Skip to content

Site settings reference

The Settings screen (/settings) is the site (tenant) configuration editor. Every control binds into one in-memory object, site.siteConfig, and Save Settings writes the whole object at once. This page is the field reference: what each setting is called, its siteConfig key, and what it controls.

Access and save behavior

  • Who: the only entry point is the header cog → Site Config, which is shown only to superusers (header.html:69). There is no sidebar link.
  • Save: the button PUTs the entire siteConfig to /api/site/saveSettings (site:59), which blind-writes the JSON to the site.siteConfig column with no validation or key whitelist (siteService:127), flushes the site-config caches, and queues a configChange row to propagate to other servers. There is no per-field save and no diff — the posted object replaces the stored one.

Because the whole blob round-trips, keys with no UI control (or no code that reads them) are still preserved once present — see Config-only keys at the end.

The served screen has 11 tabs: General, Agreements, Categories, PIM, Tender, Companies, Upload Wizard, Integrations, Account Details, Search, Questionnaires. (An older non-versioned settings.html with only 7 tabs exists in the tree but is not what the app loads.)

Agreements tab (the high-value one)

Deal, security, and rebate behavior. These keys are read across the platform; the load-bearing ones are cross-linked.

Setting siteConfig key Controls
Agreement name dealName The label used for "deal/agreement" in the UI
Electronic signoffs signOffMethod (electronic/manual) Whether sign-off is the electronic workflow; gates the email templates below
Signoff workflow type signoffType (standard/group) Supplier→negotiator→all, or with a category-director stage
Signoff BCC signOffBCC BCC on sign-off/email sends
Email / Negotiator templates supplierEmailTemplate, negotiatorEmailTemplate Bodies for emailing a deal
Company spend charts spendCharts (annual/12month) Spend chart period basis
Category security categorySecurity When on, rebate visibility is decided by deal-category role membership — and bypasses element permissions on the dashboard and in document search. See the permissions matrix.
Extra deal security extraDealSecurity Enables the extra participation-based deal security check
Deal reviews / feed / news / notes dealReview, dealFeed, dealNews, dealNotes Toggle the corresponding tabs on the full deal view (Notes attaches to the supplier company)
Advanced rebate projections advancedRebateProjections Gates the Projections toggles on the spend and rebates views and the rebate calendar
Minimum projection months projections.minimumProjectionMonth Floor before projections are shown
Projection permissions projections.permissions (default figures) Which role may see projections
Rebate projection percentile rebateProjectionPercentile Percentile used in projection maths
RFP name rfpName Label for requests for payment (recording payments)
Rebate part payments rebatepartPayments Allow partial rebate payments
Multi-line RFPs rebateMultiLine, rebateMultiLinePeriods Default to multi-line RFPs; group by period end
RFP / chasing templates supplierRFPTemplate, paymentChasingTemplate, supplierRFPInfo Email bodies; the chasing template feeds the chase dialog
Rebate dashboard default rebateDashboardDefault (''/group/member) Default payable-to filter on the rebate dashboard
Input stream decoration decorateTurnoverStreams Adds rebateable/stock markers to turnover stream labels
In & out rebates inoutRebates Enables the in/out (member payable) columns across the rebate views
Rebate VAT rate RFPVATRate VAT applied to remittances
Turnover cutoff days turnoverCutOffDays (default 15) Grace window for figures entry
Comment retention window commentRetentionWindow (months, default 0) How long deal-review comments are kept

General tab

Environment, branding, and the suspicious-activity monitor.

  • Versionsversion.client, version.api, version.elasticSearchVersion select which front-end bundle, API branch, and search backend load. The 3.7.3 options are ebiz-role only.
  • StagingserverMode.mode (debug/dev/production), serverMode.emails, serverMode.notifications gate whether emails/notifications actually send.
  • EmailssiteAdministrator.email / replyEmail / name / siteName (the SES sender identity).
  • Labelslabels.merchant / supplier / other (display relabelling of company types).
  • Supportbugs.supportEmails (fallback alert recipients), bugs.ccAll (stored as the string 'true'/'false').
  • ServersloggingServer, searchServer, memcachedServer, dbServer.
  • Group settingshtmlTitle, groupAddress, groupPostcode, groupTelephone, blogStickyTime, groupCompanyID, groupDMSRoot (DMS root folder), defaultPSA (deal template id), primaryCurrency (stores the symbol £/$/).
  • Usage termsusageTerms (Markdown shown on the login page).
  • System modesystemMode (group/merchant/supplier). This is the single most load-bearing key on the screen — it branches search, rebate, figures, and company behavior throughout the API. Default merchant.

