Security & Audit feature (medium complexity, extracted, confidence: 100%). Components: 5 | Shared: 39 | User Stories: 0 | Analyzed: Yes

Description

The Security Dashboard provides organization administrators and global admins with a real-time overview of the platform's security posture. It aggregates key security metrics such as active sessions, failed login attempts, suspicious activity patterns, and token anomalies into a single actionable surface. The dashboard serves as the entry point for security investigations and proactive monitoring, surfacing alerts that warrant immediate attention alongside trend data for longer-term analysis.

Analysis

Business Value

Security visibility is a prerequisite for operating a multi-tenant platform that handles sensitive personal data, including encrypted assignments and expense claims. Without a consolidated security view, administrators must manually correlate logs across systems to detect breaches or misuse, which is impractical at scale. For organizations such as NHF and Blindeforbundet, whose users include vulnerable individuals, demonstrable security controls are also a procurement and compliance requirement. The dashboard reduces mean time to detect incidents, supports GDPR accountability obligations, and builds trust with onboarding organizations that need assurance that their data is protected.

Implementation Notes

The dashboard is a server-side rendered Next.js page that queries aggregated metrics from the PostgreSQL database via the shared REST API. Security metrics should be computed server-side and cached with short TTLs to avoid query overhead on every page load. The SecurityMetricsService queries the audit_logs, sessions, and refresh_tokens tables and applies tenant scoping so org admins see only their organization's data while global admins see cross-tenant summaries. Charts should use a lightweight client-side library compatible with Next.js SSR. Role-gating must be enforced at the API layer, not just the UI. Anomaly thresholds (e.g. N failed logins in T minutes) should be configurable per tenant via the organization config system.
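As an added example (not the project's own SecurityMetricsService), the three rules above in TypeScript: tenant scoping, the role gate enforced in the service the API calls, and a per-tenant "N failed logins in T minutes" threshold, run over constructed audit_logs rows. The type and function names, the role names and the sample values are assumptions.

```typescript
// Added illustration (not the project's code): tenant scoping, role gating and failed-login thresholds.
type Role = "member" | "org_admin" | "global_admin";
interface Actor { userId: string; role: Role; orgId: string }
interface AuditLog { orgId: string; userId: string; event: string; at: number } // at = epoch ms
interface AnomalyConfig { failedLoginLimit: number; windowMinutes: number }    // N and T per tenant
interface Anomaly { orgId: string; userId: string; count: number }
// Role gate in the service layer: global admins see every tenant, org admins only their own,
// and any other role is refused regardless of what the UI chose to render.
function scopeAuditLogs(actor: Actor, logs: AuditLog[]): AuditLog[] {
  if (actor.role === "global_admin") return logs;
  if (actor.role === "org_admin") return logs.filter((l) => l.orgId === actor.orgId);
  throw new Error("forbidden: security metrics require an admin role");
}
// Threshold lookup: the tenant's own organization config if set, otherwise the platform default.
function thresholdFor(orgId: string, perTenant: Record<string, AnomalyConfig>, fallback: AnomalyConfig): AnomalyConfig {
  return perTenant[orgId] || fallback;
}
// Flag each (org, user) with at least N login_failed rows in the trailing T-minute window ending at `now`.
function failedLoginAnomalies(logs: AuditLog[], perTenant: Record<string, AnomalyConfig>, fallback: AnomalyConfig, now: number): Anomaly[] {
  const counts: Record<string, number> = {};
  logs.forEach((l) => {
    if (l.event !== "login_failed") return;
    const cfg = thresholdFor(l.orgId, perTenant, fallback);
    if (l.at < now - cfg.windowMinutes * 60000 || l.at > now) return; // outside the window
    const key = JSON.stringify([l.orgId, l.userId]); // collision-free composite key
    counts[key] = (counts[key] || 0) + 1;
  });
  const out: Anomaly[] = [];
  Object.keys(counts).forEach((key) => {
    const pair = JSON.parse(key) as [string, string];
    if (counts[key] >= thresholdFor(pair[0], perTenant, fallback).failedLoginLimit) {
      out.push({ orgId: pair[0], userId: pair[1], count: counts[key] });
    }
  });
  return out;
}
// Constructed sample rows (not real data): orgA sets a tighter threshold than the default.
const NOW = 1700000000000;
const PER_TENANT: Record<string, AnomalyConfig> = { orgA: { failedLoginLimit: 3, windowMinutes: 10 } };
const DEFAULT_CFG: AnomalyConfig = { failedLoginLimit: 5, windowMinutes: 15 };
const SAMPLE_LOGS: AuditLog[] = [
  { orgId: "orgA", userId: "u1", event: "login_failed", at: NOW - 1 * 60000 },
  { orgId: "orgA", userId: "u1", event: "login_failed", at: NOW - 4 * 60000 },
  { orgId: "orgA", userId: "u1", event: "login_failed", at: NOW - 8 * 60000 },
  { orgId: "orgA", userId: "u1", event: "login_failed", at: NOW - 30 * 60000 }, // stale, not counted
  { orgId: "orgB", userId: "u2", event: "login_failed", at: NOW - 2 * 60000 },
  { orgId: "orgB", userId: "u2", event: "login_failed", at: NOW - 3 * 60000 },
];
```

Running `failedLoginAnomalies(scopeAuditLogs(actor, SAMPLE_LOGS), PER_TENANT, DEFAULT_CFG, NOW)` flags only orgA/u1 for a global admin, and nothing for an orgB admin, who never sees orgA's rows.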

Components (44)

User Interface (1)

Service Layer (2)

Data Layer (1)

Infrastructure (1)

Shared Components

These components are reused across multiple features

User Stories

No user stories have been generated for this feature yet.