# SaaS Dashboard Architecture

How Xessone separates superadmin, member center, SaaS dashboards, SSO, and tenant security.

## Core Principle
SaaS users should stay inside each product dashboard. OpenWA users use the OpenWA dashboard, Bidtara users use the Bidtara dashboard, and SyncCAD users use the SyncCAD dashboard. Xessone centralizes identity, membership, billing, and internal superadmin operations.
| Layer | Purpose |
|---|---|
| xessone.com | Public website for brand, SaaS ecosystem, product details, and contact |
| portal.xessone.com | Internal Xessone superadmin for all clients, products, billing, finance, costs, roadmap, support, and audit |
| app.xessone.com | Member/client center for organization, subscription, invoice, team, and product access |
| app.xessone.com/openwa | Client dashboard for OpenWA |
| app.xessone.com/bidtara | Client dashboard for Bidtara |
| openwa.id / bidtara.com | Public product website, landing, docs, and login redirect; no internal superadmin |
## Recommended Roles
| Role | Where | Scope |
|---|---|---|
| Xessone Super Admin | portal.xessone.com | Access to all products, clients, billing, finance, permissions, and audit logs |
| Product Operator | portal.xessone.com | Internal team scoped to a specific product, such as OpenWA only |
| Client Owner | app.xessone.com | Organization owner: subscription, invoice, team invites, and product access |
| Client Product Admin | app.xessone.com/{product} | Product admin for their own organization |
| Member / Viewer | app.xessone.com/{product} | Client team user with limited permission |
## Staying Safe Across Different VPS Hosts

- A central SSO / identity service owns users, organizations, product access, and roles.
- Every product record must carry a tenant key: tenant_id, organization_id, or workspace_id.
- Cross-VPS API calls should use signed tokens, service tokens, IP allowlists, and rate limits.
- Product databases can be separate: openwa_db, bidtara_db, synccad_db, identity_db, portal_db.
- Internal superadmin must never be mixed into client dashboards.
- Client support impersonation should require an audit log entry and a recorded reason.
## Conclusion

Keep one superadmin in portal.xessone.com. SaaS users stay in their product dashboards. Running products on different VPS hosts is safe when identity, tenant isolation, service tokens, and audit logs are designed correctly.