# Administrator Guide

**Last reviewed:** 8 July 2026

Administrators should manage users, roles, MFA enforcement, business support, filing visibility and audit review using least-privilege principles.

## Operating principles

- Preserve tenant isolation and user authentication.
- Keep claims truthful and aligned with implemented features.
- Protect secrets and high-sensitivity financial records.
- Review changes before production deployment.

## Verification checklist

- Authentication and admin routes remain protected.
- Private app routes are not indexed.
- No secrets are exposed in logs, client code or documentation.
- HMRC and filing functionality is described by actual release status.
