Help Guide

SharePoint Manager — Help Documentation

This document covers every page across all three web applications that make up the SharePoint Manager system. Use the table of contents below to jump to the relevant section.

System Overview
Admin Portal (port 5000)
Public Content Site (port 8080)
- Landing Page
- Browse
- Search
- Content Detail
- Pages List
- CMS Page
- Login
- Email Gate
Sales Portal (port 8081)

System Overview

Role reference: Throughout this guide, access requirements are shown in Access callouts like this one. For the Admin Portal, all access is controlled by Entra app roles assigned in Azure. For the Sales Portal, roles are assigned per-user within the portal itself.

The SharePoint Manager consists of three separate web applications sharing a single codebase and database:

| App | URL (production) | Dev port | Who uses it | |-----|-----------------|----------|-------------| | Admin Portal | idx-spmanager.intellidocxgroup.com | :5000 | IT administrators managing SharePoint permissions | | Public Content Site | idx-content.intellidocxgroup.com | :8080 | External users browsing published documents | | Sales Portal | idx-salesportal.intellidocxgroup.com | :8081 | Sales team managing curated content collections |

Authentication model:

Admin Portal: Entra SSO via oauth2-proxy (Microsoft organizational login). No separate login page — users are redirected to Microsoft automatically.
Public Content Site: Optional email/password login. Some content is available anonymously; restricted content requires login. Tradeshow landing pages use an email-capture gate instead.
Sales Portal: Email/password login with a self-service registration workflow and admin approval step.

Access control: Both the public site and sales portal use an "access tag" system — content items and CMS pages can be tagged to restrict visibility to specific user groups. Untagged items are visible to all authenticated users (or to anonymous users on the public site, depending on site configuration).

Admin Portal

Access: Requires a valid organizational Microsoft account with the SharePoint.User or Admin Entra app role. Login is handled automatically by oauth2-proxy (Microsoft SSO) — no separate portal login page exists. All pages in this section require this level of access.

The Admin Portal runs behind Entra SSO. You must have a valid organizational account with the SharePoint.User or Admin Entra app role to access it. The sidebar on the left provides navigation between all sections.

Dashboard

URL: /

The dashboard is the first page you see after logging in. It gives you a quick summary of the current SharePoint environment and provides shortcuts to common tasks.

What you'll see:

Stats cards — pulled live from SharePoint and cached for a few minutes:
- Total SharePoint groups
- Total document libraries
- Number of uniquely-permissioned items (broken inheritance count)
Quick links — shortcuts to the most common admin tasks (audit, fix, sync content)
Server status indicator — shown in the sidebar; indicates whether the public content site and sales portal processes are running

Key actions:

Click any stat card to navigate directly to the relevant audit page
Use Clear Cache (in the sidebar or via the server status area) to force-refresh all cached SharePoint data. The cache has a 2–5 minute TTL; use this when you've just made changes in SharePoint and need to see the updated state immediately.

Tips:

The stats cards make a live API call to SharePoint when the page loads. If you see a spinner, it's fetching data. If you see an error, the SharePoint token may have expired — re-authenticate via the CLI (uv run sp-manager auth login).
The server status indicator polls automatically. A red indicator means one of the public apps is not responding on its port.

Groups Management

URL: /groups

Manage SharePoint groups directly — create new groups, browse existing groups, and add or remove members.

What you'll see:

A searchable list of all SharePoint groups in the site, with their description and member count
An Add Member button on each group row to add a user directly
A View Members button to expand and show the group's current membership

Key actions:

Create Group: Fill in the group name and optional description in the form at the top, then click Create. The group is created immediately in SharePoint.
View Members: Click the expand button on any group row to load a live list of current members. Members are fetched directly from SharePoint.
Add Member: Click the Add Member button on a group row, enter the user's email address or display name, and confirm. The user will be added to the SharePoint group immediately.
Remove Member: In the expanded member list, click the remove (×) button next to a member. You'll be asked to confirm before the change is made.

Tips:

Group changes take effect in SharePoint immediately but may take a few minutes to propagate to dependent systems (e.g., access tags, effective access calculations).
If you need to audit group membership across all groups at once, use the Audit → Groups page instead.

User Lookup

URL: /users

Search for any user by email address or display name and view their SharePoint profile and group memberships.

What you'll see:

A search bar. Results appear below as you type (after a short debounce). Each result shows:

Display name and email
User type (Internal / Guest / System)
Entra guest flag (if the user is a B2B guest)
The SharePoint groups they belong to

Key actions:

Type at least 3 characters in the search box to trigger a live search against the Graph API user cache.
Click on a user result to see full details and group membership.
From the user detail popover, you can use the Fix shortcut to jump directly to the Remove Role or Remove From Group fix pages pre-populated with this user.

Tips:

Results are cached for 5 minutes per email/UPN. If you've just invited or removed a user and they don't appear or disappear immediately, wait a few minutes or use the global Clear Cache button.
The search searches both the Microsoft Graph (organizational users) and SharePoint's internal user list. External/guest users who were never added to SharePoint may not appear.

Library Detail

URL: /libraries/<library_id>

View detailed information about a single SharePoint document library, including its permission assignments, items with broken inheritance, content types, and sharing links.

Concept — Broken Inheritance By default, items in a SharePoint library inherit permissions from the library itself. When someone shares an individual file or folder directly (e.g., shares a document link with a specific person), SharePoint "breaks" the item's inheritance and gives it its own unique permission set. Once broken, changes to the library's permissions no longer flow down to that item. High counts of broken-inheritance items indicate permission sprawl — many one-off overrides that are hard to audit and control. Resetting inheritance reverts the item back to the library default, removing any unique permissions it had.

What you'll see:

The page is organized into tabs:

Permissions — all role assignments on the library itself (who has what level of access)
Broken Inheritance — items within the library that have unique permissions (broken from the library default)
Content Types — the content types configured on this library
Sharing Links — any active sharing links on items in this library

Key actions:

Permissions tab: View the full list of principals (users, groups, Entra groups) and their assigned roles on this library. Useful for verifying that the library has the correct access configuration before or after remediation.
Broken Inheritance tab: Shows each item that has unique permissions rather than inheriting from the library. A high count here indicates permission sprawl. You can:
- Reset inheritance on individual items using the Reset button next to each row
- Select multiple items using checkboxes and reset them in bulk with Reset Selected
- Each item row shows who it's uniquely shared with (the distinct principals)
Content Types tab: Lists the content types enabled on this library. Informational only.
Sharing Links tab: Lists all active sharing links (anonymous, organization, specific people) on items in this library. Shows the link type, expiration date (if set), and the resource it's shared from. Use this to identify stale or overly-permissive links.

Tips:

Resetting inheritance on an item reverts it to inheriting from the library. This removes any unique permissions the item had. Always confirm this is intended before proceeding.
For a full cross-library audit of sharing links, use the dedicated Audit → Sharing Links page.

Audit — Groups

URL: /audit/groups

Audit all SharePoint groups: see every group's members, their user types, and whether each member is internal, affiliated, or external.

Concept — SharePoint Groups vs Entra Groups SharePoint groups are created and managed within a SharePoint site (e.g., "Visitors", "Members", "Owners" plus any custom groups you've made). They control who can access SharePoint libraries.
Entra (Azure AD) groups are tenant-wide directory groups — they can be added to a SharePoint group to grant access based on Entra membership. This page audits SharePoint groups and their members, which may include individual users, SharePoint groups nested inside other groups, or Entra security groups.

What you'll see:

A table of all SharePoint groups with:

Group name and description
Total member count
Member breakdown by type (internal / affiliated / external / guest)
An expand button to see individual members

Expand any group row to see:

Each member's display name, email, and user type
Whether the member is an Entra guest (B2B)
Last login date (if available from Graph)

Key actions:

Expand group: Click the expand button on any row to load the member list for that group. Members are fetched live from SharePoint.
Filter by type: Use the filter options at the top to show only groups that contain external or guest members.
Export: The table can be printed or selected and pasted into Excel for offline review.

Tips:

Use this page before offboarding a contractor or vendor to find all the groups they belong to. Then use Fix → Remove From Group (accessible from the User Lookup page) to remove them.
"Affiliated" users are those with email domains listed in the KNOWN_DOMAINS environment variable. They are treated as trusted external partners but still tracked separately from internal users.

Audit — Libraries

URL: /audit/libraries

The most comprehensive audit view: shows all document libraries with their full permission assignments in a matrix format, including detection of inconsistencies.

Concept — Permission Matrix & Inconsistency Detection SharePoint permission assignments are not always tidy: a user might have access to the same library through both a direct assignment and through a group they belong to, resulting in redundant or conflicting access levels. This audit fetches every library's full permission set from SharePoint and builds a matrix — one row per library, one column per principal — so you can see at a glance who has what. Cells highlighted in amber or red indicate a detected inconsistency, such as redundant assignments, unexpected principals, or access levels that don't match the expected baseline.

Concept — Live SSE Stream Because this audit contacts SharePoint for every library in sequence, it can take 30–90 seconds. The progress is delivered via a Server-Sent Events (SSE) stream — the browser receives updates in real time as each library is processed. If your network is unstable or the browser tab is throttled (background tab on some browsers), the stream may stall. Simply reload the page to restart.

What you'll see:

This audit takes longer to complete because it fetches live data from SharePoint for every library. A progress stream is shown while data loads.

