A tawqi3 tenant is shaped differently from most software-as-a-service products. Only the people who configure the platform have an account here; your end users keep using the tools they already use, and tawqi3 delivers the configured content into those tools. This article explains who can sign in, what each role can do, and how end users receive a choice of pre-approved content.
The three administrators
Your tenant has at most three administrative accounts. That is the platform’s design, not a paid-tier limit.
- Two global administrators, sometimes called super-admins. They have full access to every page and every setting in your tenant portal. They are the only role that can change billing, change the data region, manage other administrators, or modify security policy. Both global administrators can do everything; either one alone can take any action.
- One additional administrator, scoped by the two global administrators. By default they have full access to the People and Audit pages and read-only access to everything else. The two global administrators can broaden or narrow this scope at any time from the People page.
Two global administrators is a deliberate choice. One is too fragile (if they leave the organisation, you are locked out); three or more start to make accountability fuzzy. Two means there is always a second pair of eyes on any change, and there is always a backup if one global administrator is unavailable.
What the third administrator can do
When a global administrator adds the third administrator, they choose from a small menu of capability bundles:
- People and audit only (the default). The third administrator can invite users, deactivate them, reset their multi-factor enrolment, and read the audit feed. They cannot change product settings, billing, branding, or security policy.
- Product administrator (per product). The third administrator gains full access to one product’s surfaces (for example, full access to Email Signature, while everything else stays locked). The two global administrators choose which product.
- Read-only auditor. The third administrator can view every page and download every report, but cannot change anything.
- Custom. The two global administrators tick exactly which pages the third administrator can view, edit, or invite into. A live preview shows what their navigation will look like before the change takes effect.
The scope can change at any time. The change takes effect immediately; the third administrator does not need to sign out and back in.
End users do not sign in to the tenant portal
By design, the people who use the products your organisation has subscribed to never need a tawqi3 account. Their experience lives entirely inside the tools they already use:
- For Email Signature, the signature appears on outgoing mail through their existing mail client. They do not pick it; the administrators picked it.
- For Agreement and E-Sign, the document arrives in their inbox to be signed; signing happens on a one-time signing surface that does not require an account.
- For Document and Template, the letter or contract is generated for them based on the template the administrators published; they receive the output, not the editor.
This is what makes tawqi3 different from competing platforms: your everyday employees never log in to a new tool, and you never pay a per-seat tawqi3 fee for every employee.
The “office tools add-on”: giving end users a choice
The default is that administrators decide everything centrally and end users receive a single piece of content (one signature, one template). For organisations that want to give end users a curated choice, the two global administrators can enable the optional office tools add-on for any of the three products from the Settings page.
When the add-on is enabled for a product:
- For Email Signature, end users see a small picker inside their mail client that lets them pick from the signatures the administrators have approved. A common policy is two signatures: the standard corporate one, and a longer one with social links for sales staff.
- For Agreement and E-Sign, end users with permission to send envelopes see a picker of pre-built envelope formats (for example, “vendor NDA”, “offer letter”) rather than building one from scratch.
- For Document and Template, end users see a picker of approved templates inside their everyday document tool and can render one against their own data.
The pickers only ever show options the administrators have approved. End users cannot author new content; they choose from the curated list. The administrators control which options each end user (or each department, or each location) sees from the same Rules page that drives the default-without-the-add-on behaviour.
Why this model
This shape exists because the configuration of an e-signature, a brand signature, or a document template is not the kind of decision an everyday employee should make in isolation. Signatures carry brand and legal weight; e-sign formats carry contract language; document templates encode approved clauses. Centralising the authoring and decentralising only the choice keeps governance intact while giving end users enough flexibility to do their work.
It is also a sane safety posture: tawqi3 is a high-impact surface (every outbound message, every contract, every letter), so reducing the number of accounts that can change anything reduces the surface area for a credential compromise.
Changing the model
A future tawqi3 release may offer a larger administrative team for organisations that need it. If your organisation has a genuine need for more than three administrative accounts today, contact your tawqi3 account owner; we will work with you on a structured exception.
Where to set this up
- Add or change administrators: People page in the tenant portal.
- Change the third administrator’s scope: People page, then the administrator’s profile.
- Turn on the office tools add-on for a product: Settings page in the tenant portal, then the relevant product’s section.
- Decide which options each end user sees inside the picker: Rules page inside the relevant product.