Site settings reference¶
The Settings screen (/settings) is the site (tenant) configuration
editor. Every control binds into one in-memory object, site.siteConfig,
and Save Settings writes the whole object at once. This page is the
field reference: what each setting is called, its siteConfig key, and
what it controls.
Access and save behavior¶
- Who: the only entry point is the header cog → Site Config, which
is shown only to
superusers(header.html:69). There is no sidebar link. - Save: the button PUTs the entire
siteConfigto/api/site/saveSettings(site:59), which blind-writes the JSON to thesite.siteConfigcolumn with no validation or key whitelist (siteService:127), flushes the site-config caches, and queues aconfigChangerow to propagate to other servers. There is no per-field save and no diff — the posted object replaces the stored one.
Because the whole blob round-trips, keys with no UI control (or no code that reads them) are still preserved once present — see Config-only keys at the end.
The served screen has 11 tabs: General, Agreements, Categories, PIM,
Tender, Companies, Upload Wizard, Integrations, Account Details, Search,
Questionnaires. (An older non-versioned settings.html with only 7 tabs
exists in the tree but is not what the app loads.)
Agreements tab (the high-value one)¶
Deal, security, and rebate behavior. These keys are read across the platform; the load-bearing ones are cross-linked.
| Setting | siteConfig key |
Controls |
|---|---|---|
| Agreement name | dealName |
The label used for "deal/agreement" in the UI |
| Electronic signoffs | signOffMethod (electronic/manual) |
Whether sign-off is the electronic workflow; gates the email templates below |
| Signoff workflow type | signoffType (standard/group) |
Supplier→negotiator→all, or with a category-director stage |
| Signoff BCC | signOffBCC |
BCC on sign-off/email sends |
| Email / Negotiator templates | supplierEmailTemplate, negotiatorEmailTemplate |
Bodies for emailing a deal |
| Company spend charts | spendCharts (annual/12month) |
Spend chart period basis |
| Category security | categorySecurity |
When on, rebate visibility is decided by deal-category role membership — and bypasses element permissions on the dashboard and in document search. See the permissions matrix. |
| Extra deal security | extraDealSecurity |
Enables the extra participation-based deal security check |
| Deal reviews / feed / news / notes | dealReview, dealFeed, dealNews, dealNotes |
Toggle the corresponding tabs on the full deal view (Notes attaches to the supplier company) |
| Advanced rebate projections | advancedRebateProjections |
Gates the Projections toggles on the spend and rebates views and the rebate calendar |
| Minimum projection months | projections.minimumProjectionMonth |
Floor before projections are shown |
| Projection permissions | projections.permissions (default figures) |
Which role may see projections |
| Rebate projection percentile | rebateProjectionPercentile |
Percentile used in projection maths |
| RFP name | rfpName |
Label for requests for payment (recording payments) |
| Rebate part payments | rebatepartPayments |
Allow partial rebate payments |
| Multi-line RFPs | rebateMultiLine, rebateMultiLinePeriods |
Default to multi-line RFPs; group by period end |
| RFP / chasing templates | supplierRFPTemplate, paymentChasingTemplate, supplierRFPInfo |
Email bodies; the chasing template feeds the chase dialog |
| Rebate dashboard default | rebateDashboardDefault (''/group/member) |
Default payable-to filter on the rebate dashboard |
| Input stream decoration | decorateTurnoverStreams |
Adds rebateable/stock markers to turnover stream labels |
| In & out rebates | inoutRebates |
Enables the in/out (member payable) columns across the rebate views |
| Rebate VAT rate | RFPVATRate |
VAT applied to remittances |
| Turnover cutoff days | turnoverCutOffDays (default 15) |
Grace window for figures entry |
| Comment retention window | commentRetentionWindow (months, default 0) |
How long deal-review comments are kept |
General tab¶
Environment, branding, and the suspicious-activity monitor.
- Versions —
version.client,version.api,version.elasticSearchVersionselect which front-end bundle, API branch, and search backend load. The3.7.3options areebiz-role only. - Staging —
serverMode.mode(debug/dev/production),serverMode.emails,serverMode.notificationsgate whether emails/notifications actually send. - Emails —
siteAdministrator.email/replyEmail/name/siteName(the SES sender identity). - Labels —
labels.merchant/supplier/other(display relabelling of company types). - Support —
bugs.supportEmails(fallback alert recipients),bugs.ccAll(stored as the string'true'/'false'). - Servers —
loggingServer,searchServer,memcachedServer,dbServer. - Group settings —
htmlTitle,groupAddress,groupPostcode,groupTelephone,blogStickyTime,groupCompanyID,groupDMSRoot(DMS root folder),defaultPSA(deal template id),primaryCurrency(stores the symbol£/$/€). - Usage terms —
usageTerms(Markdown shown on the login page). - System mode —
systemMode(group/merchant/supplier). This is the single most load-bearing key on the screen — it branches search, rebate, figures, and company behavior throughout the API. Defaultmerchant.