Once loaded, you'll see:

Each library as a row
Each principal (user or group) as a column
The permission level at each intersection (e.g., Full Control, Contribute, Read)
Libraries with inconsistencies highlighted (e.g., a user has access via both a group and a direct assignment, or a library has an unexpected principal)

Key actions:

Inconsistency badges: Click on a highlighted library to see the specific inconsistency — for example, "User X has direct assignment AND group membership giving them redundant access."
Fix shortcuts: Inconsistency descriptions include links to the relevant Fix page pre-populated for remediation.
Filter view: Use the column filter to narrow the matrix to specific principals or libraries.

Tips:

This page is resource-intensive. Use it for periodic audits, not for quick checks. For a single library's permissions, use the Library Detail page instead.
A Server-Sent Events (SSE) stream powers the progress display. If the browser tab goes to sleep or the network times out, the stream may stop. Refresh the page and try again.

Audit — Guests

URL: /audit/guests

Audit all guest users (B2B external users) in the SharePoint tenant, with stale access detection.

What you'll see:

A table of every Entra guest user who has SharePoint access, showing:

Display name and email
Invitation status (accepted / pending)
Last sign-in date (from Graph, if available)
A "Stale" indicator for guests who have not signed in within 90 days or whose invitation has never been accepted
The SharePoint groups each guest belongs to

Key actions:

Filter stale guests: Click the Stale Only toggle to narrow to guests who are likely no longer active.
Remove guest: Use the Remove button next to any guest to navigate to the Fix page pre-filled to remove them from their groups.
Sort by last sign-in: Click the column header to sort guests by activity, making it easy to identify the most dormant accounts.

Tips:

"Last sign-in" data comes from the Microsoft Graph and requires the service account to have sufficient Graph permissions. If the column shows "Unknown," the permission is missing.
Removing a guest from all SharePoint groups does not delete their Entra guest account. Contact an Entra administrator to fully remove a guest from the tenant.

Audit — Identity Map

URL: /audit/identities

Cross-reference every SharePoint identity (user, group, security principal) against the Microsoft Graph to identify orphaned identities, name mismatches, and accounts that exist in SharePoint but not in Entra.

What you'll see:

A filterable table of all identities found in SharePoint, enriched with Graph data:

SharePoint display name vs. Graph display name (highlights mismatches)
Account type (user / group / unknown)
Whether the account is found in Graph (orphaned flag)
The email and login name as known to SharePoint
User classification: internal / affiliated / external / system

Key actions:

Filter orphaned: Toggle to show only identities not found in Graph. These are accounts that have been deleted from Entra but still have SharePoint permissions. They should be removed.
Filter by type: Show only guests, external users, or system accounts.
Sort: Click any column header to sort the table.

Tips:

Orphaned identities are common after employee offboarding if the SharePoint permissions weren't cleaned up at the same time. Use the Fix pages to remove them.
System accounts (crawl accounts, app service accounts) are expected to appear here. They are classified as "system" and should be ignored.

Audit — Effective Access

URL: /audit/effective-access

Calculate exactly what level of access a specific user has to a specific library or item, accounting for all group memberships and direct assignments.

What you'll see:

A two-step form:

Select a user (search by email or name)
Select a library (populated from the known libraries)

After submitting, you see the computed effective access result:

The highest permission level the user has on that library
The source(s) of that permission (direct assignment, group membership, or both)
Any item-level overrides (unique permissions on specific files)

Key actions:

Use the search fields to find the user and library you want to check.
Click Calculate to run the effective access computation. Results appear below the form.
If the user has access from multiple sources (e.g., both a group and a direct assignment), all sources are listed.

Tips:

This is the fastest way to answer "Does user X have access to library Y and why?" without digging through the full libraries audit matrix.
If the result shows "No Access," double-check that the user exists in SharePoint (use User Lookup first) — SharePoint may not know about users who have never been added to any group or library.

URL: /audit/sharing-links

Audit all sharing links across all document libraries in the SharePoint site.

What you'll see:

Like the libraries audit, this page streams results as they are fetched. Once complete, a table shows:

The shared item (file or folder name and library)
Link type: Anonymous (anyone with the link), Organization (org-wide), Specific People
Expiration date (blank if the link never expires)
Who created the link and when
A direct link to the shared item in SharePoint

Key actions:

Filter by type: Filter to anonymous or organization-wide links to find the highest-risk sharing.
Filter expired: Show links that have passed their expiration date (these may still be active if SharePoint hasn't cleaned them up).
Open in SharePoint: Click the link icon to navigate directly to the shared item in SharePoint, where you can manually revoke the link.

Tips:

Anonymous links (type: "Anyone with the link") are the highest security risk and should be reviewed most closely.
There is no bulk-revoke feature in this tool — revocation must be done in SharePoint directly. This is intentional to prevent accidental mass-revocation.

Fix — Apply Role

URL: /fix/apply-role

Add a SharePoint permission role (e.g., Contribute, Read) to a user or group on a specific library.

Concept — SharePoint Role Definitions SharePoint controls access through role definitions (also called permission levels). Built-in levels include Full Control (create, edit, delete, manage permissions), Design (edit pages and structure), Contribute (add and edit items), Read (view-only), and View Only (view without download). Sites may also define custom permission levels. When you apply a role, you're creating a role assignment — a direct link from a principal (user or group) to a library at a specific permission level. Prefer group-based access over direct user assignments for easier long-term management.

What you'll see:

A three-step form:

Select the target library
Select (or enter) the user or group to receive the permission
Select the permission level (Read, Contribute, Full Control, etc.)

A Preview step shows exactly what change will be made before you commit it.

Key actions:

Fill in all three fields and click Preview. A confirmation panel appears showing the exact SharePoint API call that will be made.
Review the preview carefully, then click Apply to execute.
A success or error message appears after execution.

Tips:

Apply Role is for direct permission assignments on the library. To grant access through a group instead (preferred for manageability), use Groups Management to add the user to a group that already has the desired permission.
Direct assignments (user → library) are harder to audit and maintain. Prefer group-based access.
You cannot assign a permission level that doesn't exist in the SharePoint site. The permission level dropdown is populated from SharePoint's configured role definitions.

Fix — Remove Role

URL: /fix/remove-role

Remove a SharePoint permission assignment from a user or group on a specific library.

What you'll see:

A form to select:

The target library
The user or group to remove from
The specific role assignment to remove (populated after selecting user/library)

A Preview step shows the change before execution.

Key actions:

Select the library and user/group to populate the role dropdown with their current assignments.
Review the preview carefully — this action removes the role assignment from SharePoint immediately.
Click Execute to commit the change.

Tips:

If a user has access via both a direct assignment and a group, removing the direct assignment alone will not remove their access — the group still grants it. Check the Effective Access audit to understand all sources before removing.
Removing the last Full Control assignment from a library can lock everyone out. The system does not prevent this; use caution.

Fix — Reset Inheritance

URL: /fix/reset-inheritance

Reset a document library (or all uniquely-permissioned items within it) back to inherit permissions from the parent site.

Reminder — What Resetting Inheritance Does When a library or item has broken inheritance, it has its own standalone permission set. Resetting inheritance removes that standalone set and tells SharePoint "use whatever the parent has." For a library, the parent is the site. For items within a library, the parent is the library. This operation permanently removes the unique permissions — they are not preserved anywhere. Take a Snapshot before resetting if you need a record of the previous permission state.

What you'll see:

A form to:

Select the target library
Choose scope: reset the library itself, or reset all uniquely-permissioned items within it
Preview, then execute

Key actions:

Library-level reset: Removes any unique permissions on the library and restores inheritance from the site. All direct assignments to that library will be lost.
Item-level reset: Finds all items within the library that have broken inheritance and resets them to inherit from the library. Use this to clean up after bulk sharing operations.

Tips:

Reset Inheritance is irreversible once executed. All unique permissions on the target are permanently removed — make sure you have a Snapshot taken before proceeding if you need a record of what was in place.
For resetting individual items (rather than all items in a library), use the Library Detail → Broken Inheritance tab where you can select specific items.

Content — Library Picker

URL: /content

The entry point for content management. Lists all SharePoint document libraries that have been enabled for content publishing.

Concept — The Content Pipeline Content goes through a pipeline before it appears on the public or sales sites:

Author in SharePoint — content editors add files to a SharePoint document library and set the Status (Draft/Published/Archived) and Visibility (Internal/External/Partner) fields.

Sync to cache — the admin triggers a sync (manual or scheduled). Only items with Status = "Published" and Visibility = "External" are downloaded to the server's local cache.

Serve from cache — the public site and sales portal serve files from the local cache, not directly from SharePoint. This means SharePoint throttling and authentication don't affect end-user download speed.

Changes in SharePoint are only reflected on the live sites after a sync. If a file doesn't appear on the site, check this picker to verify the library has been synced recently.

What you'll see:

A card for each enabled library showing:

Library name and description
Last sync date and time
Number of items in the cache
Sync status (synced / syncing / error)
Quick links to browse items or trigger a sync

Key actions:

Browse: Click Browse on any library card to navigate to the Content Browser for that library.
Sync: Click the Sync button on a library card to sync that library's published content to the local cache. A progress stream shows download progress in real time.
Sync All: Use the Sync All button at the top to sync every enabled library in sequence.
Settings: Click the Settings link to go to the Content Settings page where you configure which libraries are enabled for publishing.

Tips:

Content is only served to users (on the public site and sales portal) after it has been synced to the local cache. Syncing downloads files from SharePoint to the server's disk.
Only items with Status = "Published" and Visibility = "External" are synced. Items with other status/visibility values remain in SharePoint but are not served publicly.

