1.5 First platform admin

Outcome

You have a real security.platform_user row with PLATFORM_ADMIN role and you can sign in to admin.rcm.medsuite.com.

Prerequisites

Why bootstrap is special

The Admin UI requires a logged-in platform admin to create other platform admins. The very first admin therefore can't be created through the UI — it must be inserted directly via a one-time bootstrap script.

Steps

  1. Run the bootstrap script

    export MASTER_DATABASE_URL="postgresql://rcm_master_admin:<password>@pg-rcm-master-prod.postgres.database.azure.com:5432/rcm_master?sslmode=require"

    pnpm tsx scripts/bootstrap-platform-admin.ts \
    --email you@medsuite.com \
    --full-name "Your Full Name"

    The script:

    1. Generates a 24-byte random password (printed once to stdout — capture it).
    2. Inserts a row into security.platform_user with bcrypt-hashed password and auth_source = 'PASSWORD'.
    3. Inserts a security.platform_role_assignment row binding the user to the PLATFORM_ADMIN role.
    4. Writes a BOOTSTRAP_PLATFORM_USER_CREATED audit row to identity.tenant_audit.
  2. Sign in to the Admin UI

    Open https://admin.rcm.medsuite.com and sign in with the email and printed password.

    You'll be required to change the password on first sign-in.

  3. Verify the audit trail

    SELECT event_type, ts, details
    FROM identity.tenant_audit
    WHERE event_type IN ('BOOTSTRAP_PLATFORM_USER_CREATED', 'PLATFORM_LOGIN_SUCCESS')
    ORDER BY ts DESC LIMIT 5;

    You should see the bootstrap row, the password-change event, and your login.

  4. Optionally: provision additional platform admins via the UI

    Admin → Platform Users → Add user. For internal team members, follow the same flow.
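The following TypeScript is an added illustration of what step 1 does and of the ordering check behind step 3; it is not the project's scripts/bootstrap-platform-admin.ts. The table names, auth_source = 'PASSWORD', the PLATFORM_ADMIN role code, the BOOTSTRAP_PLATFORM_USER_CREATED event type and the --reset-password flag are taken from this page; the column names (id, full_name, password_hash, platform_user_id, role_code), the argument parser and the scrypt stand-in for bcrypt are assumptions made so the example runs with no external dependency. The plan it returns keeps the plaintext password out of every statement and parameter, which is the property a reviewer of the real script should confirm.

```typescript
// Added example, not the project's bootstrap-platform-admin.ts. Table names,
// auth_source, role code, audit event type and --reset-password come from the
// runbook; column names and the scrypt stand-in for bcrypt are assumptions.
import { randomBytes, scryptSync } from "node:crypto";

export interface BootstrapArgs {
  email: string;
  fullName: string;
  resetPassword: boolean; // --reset-password: re-issue the first admin's password
}

export interface Statement {
  sql: string;
  params: string[]; // always bound as parameters, never interpolated into SQL
}

// Parses `--email x --full-name "y" [--reset-password]` (argv without node/script).
export function parseArgs(argv: string[]): BootstrapArgs {
  const out: Partial<BootstrapArgs> = { resetPassword: false };
  for (let i = 0; i < argv.length; i++) {
    switch (argv[i]) {
      case "--email": out.email = argv[++i]; break;
      case "--full-name": out.fullName = argv[++i]; break;
      case "--reset-password": out.resetPassword = true; break;
      default: throw new Error(`unknown argument: ${argv[i]}`);
    }
  }
  if (!out.email || !out.fullName) throw new Error("--email and --full-name are required");
  return out as BootstrapArgs;
}

// 24 random bytes, base64url-encoded: 32 characters, no padding, safe to paste.
export function generatePassword(): string {
  return randomBytes(24).toString("base64url");
}

// Stand-in for bcrypt (assumption: the real script uses the bcrypt package).
// Salted scrypt is used here only so the example has no external dependency.
export function hashPasswordStandIn(plain: string): string {
  const salt = randomBytes(16).toString("hex");
  return `scrypt$${salt}$${scryptSync(plain, salt, 32).toString("hex")}`;
}

// Builds the writes the runbook lists (user row, role assignment, audit row), or a
// single password reset plus audit row when --reset-password is given. The real
// script prints `password` once to stdout; it is never stored or logged.
export function buildBootstrapPlan(
  args: BootstrapArgs,
  hash: (plain: string) => string = hashPasswordStandIn,
): { password: string; statements: Statement[] } {
  const password = generatePassword();
  const passwordHash = hash(password);
  const statements: Statement[] = []; // run inside one transaction
  if (args.resetPassword) {
    statements.push({
      sql: "UPDATE security.platform_user SET password_hash = $1 WHERE email = $2",
      params: [passwordHash, args.email],
    });
  } else {
    statements.push({
      sql: "INSERT INTO security.platform_user (email, full_name, password_hash, auth_source) " +
           "VALUES ($1, $2, $3, 'PASSWORD')",
      params: [args.email, args.fullName, passwordHash],
    });
    statements.push({
      sql: "INSERT INTO security.platform_role_assignment (platform_user_id, role_code) " +
           "SELECT id, 'PLATFORM_ADMIN' FROM security.platform_user WHERE email = $1",
      params: [args.email],
    });
  }
  statements.push({
    sql: "INSERT INTO identity.tenant_audit (event_type, ts, details) " +
         "VALUES ('BOOTSTRAP_PLATFORM_USER_CREATED', now(), $1::jsonb)",
    params: [JSON.stringify({ email: args.email, reset: args.resetPassword })],
  });
  return { password, statements };
}

// Validation helper for step 3: in the rows returned by the runbook's audit query,
// the bootstrap event must precede the first successful platform login.
export interface AuditRow { event_type: string; ts: string; }

export function bootstrapPrecedesLogin(rows: AuditRow[]): boolean {
  const ordered = [...rows].sort((a, b) => a.ts.localeCompare(b.ts)); // ISO timestamps
  const created = ordered.findIndex((r) => r.event_type === "BOOTSTRAP_PLATFORM_USER_CREATED");
  const login = ordered.findIndex((r) => r.event_type === "PLATFORM_LOGIN_SUCCESS");
  return created !== -1 && login !== -1 && created < login;
}
```

The hash function is injected so the same plan builder can be exercised offline and then wired to bcrypt in the real script; the audit row is part of the same plan so that a failed transaction leaves neither a user without an audit record nor an audit record without a user.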

Security notes

  • The bootstrap script must be run from a workstation that has temporary access to the master DB (firewall rule from 1.2 Infrastructure step 6).
  • After the first admin is created, disable the firewall rule so master DB is only reachable from the deployed services.
  • The bootstrap-generated password is shown only once — paste it into a password manager or send to the user via your org's secure channel.

Validation

| Check | Expected |
|---|---|
| security.platform_user count | 1 row |
| security.platform_role_assignment for that user | 1 row, code = 'PLATFORM_ADMIN' |
| Login at admin.rcm.medsuite.com | succeeds, lands on tenant picker (will be empty) |
| Audit | BOOTSTRAP_PLATFORM_USER_CREATED followed by PLATFORM_LOGIN_SUCCESS |

Troubleshooting

| Symptom | Likely cause | Fix |
|---|---|---|
| Bootstrap script: "duplicate key value violates unique constraint" on email | Already ran once | If the password was lost, run with the --reset-password flag (the script supports this for the first admin only). |
| Login returns 401 "Invalid credentials" | Typo or wrong email | Verify with SELECT email FROM security.platform_user; |
| Login succeeds but tenant picker is empty | Expected: no tenants yet | Continue to Phase 2. |

Next

1.6 — DNS and TLS