Suspicious activity monitor¶
Under security.suspiciousActivity.* (read/merged in auditService).
Master Enabled plus detection thresholds: recipients, windowHours
(24), baselineDays (30), multiplier (4), minDealViews (30),
minDocDownloads (15), cooldownDays (3), minHistoryDays (14),
minActiveDays (5), maxAlertsPerRun (10); and a bot sub-detector
(botDetection, botMinEvents 300, botPeakPerMinute 40,
botSignalsRequired 2).
Companies tab¶
Self-service company management, under companyManager.*.
- Enabled (
companyManager.enabled) — master switch; everything else is disabled without it. -
Merchant / Supplier management —
companyManager.memberPermissions.*andsupplierPermissions.*:moderation,canadd,canedit,candelete,canpermissions. -
Roles (
companyManager.roles[]) — the definitions that seed a newly created company contact. Each role's Name is a role token:contactService.setupRolematches it and applies the role's tags, permission group, and the digest/figures-reminder/turnover-digest email flags to the new contact. These names become the role tokens described in the permissions matrix.
Upload Wizard tab¶
Document upload routing, under uploadWizard.* — see
uploading documents and
approving documents.
- Enabled (
uploadWizard.enabled). -
Three notification templates (
approvedEmailTemplate,rejectedEmailTemplate,negotiatorEmailTemplate). -
Folders (
uploadWizard.folders[]) — each folder's config is snapshotted onto every document uploaded through it (asmetaData.folder) and drives approval routing. Per-folder fields:folderName(category path;/nests),filePrefix,folderLabel,folderDesc,askDates/requireDates,permissions(view roles granted on upload),approvalpermissions(view roles granted on approval),emailAdministrator/emailNegotiator/notifications(approval-email recipients),pushAdministrator/pushNegotiator/pushnotifications(push recipients),doDigest(publish a news post),autoImport, andapproveAction(publish/approve).
PIM, Tender, Categories, Questionnaires tabs¶
Module enable switches plus a little config each:
- PIM —
products.enabled,products.sssrow(import header row),products.datastatuslabel,APIdatalimit,products.autoImport, andproducts.defaultProductMapping(a JSON editor; no validation, so malformed JSON breaks the parse). - Tender —
tender.enabledandtender.tenderQuestions(JSON editor). - Categories —
cmt.enabled(the panel body is otherwise empty). - Questionnaires —
surveys.enabled(panel body otherwise empty).
Integrations tab¶
Accounting/ERP connections.
- Invoicing —
invoicingSystem(quickbooks/xero). QuickBooks connects via an OAuth flow (Connect button → Intuit → thesettings.quickbookscallback state →/api/quickbooks/oauth2); its tokens are obtained server-side, not typed here. - Intact IQ ERP —
ERP.system(Intact),ERP.domain,ERP.port,ERP.apiKey(an unmasked secret field),ERP.purchaseledger,ERP.products. - Other —
jiraTag,merchantEnabled,additionalMemberIDs(multi-site integration).
Account Details tab¶
Company/bank identity fields — but these bind to site.*, not
siteConfig (name, address lines, town, county, postcode, telephone,
email, web, company reg no., bank name/account/sort code).
Search tab¶
A sortable searchItems list bound to searchSettingsCtrl. It has no
siteConfig binding in the template, so any ordering set here is not
persisted through the settings save.
Config-only keys (no UI)¶
Some siteConfig keys are read by the platform but have no control on
this screen, so they can only be changed by editing the config record
directly. Known examples: defaultSecurity (per-object ACL fallbacks,
see the permissions matrix), the four
suspicious-activity bot-tuning keys above, and openGroup (gates group
figures visibility on the spend view).
Related pages¶
- Permissions matrix — role tokens and ACLs that several settings feed
- The rebate management dashboard, rebates view — consumers of the rebate settings
- Uploading documents, approving documents — consumers of the upload-wizard folders