Content — Settings

URL: /content/settings

Configure which SharePoint libraries are enabled for content publishing and manage the global tag vocabulary.

What you'll see:

Two sections:

Libraries section:

A list of all document libraries discovered in SharePoint
A toggle on each to enable or disable it for content publishing
A note on each showing whether the required SharePoint content fields are set up

Tag vocabulary section:

All currently defined tags (used to categorize content)
Controls to add new tags, rename existing ones, delete unused tags, and mark tags as "filterable" (visible in the tag filter sidebar on the public and sales sites)

Key actions:

Libraries:

Enable/disable: Toggle a library's publishing on or off. Disabling a library removes it from future syncs but does not delete already-cached files.
Setup Fields: If a library doesn't have the required SharePoint content fields (Status, Visibility, Content Description, etc.), click Setup Fields to create them. This is a one-time operation per library.
Configure View: Click to apply a standard column view to the library in SharePoint, making it easier for content editors to manage the metadata fields.

Tags:

Add tag: Enter a label in the new tag form and click Add. The tag slug is generated automatically from the label.
Rename tag: Click the edit icon next to any tag to rename its label. The slug stays the same so existing tag assignments are preserved.
Delete tag: Click the delete icon to remove a tag. Tags that are currently assigned to content items cannot be deleted — remove the assignments first.
Filterable toggle: Tags marked as filterable appear in the tag filter sidebar on the public and sales sites. Non-filterable tags can be used internally for organization but don't appear to users.

Tips:

The content fields in SharePoint must be set up on each library before content editors can set Status and Visibility on documents. Run Setup Fields once when adding a new library.
Tags are global — they are shared across all libraries and both the public and sales sites.

Content — Browse Library

URL: /content/<library_id>/browse

Browse and manage individual content items within a specific SharePoint library.

What you'll see:

A table of all items in the library (fetched from SharePoint's content index), with:

File name and title
Status (Published / Draft / Archived)
Visibility (External / Internal / Partner)
File size
Tags (both admin-assigned and local overrides)
Thumbnail indicator (whether a preview image exists)
Cached indicator (whether the file is in the local content cache)
A folder path column showing where in the library the file lives
Action buttons: Edit, Thumb, Sync

Key actions:

Search: Use the search bar at the top to filter items by name, title, description, keywords, or tags. Results update via HTMX without a full page reload.
Toggle folder view: Switch between flat list (all items) and folder tree view using the toggle button.
Edit item: Click the Edit button (pencil icon) on any row to open the metadata editor for that item. You can set the title, description, tags, keywords, and local overrides.
Generate thumbnail: Click the Thumb button (image icon) to generate a preview thumbnail for that item. Thumbnails are generated server-side using LibreOffice (for Office files) or pdf2image (for PDFs). This may take several seconds.
Sync item: Click the Sync button to re-download just this item from SharePoint, updating the local cache immediately without running a full library sync.
Toggle Status/Visibility: Click the Status or Visibility badges on any row to cycle the item's value in SharePoint (e.g., Draft → Published, Internal → External). The row updates immediately via an OOB HTMX swap.
Bulk update: Select multiple rows using the checkboxes and use the bulk action toolbar to set status or visibility on all selected items at once.

Tips:

Items with Status ≠ "Published" or Visibility ≠ "External" appear in this table (they're in the SharePoint content index) but will not be synced to the public cache and will not appear on the public or sales sites.
Thumbnail generation can be slow for large Office files. The Thumb button is per-item intentionally — there is no bulk backfill to avoid overloading the server.
The "Cached" badge shows whether the file currently exists in the local content cache. An item can be in SharePoint but not cached if it hasn't been synced yet, or if it doesn't meet the Published/External criteria.

Content — Published Items

URL: /content/published

View all content currently in the local cache (i.e., items that are actually being served to users on the public and sales sites).

What you'll see:

A searchable table of all cached items, showing:

File name, title, and display name override (if set)
File type and size
Sync date (when the file was last downloaded from SharePoint)
Tags and keywords
Thumbnail indicator
Action buttons: Edit metadata, Edit local overrides

Key actions:

Search: Filter the list by any text field.
Edit metadata (pencil icon): Opens the admin metadata editor. Here you can set the global title, description, tags, and keywords for this item. These values are visible to all users on both the public and sales sites.
Edit local overrides (layers icon): Opens the local override editor. Local overrides let you set a different display name, description, or tags for specific user groups (e.g., show a different title to the "Enterprise" group than to the "SMB" group).

Tips:

The Published Items view is the best place to do a final check before content goes live. If a file you expect to see is missing here, check the Browse view for that library and verify its Status and Visibility in SharePoint.
Local overrides are applied per group at render time — they do not change the file in SharePoint or the global metadata.

Snapshots

URL: /snapshots

Take point-in-time snapshots of the entire SharePoint permission state and compare snapshots to identify changes over time.

What you'll see:

Two sections:

Snapshot history:

A chronological list of all saved snapshots with their date, description, and size
Actions: Load (view the snapshot data), Compare (diff against another snapshot), Delete

Take snapshot:

A form to start a new snapshot with an optional description
Once submitted, a real-time progress stream shows the capture progress (groups → libraries → items → sharing links)

Key actions:

Take Snapshot: Enter a description (e.g., "Pre-migration baseline" or "After Q1 audit remediation") and click Take Snapshot. The process fetches all permission data from SharePoint concurrently (6 workers) and can take several minutes for large environments.
Load Snapshot: Click Load next to any historical snapshot to view a full read of the permission state at that point in time. Useful for answering "what did the permissions look like on date X?"
Compare Snapshots: Select two snapshots and click Compare to see a structured diff. The diff shows:
- Groups added or removed
- Members added or removed from groups
- Libraries added or removed
- Role assignments added or removed
- Items with new, changed, or removed unique permissions
Delete Snapshot: Remove a snapshot you no longer need. This is permanent.

Tips:

Take a snapshot before any significant permission change (migrations, offboarding, restructuring). This gives you a baseline to roll back to mentally or audit against.
Snapshots capture state at a moment in time — they are not live views. If you take a snapshot and immediately make changes, those changes won't appear in the snapshot.
The compare feature is most useful when snapshots are taken at consistent intervals (e.g., weekly) so you can track who gained or lost access between review cycles.

Access — Users & Groups

URL: /access

Manage users and groups in the sales portal access control system. This is distinct from SharePoint groups — these are users and groups for the public content site and sales portal (email/password users).

Concept — Access Tags (Portal Access Control) The public content site and sales portal use a tag-based visibility system that is separate from SharePoint permissions. Each content item and CMS page can have one or more access tags assigned. Each portal group also has access tags. A user can see an item if:

the item has no access tags (visible to all, including anonymous), or

the user belongs to a group whose access tags overlap with the item's access tags.

This means the same file can be visible to one sales group ("Enterprise") but hidden from another ("SMB") — without changing anything in SharePoint. Access tags are managed here (on groups) and in the Admin → Content and Admin → Pages sections.

What you'll see:

Two tabs:

Users tab:

All registered users in the system, with their email, display name, role, and status
Status values: active, disabled, invited (password not yet set)
Role values: viewer, manager, super_admin

Groups tab:

All access control groups
Each group's name, description, and member count
The group owner (manager who manages this group)

Key actions:

Users:

Create user: Fill in the email and display name, select a role, and click Create. The user is created with "invited" status. Use this to manually add a user without going through the registration workflow.
Edit user: Click a user row to open the detail view where you can change their role, status, display name, or reset their password.
Disable user: Set a user's status to "disabled" to prevent them from logging in without deleting their account. Their content access and group memberships are preserved.

Groups:

Create group: Enter a group name and optional description, assign an owner manager, and click Create.
Edit group: Click a group row to view its members, add members, remove members, and update the group's access tags (what content this group can see).
Access tags: Each group can have access tags that define which content items and pages the group's members can access. Items tagged with a specific group's tag are only visible to members of that group (and to admins).

Tips:

Access tags are the primary mechanism for restricting content visibility. An item with no access tags is visible to all authenticated users (and potentially anonymous users on the public site). Tag it to restrict it.
Groups are scoped to the portal — they do not correspond to SharePoint groups. They exist purely to control what users can see on the public content site and sales portal.

Access — User Detail

URL: /access/users/<user_id>

View and edit a single portal user's profile, group memberships, and access configuration.

What you'll see:

User's email, display name, role, status, and creation date
A form to update any of these fields
The groups this user belongs to, with an option to remove them from each group
An Add to Group form to add the user to additional groups

Key actions:

Edit profile: Change the user's display name, role, or status using the form. Click Save to apply.
Change role: Roles control what the user can do in the sales admin:
- viewer — can browse content and create collections, no admin access
- manager — can manage their own pages, groups, and group members in the sales admin
- super_admin — full admin access including settings and all users/pages
Disable/enable: Toggle the user's status between "active" and "disabled." Disabled users cannot log in.
Remove from group: Click the × button next to any group membership to remove the user from that group.
Add to group: Select a group from the dropdown and click Add to enroll the user.

Tips:

Changing a user's role takes effect on their next request — they don't need to log out and back in.
There is no "delete user" option from this page — use the Users & Groups list page for deletion.

Access — Group Detail

URL: /access/groups/<group_id>

View and manage a single access control group's metadata, members, and access tags.

