are defined in apps/platform-api/src/auth/rbac.ts.
| Role | What it does | Cannot do |
|---|---|---|
| super_admin | Everything — the root role. Holds every capability, including revealing secrets and managing signing keys. | (no restriction) |
| onboarding | White-glove tenant provisioning: create organisations/tenants, run onboarding, edit the registry and entitlements, issue licences, manage tenant admins, run migrations. Reads billing. | Edit billing, reveal secrets, manage signing keys, edit migration templates/credentials |
| billing | Commercial operations: invoices, charges, dunning, refunds and credit notes (approve). | Provisioning, licensing, config, secrets |
| support | Operator support: edit config and API keys, grant entitlements, issue/revoke licences, manage maintenance windows. | Billing writes, secrets, signing keys, releases, migrations |
| migration_engineer | The data-migration tool: run dry-run/commit/reconcile/rollback, edit mapping templates, manage sealed legacy-source credentials. Reads clients to pick a target. | Billing, licensing, secrets, onboarding |
| release_manager | CI/CD: manage releases, maintenance windows and feature flags. | Billing, licensing, provisioning, secrets |
Secrets reveal and signing key management are always super_admin only, at every layer.
Operator guides
Section titled “Operator guides”- Onboarding a tenant — provision an organisation, facility and tenant; assign an edition; project entitlements.
- Licensing — issue, activate, heartbeat and revoke licences; on-prem grace and lockdown.
- Billing operations — subscriptions, invoices, dunning, suspension (Paystack).
- Entitlements and editions — grant and adjust module entitlements.
- Migration — the data-migration tool for legacy sources.
- Fleet and releases — fleet/heartbeat monitoring, maintenance windows, feature flags.