Suspicious activity monitor

Under security.suspiciousActivity.* (read/merged in auditService). Master Enabled plus detection thresholds: recipients, windowHours (24), baselineDays (30), multiplier (4), minDealViews (30), minDocDownloads (15), cooldownDays (3), minHistoryDays (14), minActiveDays (5), maxAlertsPerRun (10); and a bot sub-detector (botDetection, botMinEvents 300, botPeakPerMinute 40, botSignalsRequired 2).

Companies tab

Self-service company management, under companyManager.*.

  • Enabled (companyManager.enabled) — master switch; everything else is disabled without it.
  • Merchant / Supplier managementcompanyManager.memberPermissions.* and supplierPermissions.*: moderation, canadd, canedit, candelete, canpermissions.

  • Roles (companyManager.roles[]) — the definitions that seed a newly created company contact. Each role's Name is a role token: contactService.setupRole matches it and applies the role's tags, permission group, and the digest/figures-reminder/turnover-digest email flags to the new contact. These names become the role tokens described in the permissions matrix.

Upload Wizard tab

Document upload routing, under uploadWizard.* — see uploading documents and approving documents.

  • Enabled (uploadWizard.enabled).
  • Three notification templates (approvedEmailTemplate, rejectedEmailTemplate, negotiatorEmailTemplate).

  • Folders (uploadWizard.folders[]) — each folder's config is snapshotted onto every document uploaded through it (as metaData.folder) and drives approval routing. Per-folder fields: folderName (category path; / nests), filePrefix, folderLabel, folderDesc, askDates/requireDates, permissions (view roles granted on upload), approvalpermissions (view roles granted on approval), emailAdministrator/emailNegotiator/notifications (approval-email recipients), pushAdministrator/pushNegotiator/ pushnotifications (push recipients), doDigest (publish a news post), autoImport, and approveAction (publish/approve).

PIM, Tender, Categories, Questionnaires tabs

Module enable switches plus a little config each:

  • PIMproducts.enabled, products.sssrow (import header row), products.datastatuslabel, APIdatalimit, products.autoImport, and products.defaultProductMapping (a JSON editor; no validation, so malformed JSON breaks the parse).
  • Tendertender.enabled and tender.tenderQuestions (JSON editor).
  • Categoriescmt.enabled (the panel body is otherwise empty).
  • Questionnairessurveys.enabled (panel body otherwise empty).

Integrations tab

Accounting/ERP connections.

  • InvoicinginvoicingSystem (quickbooks/xero). QuickBooks connects via an OAuth flow (Connect button → Intuit → the settings.quickbooks callback state → /api/quickbooks/oauth2); its tokens are obtained server-side, not typed here.
  • Intact IQ ERPERP.system (Intact), ERP.domain, ERP.port, ERP.apiKey (an unmasked secret field), ERP.purchaseledger, ERP.products.
  • OtherjiraTag, merchantEnabled, additionalMemberIDs (multi-site integration).

Account Details tab

Company/bank identity fields — but these bind to site.*, not siteConfig (name, address lines, town, county, postcode, telephone, email, web, company reg no., bank name/account/sort code).

Search tab

A sortable searchItems list bound to searchSettingsCtrl. It has no siteConfig binding in the template, so any ordering set here is not persisted through the settings save.

Config-only keys (no UI)

Some siteConfig keys are read by the platform but have no control on this screen, so they can only be changed by editing the config record directly. Known examples: defaultSecurity (per-object ACL fallbacks, see the permissions matrix), the four suspicious-activity bot-tuning keys above, and openGroup (gates group figures visibility on the spend view).