What you'll see:

Group name, description, and owner manager
A form to update group metadata
The current member list
The group's access tags (which content this group can see)
A form to add or remove access tags

Key actions:

Edit group: Update the group name, description, or owner manager.
Add member: Type an email or name in the member search and click Add. The user must already exist in the portal user database.
Remove member: Click the × button next to any member.
Access tags: The access tags panel shows which resources (content items, CMS pages) this group has been granted access to. You can:
- Remove all tags — revoke this group's special access to all tagged resources (they'll only see untagged content)
- Add tag for a specific resource — navigate to the content item or page and use its access tag editor to add this group

Tips:

A group's access tags are set on individual resources, not on the group itself. To control what a group can see, go to the specific content item or CMS page and edit its access tags to include or exclude this group.
Removing a user from a group immediately removes their access to anything that group's tag was protecting. The change takes effect on their next page load.

Public Content Site

Access: Most pages are publicly accessible without login. Content restricted by access tags requires an active login (email/password). Tradeshow landing pages flagged with the email gate require visitors to submit their contact information before viewing. Login accounts are created by administrators — there is no self-service registration on the public site.

The public content site serves published SharePoint documents and CMS landing pages to external users. Some content is available without logging in; content tagged with access-restricted groups requires login.

Landing Page

URL: /

The home page of the public content site. Shows recently synced content items as a grid of cards.

What you'll see:

A hero/banner section (configured via CMS)
A grid of the 6 most recently synced content items (cards with thumbnail, title, file type, and size)
A count of total available items
Navigation links to Browse and Search

Key actions:

Click a card: Navigate to the Content Detail page for that item.
Browse all: Click the Browse link in the navigation to see all available content.
Search: Use the search bar in the navigation to search by keyword.
Login: If you have an account, click Login in the navigation to access restricted content.

Tips:

"Recently synced" means the files were most recently downloaded from SharePoint — it does not necessarily mean they are the most recently modified files in SharePoint.
Content cards show a thumbnail if one has been generated by an admin. If no thumbnail exists, a file-type icon is shown instead.
Only items accessible to your current session are shown. If you are not logged in, only publicly accessible items appear. Log in to see restricted content you have access to.

Browse

URL: /browse

Browse all available content items with optional keyword filtering.

What you'll see:

A search/filter bar at the top
A grid of all content items accessible to your session
Each card shows: thumbnail or icon, title, file type, file size, and sync date

Key actions:

Filter: Type in the search box and press Enter (or click Search). The grid updates to show only items matching your query in the file name, title, description, tags, or keywords.
Clear filter: Delete the search text and press Enter to return to the full list.
Open item: Click any card to navigate to the Content Detail page.
Download: From a card, you can directly download the file by clicking the download icon.

Tips:

Search is performed across: filename, title (from SharePoint), description, keywords, tags, and local display name overrides. A document tagged with "pricing" will appear when you search "pricing."
Items with access restrictions that you don't meet are silently excluded from results. You won't see "Access Denied" errors in the browse grid.

Search

URL: /search?q=<query>

Full-text search across all accessible content.

What you'll see:

A search input pre-filled with your query
Search results as cards (same format as Browse)
A result count

Key actions:

Modify the query in the search input and press Enter to search again.
Click any result card to go to the Content Detail page.

Tips:

If your search returns no results, try a broader term. The search matches against stored metadata — if a document's content hasn't been indexed with the right keywords by an admin, it may not appear.
The search box in the navigation bar on every page also performs a search and takes you to this results page.

Content Detail

URL: /landing-files/<filename>/preview

The detail page for a single content item. Shows a preview (if available) and download options.

What you'll see:

Document title and display name
File type, size, and sync date
PDF preview: If the item is a PDF or if an admin has generated a PDF preview for an Office document (via thumbnail generation), an inline PDF viewer is shown.
Image preview: If the item is an image, it is displayed inline.
No preview: If no preview is available, a placeholder is shown with a message.
A Download button to download the original file
File metadata: visibility, tags (if any are shown to users)

Key actions:

Inline preview: Scroll through the PDF in the embedded viewer. Use the viewer controls to zoom, rotate, or go full-screen.
Download: Click the Download button to download the original file (PDF, PPTX, DOCX, etc.) to your device.
Back: Use the browser back button or the breadcrumb navigation to return to the browse/search page.

Tips:

Office document previews (PPTX, DOCX, XLSX) require that an admin has generated a thumbnail for the item using the Admin Portal. The thumbnail process converts the document to PDF via LibreOffice, and that PDF is what's shown in the preview.
Access is checked on every file serve request. If you lose access to a restricted item between sessions, the file download will be blocked with a redirect to login.

Pages List

URL: /pages

A directory of all published CMS landing pages.

What you'll see:

A list or grid of all published CMS pages that you have access to
Each page shows its title, description (if set), and a link to open it
Pages may be grouped by category or shown as a flat list depending on configuration

Key actions:

Click a page title: Navigate to the full CMS page view.

Tips:

Pages with access restrictions you don't meet are hidden from this list.
If a page you expect to see is missing, it may be unpublished or restricted to a group you don't belong to. Contact the site administrator.

CMS Page

URL: /landing/<slug>

A single CMS landing page, which can contain multiple sections of content items arranged by the admin.

What you'll see:

The layout varies by page design, but typical elements include:

A page title and optional header/banner
Multiple content sections, each of which can be:
- Featured: A prominent single-item showcase
- Grid: A multi-column grid of content cards
- List: A vertical list of content items with descriptions

Each content card within a section links to the Content Detail page for that item.

If the page has a tag filter sidebar configured, you'll see a list of tags on the left (or top on mobile). Clicking a tag filters the page's content to show only items with that tag.

Key actions:

Navigate content: Click any content card to open the detail page for that item.
Tag filter: If a tag filter sidebar is shown, click tag names to filter content. Click again to deselect. Multiple tags narrow the results (intersection filtering).
Download: Some section layouts include a direct download button on each card in addition to the detail page link.

Tips:

Tag filtering is applied client-side on the current page only. It does not search the full content library — only the items that the admin has added to this specific page.
If a section appears empty after filtering, no items in that section have the selected tag. Try a different tag or clear the filter.

URL: /login

Email/password login for the public content site.

What you'll see:

A simple login form with email and password fields.

Key actions:

Login: Enter your email and password and click Login. If credentials are correct and the account is active, you are redirected to the page you were trying to access (or the home page).
Error messages:
- "Invalid email or password" — credentials don't match
- "This account has been disabled" — contact the administrator
- "Please check your email for an invitation link" — your account was created by an admin but you haven't set a password yet

Tips:

The public site uses the same user database as the sales portal. If you have a sales portal account, you can log in here with the same credentials.
There is no self-service registration on the public site. Accounts must be created by an administrator.
After logging in, restricted content you have access to becomes visible throughout the site without needing to log in again.

Email Gate

URL: /gate

An email-capture form shown to visitors attempting to access tradeshow landing pages. These are special landing pages configured to collect visitor contact information before granting access.

Concept — Gated Landing Pages Some CMS pages on the public site are configured as "gated" — they require visitors to enter their email before viewing the page. This is used for tradeshow and event scenarios: a QR code on a booth sign leads to a gated page, and anyone who scans it provides their contact info. The admin can later review these Leads in the Sales Portal admin to see who visited and when. A gated page is a regular CMS page with the Gated flag enabled in the Page Editor.

What you'll see:

A simple form requesting:

Your email address (required)
Your name (optional)
A consent checkbox (for contact preferences)

Key actions:

Fill in your email and optionally your name, check the consent box if shown, and click Continue.
You are redirected to the landing page you were trying to access.
Your session is now "gated" — your page views and document interactions on the landing page will be tracked for the event organizers.

Tips:

The email gate is for tradeshow and event contexts. Your information is used by the event organizers to follow up. The consent checkbox controls whether they may contact you for marketing purposes.
Once you have entered your email in a session, the gate won't prompt again — you can navigate freely within the gated landing page.
Rate limiting is in place: you can submit the form at most 5 times per minute to prevent abuse.

Sales Portal

Access: The portal home page and login/register pages are publicly accessible. All content browsing, library, search, folders, pages, and collection features require login with a viewer role or higher. The Admin section (/admin/*) requires the manager, organizer, or super_admin role. See the individual admin section callouts for granular role requirements.

Role summary: | Role | What they can do | |------|-----------------| | viewer | Browse content, search, view pages, manage their own collections | | manager | Everything a viewer can do, plus: manage their own CMS pages, groups, and group members in admin | | organizer | Manage global content metadata (tags, descriptions) and the portal home page | | super_admin | Full admin access: all pages, all users, all groups, settings, leads, registrations |

The Sales Portal is a curated content portal for the sales team. It provides access to the same underlying document library as the public content site but with a more organized, team-focused interface including CMS pages, collections, and team-based access control.

Portal Home

URL: /

The landing page for the sales portal. What you see depends on whether you are logged in.

Logged-out visitors:

A welcome/login prompt
A brief description of the portal
A login button and registration link

Logged-in users:

Your default landing page (configured by an admin), or the portal home page if no specific page is set
Featured content sections
Quick links to recently accessed items (if configured)
Your collections (if you have any)

Key actions:

Login: Click the login button to go to the login page.
Register: Click Register to request an account (requires admin approval).
Browse content: Use the navigation bar to access Library, Browse, Search, Pages, or Folders.
Admin panel: If your role is manager, organizer, or super_admin, an Admin link appears in the navigation bar.

URL: /login

Email/password login for the sales portal.

What you'll see:

A login form with email and password fields.

Key actions:

Login: Enter your credentials and click Sign In. You are redirected to the page you were trying to access, or the portal home.
Forgot password: Click the "Forgot password?" link to request a password reset email.
Register: Click the "Request access" link to go to the registration page.

Error messages:

"Invalid email or password" — credentials don't match
"Your account is pending approval" — your registration request hasn't been approved yet
"Your account has been disabled" — contact an administrator

Tips:

Accounts require admin approval before you can set a password and log in for the first time.
If you registered but haven't received an invitation email, your request may be pending review. Contact a sales admin.

Register

URL: /register

Request a new account on the sales portal.

What you'll see:

A registration form with:

Email address
Display name (how your name will appear)
Company/organization (optional)
A message to the admin (optional — use this to explain why you need access)

Key actions:

Fill in the required fields and click Submit Request.
A confirmation message tells you that your request has been received.
A sales admin will review your request and either approve or deny it.
If approved, you will receive an email with a link to set your password.

Tips:

Registration requests are reviewed manually by sales admins. Response times vary.
If you already have an account, go to the Login page instead.
The email address you register with must be unique — you cannot create two accounts with the same email.

Set Password

URL: /set-password/<token>

Set your password for the first time after your registration has been approved. This link is sent via email after admin approval.

What you'll see:

A form with two password fields (new password and confirm password).

Key actions:

Enter your desired password in both fields. Passwords must meet the minimum length requirement (shown on the form).
Click Set Password to save. You are redirected to the login page.
Log in with your email and the password you just set.

Tips:

The set-password link is single-use and expires after 1 hour. If yours has expired, use the Forgot Password flow to request a new one.
After setting your password, you can change it at any time via the Forgot Password flow.

Forgot Password

URL: /forgot-password

Request a password reset link for your sales portal account.

What you'll see:

A form with a single email field.

Key actions:

Enter the email address associated with your account and click Send Reset Link.
If the email matches an account, a reset link is sent to that address.
Check your email and click the link within 1 hour.

Tips:

For security, the form shows the same confirmation message whether or not the email matches an account. This prevents email enumeration.
If you don't receive an email, check your spam folder. If still not received, contact a sales admin — the email service may be misconfigured.

Reset Password

URL: /reset-password/<token>

Set a new password using the link sent by the Forgot Password flow.

What you'll see:

A form with two password fields.

Key actions:

Enter your new password in both fields and click Reset Password.
You are redirected to the login page on success.

Tips:

Reset links expire after 1 hour. If yours has expired, request a new one via Forgot Password.
Reset links are single-use.

Sales Search

URL: /search?q=<query>

Search for content items and CMS pages across the sales portal.

What you'll see:

A search bar pre-filled with your query
Results in two sections: Documents and Pages
Document results as cards (file type, title, description)
Page results as list items (page title, description, slug)

Key actions:

Modify your query and search again.
Click any document card to go to the content preview page.
Click any page result to navigate to that CMS page.

Tips:

Search respects your access permissions — items and pages you don't have access to are excluded from results.
The search covers: filename, title, description, tags, and keywords. It does not perform full-text search inside document content.

Library

URL: /library

Browse all content accessible to you with a tag filter sidebar.

What you'll see:

A sidebar with all filterable tags
A content grid showing all accessible items
Each card shows: thumbnail or icon, title, file type, size
A count of total visible items

Key actions:

Filter by tag: Click one or more tags in the sidebar to filter the grid to items with those tags. Clicking multiple tags narrows the results (AND logic — item must have all selected tags).
Clear filter: Click a selected tag again to deselect it, or click "Clear all" to remove all filters.
Open item: Click any card to go to the content preview page.
Download: Some cards have a direct download button.

Tips:

The Library shows all content you have access to regardless of what CMS pages it's been placed on. Use Library when you want to find a specific document rather than browse curated pages.
Tags shown in the sidebar are only "filterable" tags — tags that a content admin has marked as suitable for user-facing filtering. There may be additional internal tags not shown here.

Browse by Tag

URL: /browse?tag=<slug>

A focused browse view filtered to a single tag category.

What you'll see:

Content items with the specified tag
The active tag displayed prominently

Key actions:

Browse items and click to preview or download.
Click a different tag in the navigation to switch to that category.

Folders

URL: /folders

Browse content organized by folder structure, mirroring the SharePoint document library's folder hierarchy.

What you'll see:

A folder tree on the left (or top on mobile)
Content items in the currently selected folder on the right
Breadcrumb navigation showing your current folder path

Key actions:

Navigate folders: Click any folder name in the tree to see its contents. The content panel updates via HTMX without a full page reload.
Open item: Click any content item to go to the preview page.
Download: Use the download button on any item card for direct download.

Tips:

The folder structure mirrors SharePoint. If the structure changed in SharePoint since the last sync, the folders here may be out of date until the next content sync.
Some items may appear in multiple locations if they belong to multiple folders (not common in SharePoint flat library structures).

Sales CMS Page

URL: /pages/<slug>

View a curated CMS page assembled by a sales admin. Pages contain sections of selected content items.

What you'll see:

The page title and optional description/banner
Multiple content sections (featured, grid, or list layouts)
Each section may have its own title
Content cards within sections link to the preview page

If the page has a tag filter sidebar configured, you'll see tags on the side. Filtering applies only to items on this page.

Key actions:

Navigate content: Click cards to preview or download items.
Tag filter: If visible, click tags to filter items on this page.

Tips:

CMS pages are curated by sales admins. If a document you expected to see isn't on a page, check the Library for the full catalog.
Access to pages is controlled by access tags. If you can't see a page, you may not have access — contact your admin.

Content Preview

URL: /content/<path>/preview

The detail/preview page for a single content item in the sales portal. Shows a preview and download options.

What you'll see:

Document title and description
An inline PDF viewer (if the item is a PDF or has a PDF preview generated)
An image viewer (if the item is an image)
File metadata: type, size, tags
A Download button
An "Add to Collection" button if you are logged in

Key actions:

Preview: View the document inline using the PDF viewer.
Download: Click Download to save the file to your device.
Add to Collection: Click this button to add the item to one of your personal collections. A modal/dropdown lets you select an existing collection or create a new one.

Tips:

Office document previews (PPTX, DOCX, XLSX) require prior thumbnail generation by an admin. If no preview is shown, the preview hasn't been generated yet.

Collections

URL: /collections

Manage your personal content collections. Collections let you save and organize sets of content items for later reference or sharing.

Concept — Collections & Sharing A collection is a personal curated list of content items from the sales portal. Think of it like a playlist or a saved search — you pick the items you want, name the collection, and optionally share it. Shared collections generate a unique link that anyone can visit (no login required), optionally protected by a password you set. This makes it easy to send a curated bundle of resources to a prospect or customer without giving them full portal access.

What you'll see:

A list of all your collections with their name, item count, and sharing status
A button to create a new collection

Key actions:

Create collection: Click New Collection, enter a name and optional description, and click Create.
View collection: Click any collection name to go to the Collection Detail page.
Delete collection: Use the delete button on any collection. This only removes your collection record — it does not affect the underlying content items.

Tips:

Collections are personal — other users cannot see your collections unless you share them.
You can share a collection with anyone (including people without a portal account) via a share link. See Collection Detail for sharing options.

Collection Detail

URL: /collections/<id>

View and manage a single collection's items and sharing settings.

What you'll see:

Collection name and description (editable)
A list of items in the collection with thumbnail, title, and remove buttons
Sharing settings panel
A button to view the public share link (if sharing is enabled)

Key actions:

Edit name/description: Click the edit icon to update the collection's name or description inline.
Remove item: Click the × button next to any item to remove it from the collection.
Add items: Use the "Add content" button or add items from the preview page while browsing.
Share collection:
- Click Share to open the sharing settings.
- Toggle sharing on to generate a share link.
- Optionally set a password that recipients must enter to view the collection.
- Copy the share link and send it to anyone.
- Set an expiration date to automatically revoke the link after a certain date.
Download as ZIP: If sharing is enabled, recipients can download all items in the collection as a ZIP file. You can also use this button yourself.
Revoke sharing: Toggle sharing off to immediately invalidate the share link. Anyone with the old link will no longer be able to access the collection.

Tips:

Password-protected sharing requires recipients to enter the password before viewing collection contents. The password is not stored in plain text.
Expired share links show an "Expired" message to the visitor. Re-enable sharing with a new expiry to restore access.

Shared Collection

URL: /collections/shared/<token>

The public view of a shared collection, accessible to anyone with the link (no login required).

What you'll see:

The collection name and description
A grid of items in the collection with thumbnails
A Download All (ZIP) button
If password-protected: a password entry form before items are shown

Key actions:

View items: Browse the items in the collection.
Download individual item: Click any item card to download that file.
Download all: Click the ZIP download button to download all items in the collection as a single ZIP archive.
Enter password: If prompted, enter the password provided by the collection owner.

Tips:

No login is required to view a shared collection. The share link is the access control.
If the collection has expired, you'll see a message and no items will be shown. Contact the collection owner to have them refresh the share link.

Sales Portal — Admin

Access: Requires login with role manager, organizer, or super_admin. Viewers cannot access the admin area.

The Sales Admin is accessible to users with the manager, organizer, or super_admin role. A tab bar at the top of the admin area provides navigation between all admin sections.

Role capabilities:

manager — can manage their own CMS pages, their own groups, and the members of their groups
organizer — can manage global content metadata (tags, descriptions) and the portal home page
super_admin — full access to all pages, users, groups, settings, leads, and registrations

Admin — Pages

URL: /admin/

Access: manager (own sales pages only) · organizer (home page only) · super_admin (all pages)

The default admin view: a list of CMS pages you are authorized to manage.

What you'll see:

A table of CMS pages with: title, slug, target app (public / sales / both), publish status, and section count
For super_admins: all pages in the system
For organizers: only the home page
For managers: only sales pages they own

Key actions:

Create page: Click New Page, enter a title and slug, choose a target app, and click Create. You are taken directly to the page editor.
Edit page: Click the Edit button (pencil icon) on any page row to go to the Page Editor.
Duplicate page: Click the copy icon to create a copy of a page with a new slug.
Delete page: Click the delete (trash) icon. You are prompted to confirm. Deleting a page removes it and all its sections from the CMS. This cannot be undone.
Toggle published: Click the published/draft badge to toggle a page's publish status. Unpublished pages are not visible to portal users.

Tips:

"Slug" is the URL-friendly identifier for the page (e.g., product-overview → accessible at /pages/product-overview). Slugs must be unique and can only contain lowercase letters, numbers, and hyphens.
Target app controls where the page appears: "sales" = sales portal only, "public" = public content site only, "both" = appears in both.
The email gate option (for pages targeted at "public") makes the page require email capture before viewing. This is for tradeshow/event scenarios.

Admin — Page Editor

URL: /admin/pages/<page_id>/edit

Access: manager (own sales pages only) · organizer (home page only) · super_admin (all pages)

The full page editor for building and curating a CMS page.

What you'll see:

The editor is divided into two panels:

Left panel — Page settings:

Page title
Slug (URL identifier)
Target app (public / sales / both)
Owner manager (manager-owned pages only)
Publish status toggle
Access tags (which user groups can see this page)
Email gate toggle (public pages only)
Tag filter sidebar configuration (which tags to show as filter options on this page)

Right panel — Sections:

All sections currently on this page, in order
A drag handle for reordering sections
Section type (featured / grid / list)
Section title
Items assigned to each section
Controls to add, edit, remove sections and manage their items

Key actions:

Page settings:

Edit title/slug: Click any field and type to edit. Changes are saved automatically on blur (or when you click Save).
Toggle published: Click the Publish/Unpublish button to control visibility.
Set access tags: Use the access tag panel to restrict this page to specific user groups. Untagged pages are visible to all.
Configure tag filter: Select which tags appear in the sidebar filter on this page. Only filterable tags can be selected.

Sections:

Add section: Click Add Section, choose the section type (featured / grid / list) and enter a title. The section is added at the bottom.
Reorder sections: Drag sections up or down using the drag handle on the left. The new order is saved immediately via HTMX.
Edit section: Click the edit icon on any section to change its title or type.
Delete section: Click the delete (trash) icon on a section. The section and all its item assignments are removed.
Add items to section: Click Add Content on any section to open the item picker. Search for content by name, tag, or folder. Click items to add them. Added items appear in the section immediately.
Remove item from section: Click the × button next to any item within a section.
Reorder items: Drag items within a section to reorder them. The new order is saved immediately.
Edit item tags/description: Click the item's edit icon within a section to open an inline editor where you can set per-item overrides (display name, description, tags) that apply specifically when this item appears in this page context.

Tips:

The "featured" section type is best for a single highlighted item (e.g., a hero document). Grid and list types work well for multiple items.
Access tags on a page work independently from access tags on items. A user needs to have access to both the page and the individual item to see it.
If you add an item that you don't have access to view (e.g., a restricted item from another manager's library), it will appear in the editor but will be filtered out for users who don't have access to that item.

Admin — Content

URL: /admin/content

Access: manager · organizer · super_admin Managers see only content from libraries their groups have access to. Organizers and super_admins see all content.

The Content area has two views, switchable with the pill toggle at the top:

Organize (/admin/content) — the curated portal layer: thumbnails, display names, descriptions, tags, group restrictions. Only items that are eligible (Published + External in SharePoint) and synced to the local cache appear here.
SharePoint (/admin/content/sharepoint) — a live mirror of the SharePoint library, including drafts and internal-only items. This is where you flip files into the eligible state.

Concept — Two Layers of Metadata Each content item has two metadata layers that work together:

1. SharePoint fields (Status, Visibility, Content Description) — set by content editors directly in SharePoint, or via the SharePoint view here. These control whether the item is eligible for the portal at all. Eligibility = Status = Published and Visibility = External.

2. Portal metadata (Display name, Tags, Keywords, Access tags, Thumbnails) — set in the Organize view. This overlay enriches how the item appears in the portal without touching SharePoint. Display names and descriptions can also have per-group overrides, letting managers show different content cards to their own user group.

Both layers must be correct for an item to appear correctly: the SharePoint fields must be Published+External (so it's eligible and syncs), and the portal metadata should have a display name and tags so it's searchable and categorized.

Organize view

What you'll see:

A search bar and filter controls at the top
A content grid showing all eligible/cached items
For each item:
- Thumbnail (if generated)
- File name and title
- Visibility and Status badges (clickable to toggle a single item)
- Access (group restrictions) and tag badges
- Cached indicator (green = in the local cache, gray = not cached)
A bulk action bar that appears when one or more rows are selected

Bulk action bar (Organize view):

All bulk-action dropdowns share the same UX — click the action, set your choices in the dropdown, then click Apply. Revert restores the dropdown to the state it had when you opened it; Clear unchecks everything.

| Action | Behavior | |---|---| | Visibility / Status | Two radio groups (Status: Publish/Draft, Visibility: External/Internal). Pre-fills from the shared state of selected rows. Apply only fires the field(s) you actually changed. | | Add Tags | Checkboxes for each tag, plus an inline "create new tag" form. Apply assigns all checked tags to the selected items. | | Remove Tags | Checkboxes filtered to only the tags currently present on at least one selected item. Apply removes all checked tags. | | Manage Groups | Stateful — checkboxes pre-fill from each row's current access. All Users = unrestricted. Mixed states are shown as indeterminate. Apply replaces (not adds) when you started from a non-empty state, so unchecks become removals. | | Remove Groups | Checkboxes for any group; Apply removes the checked groups from the selected items' access. Includes a "Make Unrestricted (all)" shortcut. |

Other key actions:

Search: Type in the search box to filter by name, title, description, keywords, or tags.
Folder view toggle: Click the folder icon to switch between flat list and folder-tree view.
Filter portal items: Click "Portal Items Only" to show only items currently visible to portal users.
Edit metadata: Click the Edit (pencil) icon on a row to open the per-item editor.
Generate thumbnail: Click the Thumb button to generate a preview thumbnail. Uses LibreOffice for Office files and pdf2image for PDFs — can take several seconds.
Single-row toggle: Clicking a Visibility or Status badge on a single row also flips the value in SharePoint immediately (no Apply needed).

Tips:

Toggling Status/Visibility writes to SharePoint directly. After setting an item to Published+External, you still need to wait for the next content sync (or trigger one) before it appears on the portal.
Thumbnail generation is intentionally manual — there's no bulk backfill, to keep the server responsive.
For super_admins and organizers, this page shows all eligible/cached items. For managers, it shows only items from libraries their managed groups have access to.

SharePoint view (Live Mirror)

URL: /admin/content/sharepoint

Access: super_admin · organizer (bulk actions); all admins can browse.

A live, unfiltered view of every file in the connected SharePoint library — drafts, internal-only items, and published items alike. Use this view to bring files into the eligible state so the organizer can curate them in the Organize view.

Eligibility rule: A file is only eligible to appear in the portal once Visibility = External and Status = Published. Until both are set, the file is invisible to the Organize view and to all portal users.

What you'll see:

A search bar plus Visibility and Status filters
A Portal visible toggle that filters the list down to Published+External items in one click
Folder breadcrumbs and folder navigation
For each row: filename, optional Title, Visibility + Status badges, Size, Modified date
A bulk action bar when one or more rows are selected

Bulk action bar (SharePoint view):

A single Visibility / Status dropdown — same Apply/Revert/Clear pattern as the Organize view. Pick a Status radio (Publish/Draft) and/or a Visibility radio (External/Internal); Apply only fires the field(s) you actually changed. Pre-fills from the shared state of the selected rows.

Key actions:

Single-row toggle: Click the Visibility or Status badge on any row to flip that field in SharePoint.
Bulk publish: Select multiple rows, open Visibility / Status, set Status = Publish and Visibility = External, click Apply. The items become eligible and will appear in the Organize view after the next sync.
Filter to portal-visible: Click the Portal visible toggle to see only the items that are currently eligible.
Rename folder: Hover a folder row and click the rename icon (super_admin / organizer only).

Tips:

Editing here does not add portal metadata (display name, tags, group restrictions, thumbnail) — for that, switch to the Organize view after the file syncs.
After a bulk publish, the next scheduled content sync downloads the files into the local cache; only then do they appear on the portal.

Admin — Content Edit

URL: /admin/content/<item_id>/edit

Access: manager · organizer · super_admin Managers can set per-group override metadata (display name, description, tags) for their own groups. Organizers and super_admins set global metadata visible to all users.

Edit the metadata for a single content item — title, description, tags, keywords, and access restrictions.

What you'll see:

The editor has several panels:

Document info:

SharePoint-sourced title (read-only, shown for reference)
Display name override (what users see instead of the filename)
Description override (shown in content cards and detail pages)

Tags & keywords:

Admin tags (global tags assigned by organizers/super_admins) — visible to all users
Your tags (tags you've added as a manager override) — visible to your group members
Keywords (search terms, not visible to users but used for search matching)

Thumbnail:

Current thumbnail preview (or a placeholder if none generated)
Generate button to create/regenerate the thumbnail
Upload custom thumbnail button (upload a PNG to use instead of the auto-generated one)

Access control:

Access tags: which user groups can see this item (empty = visible to all)

Key actions:

Set display name: Enter a human-friendly title that overrides the filename in all portal views.
Set description: Write a brief description shown in content cards and on the detail page.
Add tags: Type in the tag field and select from the autocomplete dropdown. Press Enter or click to add.
Remove tags: Click the × on any tag badge to remove it.
Set keywords: Add search keywords (not visible to users). Separate multiple keywords with commas or Enter.
Generate thumbnail: Click the Generate Thumbnail button. Status updates in real time.
Upload custom thumbnail: Click Upload Thumbnail to choose a PNG file. The custom thumbnail replaces the auto-generated one.
Set access tags: Add or remove the user groups that can access this item. An empty access tag list means the item is accessible to all authenticated users.
Save: Changes to display name, description, tags, keywords, and access tags are saved immediately via HTMX (no explicit Save button needed for most fields). The generate/upload thumbnail actions have their own buttons.

Tips:

Display name and description changes take effect immediately in the portal (no sync required).
Tags must exist in the tag vocabulary before they can be assigned. Go to the Tags admin page to create new tags.
Manager-level overrides (your tags, your display name/description) are applied per-group — they show the manager's version to that manager's group members, while other users see the default metadata.

Admin — Tags

URL: /admin/tags

Access: manager · organizer · super_admin All admin roles can create and assign tags within their scope. Only super_admin and organizer can manage global tags. Managers can create and manage local tags scoped to the groups they own.

Manage the tag vocabulary used to categorize content for filtering, search, and per-group visibility.

Two kinds of tags

The page is split into two collapsible sections — both start collapsed; click a section header to expand it.

Global tags (blue globe icon) — Visible to every group across the whole site. Use them for shared, site-wide categories like "Datasheet", "Pricing", or "Case Study". Created and renamed by super admins and organizers.
Local tags (amber bookmark icon) — Scoped to one or more specific groups. Only members of those groups see the tag in filter sidebars and search results; other users don't see it at all. Use them for group-specific categorization that you don't want polluting everyone else's filters (e.g., a "Sapphire Partners — Onboarding" tag for one partner program). Managers create local tags pre-scoped to all the groups they own; super admins can scope a local tag to any combination of groups.

Both kinds work the same way for search and content tagging — the only difference is who sees the tag.

What you'll see in each section:

The list of tags in that scope (collapsed until you open it)
An inline "New tag…" input at the top of each section — type a label and press Enter (no Add button)
Per tag: the label (click to rename), the slug, a Filter toggle, an item count, a gear icon (group-scope editor, local tags only), a trash icon, and a drag handle for reorder

Key actions:

Create tag: Open the section (Global or Local), type a label into the inline input, and press Enter. The slug is generated automatically. For local tags created by a super admin, the row's group-scope editor opens automatically so you can pick the groups; for local tags created by a manager, the tag is automatically scoped to all the manager's owned groups.
Rename tag: Click the tag label, edit, and submit. The slug does not change so existing assignments are preserved.
Edit group scope (local tags only): Click the gear icon on a row to open the inline scope editor; pick groups and Save.
Toggle Filter: Click the Filter switch on a row. Filterable tags appear in tag filter sidebars on the public and sales sites; non-filterable tags still work for search and access control but aren't shown to users in filter UIs.
Reorder: Drag the grip handle to reorder tags within a section. Order is saved automatically.
Delete tag: Click the trash icon and confirm. Deleting a tag also removes it from any content items it was assigned to.

Tips:

Tag labels should be user-friendly and specific — users see filterable tag labels in the sidebar.
Slugs are permanent. Renaming a tag preserves the slug, so existing assignments and URLs keep working. This is intentional.
Promoting/demoting between global and local: open a tag's gear panel and change its scope. Switching to global clears the group scopes; switching to local requires picking at least one group.
If you need to split a tag into two (e.g., "Product" into "Product A" and "Product B"), create the new tags, re-assign items, then delete the old tag.

Admin — Users & Groups

URL: /admin/access

Access: manager (own groups and their members only) · organizer · super_admin (all users and groups) Managers can add/remove members from groups they own and view members of those groups. They cannot create groups, change user roles, or see users outside their groups. Organizers and super_admins have full access.

Manage portal users and access control groups from within the sales portal admin.

What you'll see:

Two tabs:

Users tab:

All users visible to your role (super_admin/organizer sees all; managers see members of their groups)
Display name, email, role, status, and group memberships
Action buttons: Edit, Delete

Groups tab:

All groups visible to your role
Group name, description, owner manager, and member count
Action buttons: Edit, View Members, Delete

Key actions:

Users:

Invite user: Click Invite User to create a new user account. Enter email, display name, and role. The user gets an "invited" status — they can set their password via the Forgot Password flow or via the invitation link.
Edit user: Click the edit icon to open the user detail panel inline. Change name, role, or status. Click Save.
Change status: Toggle between active and disabled using the status badge in the edit panel.
Delete user: Click the trash icon and confirm. Deleted users cannot be recovered — their access tag assignments and group memberships are also removed.

Groups:

Create group: Click New Group, enter a name and description, and assign an owner manager (for super_admin/organizer) or leave as yourself (for managers). Click Create.
Edit group: Click the edit icon to update the group's name, description, or owner.
View members: Click the members count or the expand icon to load the group's current members list. From here you can remove members.
Add member to group: In the member panel, type an email or name in the Add Member form and click Add.
Delete group: Click the trash icon and confirm. Removing a group removes all its members' group-based access but does not delete the users.

Tips:

A user's role controls their admin access. viewer users have no admin access. manager users can manage their own pages and groups. organizer can manage global content metadata. super_admin has full control.
Group access tags are set on individual resources (content items and pages), not on the group itself. To control what a group can see, go to the specific item's edit page and update its access tags.

Admin — Registrations

URL: /admin/registrations

Access: manager · super_admin only — organizer cannot see this tab.

Review and act on pending registration requests from users who have requested portal access.

What you'll see:

A list of registration requests with:

Requester's email and display name
Company/organization (if provided)
Message to admin (if provided)
Request date
Status (pending / approved / denied)
Action buttons: Approve, Deny, View Details

Pending registrations are shown first. A badge on the Registrations tab in the navigation shows the count of pending requests.

Key actions:

View details: Click the expand button to see the full registration request including the message the user wrote.
Approve: Click Approve to create an active user account for the requester. An invitation email is sent with a link to set their password. The registration moves to the "approved" list.
Deny: Click Deny and optionally enter a reason. The registration is marked as denied. No email is currently sent (manual notification may be needed).
Filter by status: Use the tabs or filter to view only pending, approved, or denied requests.

Tips:

Approving a registration creates the user with the viewer role by default. Upgrade to manager or super_admin on the Users page if needed.
The invitation link sent after approval is valid for 1 hour. If the user misses it, they can use the Forgot Password flow to get a new link.
Currently, denied registrations do not automatically send a rejection email. Notify the requester manually if needed.

Admin — Leads

URL: /admin/leads

Access: manager · super_admin only — organizer cannot see this tab.

View and manage tradeshow visitor leads — visitors who submitted their contact information via the email gate on public landing pages.

What you'll see:

A table of all captured leads with:

Email address and display name
First seen date (when they first submitted the gate form)
Last seen date (most recent activity)
Event count (total page views and document interactions)
Consent status (whether they consented to marketing contact)
IP address and user agent (for de-duplication)

Key actions:

Search/filter: Use the search box to find a specific lead by email or name.
View detail: Click any lead row to go to the Lead Detail page.
Export: Select leads and use the export button to download a CSV for CRM import.

Tips:

Leads are captured when a visitor submits the email gate form on a gated public landing page.
The same visitor can appear multiple times if they submit the form from different browsers or devices. The system deduplicates by email — the same email address always resolves to the same lead record.
Consent status is important for GDPR/CAN-SPAM compliance. Only contact leads who have given consent unless you have another legal basis.

Admin — Lead Detail

URL: /admin/leads/<visitor_id>

Access: manager · super_admin only.

View the full activity history for a single tradeshow lead.

What you'll see:

Lead's contact information (email, name, consent status)
First and last activity timestamps
IP address and user agent from first visit
A chronological event timeline showing:
- page_view events: Which gated pages the visitor viewed and when
- document_view events: Which documents the visitor clicked on and when
- Timestamp, IP, and referrer for each event

Key actions:

Review activity: Scroll through the timeline to understand what content this lead engaged with.
Export lead: Use the export button to copy this lead's data (suitable for CRM import).
Delete lead: If a visitor requests data deletion (GDPR right to erasure), use the Delete button to permanently remove their record and all associated events.

Tips:

Document view events are only recorded when the visitor clicks a document link that originates from a gated landing page. Direct downloads from the public browse page are not tracked.
The event timeline is useful for sales outreach — knowing which product pages and documents a lead engaged with helps tailor follow-up conversations.

Admin — Impersonate

URL: /admin/impersonate

Access: manager · super_admin only — organizer cannot use impersonation.

Test the portal as a different user to verify their access configuration, see what content they can view, and troubleshoot access issues.

What you'll see:

A search box to find a user by email or name
A list of matching users
A button to start impersonation for any user

When impersonating:

A banner at the top of the admin shows "Impersonating: [username]"
All portal views (library, pages, folders, collections) reflect what the impersonated user would see
The admin tab in the navigation remains accessible so you can switch back
All write operations (downloads, collection changes) are blocked during impersonation

Key actions:

Start impersonation: Search for a user and click Impersonate. You are redirected to the portal home as that user.
Stop impersonation: Click Stop Impersonating in the banner at the top, or click the Impersonate tab in admin (which shows your current impersonation target) and click Stop.

Tips:

Impersonation is read-only — you cannot make changes on behalf of the impersonated user. It is purely for testing and verification.
Use impersonation to verify that access tags are configured correctly — if a user should see a certain page or document, impersonate them and confirm it appears.
Impersonation state is stored in your session. If you close the browser without stopping, your next session will be back to your own identity.

Admin — Settings

URL: /admin/settings

Access: super_admin only. This tab is not visible to manager or organizer roles.

Configure global portal settings including landing page content, contact information, email templates, and content visibility filters.

What you'll see:

Four tabs:

Landing Page:

Portal welcome title and subtitle
Hero text shown to anonymous visitors on the home page
Call-to-action button text and target URL

Email Templates:

The email templates used for system emails:
- Registration approved (sent when an admin approves a registration)
- Password reset (sent via Forgot Password)
- Invitation (sent when an admin manually creates a user)
Each template has a subject and a body. The body supports a small set of template variables (shown below each editor)

Content Libraries:

Which content libraries are visible in the Library view
Trigger a manual content sync

Filters:

Hidden File Types — a checkbox list of every file extension present in the content index (including Draft and Internal items). Check an extension to hide all files of that type from every portal and organizer view.
Hidden Folders — a freeform text area (one folder name per line) to hide the contents of specific SharePoint folders by name. Uses exact match on the folder name segment anywhere in the path, so Z_Archived hides /Library/Z_Archived/ wherever it appears regardless of nesting level.

Key actions:

Edit any field: Click on the field and type. Most fields auto-save on blur.
Save section: Some sections have an explicit Save button — click it after making changes.
Edit email template: Click the template name to expand it. Update the subject and body. Click Save Template.
Preview template: After saving, the preview (shown below the editor) updates to show the rendered email with example data substituted for template variables.
Hide file types: On the Filters tab, check one or more extensions and click Save Filters. Affected files disappear immediately from the Library, Search, Folders, Browse, and all admin content views.
Hide folders: On the Filters tab, enter folder names (one per line) in the Hidden Folders box and click Save Filters. Files inside those folders are hidden from all views; the folder itself no longer appears in folder browser listings or the item picker.

Tips:

Email templates use {{variable_name}} syntax for substitution. The available variables are listed below each template editor. Do not remove the {{set_password_url}} variable from the registration approved template — users need that link to set their password.
Landing page text is shown to anonymous users (not logged in). Keep it welcoming but concise.
Content filters take effect immediately on save — no sync or server restart needed. Files are not deleted from the cache; they are simply excluded from all views. Unchecking an extension or removing a folder name restores visibility immediately.
The file extension list on the Filters tab is built from the full content index, so extensions that only appear on Draft or Internal items are included. This lets you hide file types before they are published.
Folder name matching is case-sensitive and matches on the exact folder name segment (not a substring). Archive does not hide Z_Archived — they must match exactly.

Admin — Sync Activity

URL: /admin/sync

Access: super_admin only. The tab is hidden from manager and organizer roles.

Structured history of every content-cache sync run — scheduled, manual, and webhook-triggered. Replaces tailing the raw log file. Rows are retained for 30 days, then pruned automatically.

What you'll see:

Five summary tiles for the last 7 days:

Runs (7d) — total number of sync runs in the window. The smaller line shows when the most recent run started (UTC).
Success Rate — percentage of runs that finished cleanly. Green ≥ 95%, amber 75–95%, red below 75%. The smaller line breaks out success vs. partial counts.
Files Changed — added/updated plus removed. Click the tile to open a flat cross-run list of every file that changed in the current filter window.
Errors — runs that aborted outright (not per-file failures within an otherwise-OK run).
Duplicates (7d) — the number of duplicate groups flagged by the library-consolidation refresh, plus the count of redundant copies (group size minus one). Click the tile to open the most recent consolidation run with its dup table expanded.

Below the tiles, three filters narrow the runs table:

Library — the libraries seen in the last 30 days, plus an "All libraries" choice. The synthetic (consolidation → <target>) row appears here too.
Status — success (clean), partial (completed with per-file errors), error (aborted), running.
Window — 6h, 24h, 72h (default), 7d, or all (last 30d).

Runs table columns:

| Column | Meaning | |--------|---------| | Started | UTC timestamp, also shown in the viewer's local timezone via a <time> element. | | Library | The library that was synced, or (consolidation → <target>) for refresh-script runs. | | Trigger | scheduled (in-process scheduler — disabled in prod), cli (the idx-sharepoint-sync.timer systemd unit, the production driver), manual (admin-portal Sync button), auto_debounce (webhook-triggered after a SharePoint change). | | Duration | Wall-clock time the run took. | | Changed | Files added or updated in the cache this run. | | Skipped | Files already in the cache with a matching etag (no work needed). | | Removed | Files previously cached that no longer match Published + External (unpublished, made Internal, deleted). | | Errors | Per-file failures inside an otherwise-OK run. | | Status | success / partial / error / running. Consolidation rows additionally show an amber "N dup" chip when duplicates were flagged. |

Every row has a Details button that toggles an inline panel showing:

Started / Finished / Duration with both UTC and local time.
A 5-card breakdown (Published, Changed, Skipped, Removed, Errors).
Cache footprint after the sync.
Duplicate groups (consolidation runs only): a table of the first 20 groups, the per-file action chip (copied, copied_renamed, unchanged, failed), and a Download .xlsx button for the full report.
Files changed: per-file added / updated / removed rows from this run.
The full traceback when status='error'.

Key actions:

Open the most recent consolidation: Click the Duplicates (7d) tile — it scrolls to and expands the matching run.
Download the duplicates report: Open any consolidation run's details and click Download .xlsx. The workbook contains every duplicate group, one row per file, with action and renamed-to columns. Manual review and pruning happens in SharePoint, not in this tool.
See every file that changed in the window: Click the Files Changed tile. The cross-run event stream honours the current Library and Window filters.
Filter: Pick a library, status, or window from the dropdowns. The page updates inline (HTMX) and the filter state stays in the URL so it can be bookmarked or shared.
Clear filters: Use the "Clear filters" link in the empty-state when no rows match.

About duplicates:

The library-consolidation refresh combines source libraries (e.g. Shareable Content Library, Product & Engineering Library) into the target (IntelliDocX Document Library). Files with identical SHA256 hashes are kept verbatim — every copy lands in the target — and the group is recorded for review. When two files would land at the same target path, the second-and-subsequent copies are renamed with a [<source library>] <filename> prefix so nothing is overwritten. The team prunes duplicates manually in SharePoint after reviewing the .xlsx report; the sync tool never deletes a file as part of dedup.

Tips:

A partial status means the run completed but at least one file errored out — open Details to see which.
The cli trigger row is the production driver. scheduled rows only appear in development; in prod the in-process scheduler is disabled (SYNC_INTERVAL_MINUTES=0) and the systemd timer takes over.
auto_debounce runs come from SharePoint webhooks via the idx-sharepoint change handler. Multiple changes in quick succession debounce into one run.
A consolidation row may show Changed=0 and still flag dozens of duplicate groups — duplicates are detected during planning, not during copy. The per-file Changed count reflects what actually moved this run.
Sync only mirrors files flagged Publish Status = Published AND Visibility = External. Draft or Internal items are invisible to sync — they will not appear in the Files changed table even if they exist in SharePoint.
The .xlsx is generated on demand from the stored JSON report, so it stays available for the full 30-day retention window.

Help Guide

SharePoint Manager — Help Documentation

Table of Contents

System Overview

Admin Portal

Dashboard

Groups Management

User Lookup

Library Detail

Audit — Groups

Audit — Libraries

Audit — Guests

Audit — Identity Map

Audit — Effective Access

Audit — Sharing Links

Fix — Apply Role

Fix — Remove Role

Fix — Reset Inheritance

Content — Library Picker

Content — Settings

Content — Browse Library

Content — Published Items

Snapshots

Access — Users & Groups

Access — User Detail

Access — Group Detail

Public Content Site

Landing Page

Browse

Search

Content Detail

Pages List

CMS Page

Public Login

Email Gate

Sales Portal

Portal Home

Sales Login

Register

Set Password

Forgot Password

Reset Password

Sales Search

Library

Browse by Tag

Folders

Sales CMS Page

Content Preview

Collections

Collection Detail

Shared Collection

Sales Portal — Admin

Admin — Pages

Admin — Page Editor

Admin — Content

Organize view

SharePoint view (Live Mirror)

Admin — Content Edit

Admin — Tags

Admin — Users & Groups

Admin — Registrations

Admin — Leads

Admin — Lead Detail

Admin — Impersonate

Admin — Settings

Admin — Sync Activity