A peer-reviewable record of every modifying admin action at your org, with the ability for another admin to undo a reversible action. The single most important guard against rogue or mistaken admin behavior.
The Activity Log โ Recent admin actions, with Undo buttons on the reversible ones
Why this exists
Most security-policy talk is about "preventing bad actors from outside." But in real schools, most admin disasters come from inside: a frustrated IT director on their last day, a misclick that deactivates the wrong teacher, a well-intentioned change that breaks something three weeks later.
The Activity Log makes those scenarios survivable. Anything you do that modifies organizational state shows up here. Any peer admin at your org can review and undo a reversible action with one click.
What gets logged
Currently, the Activity Log captures these actions:
We're instrumenting more endpoints in each release. The roadmap includes role changes, sending domain operations, share-request approvals, kindness-toggle settings, and so on. If you do something that's NOT in the log and you wish it were, let us know via thumbs-down.
Reversible vs. irreversible
Each entry is tagged. Reversible actions can be undone with one click โ the system has enough information to restore the prior state. Irreversibleactions are logged for transparency, but can't be undone because the data they affected was destroyed (e.g., vault wipe).
How undo works
1
Open Activity Log from the sidebar
It's under the Security group. You can also reach it from the "?" help icon on most admin pages.
2
Find the action
Most recent at the top. The "Show already-reverted" toggle reveals history.
3
Click Details (optional)
See the before-state and after-state JSON. Useful for understanding exactly what changed.
4
Click Undo
Confirm the action. The system reverses the change and logs the undo as a new entry. Both rows now reference each other.
5
The original actor gets emailed
If the actor isn't you, they'll receive an email saying their action was reverted. Self-undo (you reverting your own action) doesn't trigger a self-email.
โ ๏ธ
Self-undo is gated
If YOU made the original action, the system asks for confirmation before letting you undo your own work. The point of the Activity Log is peer accountability โ usually a different admin should review and undo. You can override the gate with a checkbox if you really need to (e.g., you noticed your own typo immediately).
Authorization
Any org admin (Principal or IT Admin) at the same org can undo any other org admin's action at that org
Platform admins can see all activity logs across all orgs (in the platform admin view)
Non-admin users (teachers, staff) can't see the Activity Log at all
FAQ
Can I undo something from a year ago?+
Technically yes โ there's no time limit. Practically, the longer you wait, the more likely the world has moved on (the deactivated teacher took a different job, the org settings change has been built upon). The system will still let you undo, but think about whether you should.
What if undo conflicts with newer changes?+
For settings updates, undo only reverts the specific fields that the original action changed โ it won't trample work other admins did on different fields. For deactivations, undo restores the active flag; if the user was re-invited and re-deactivated since, it gets weird. We recommend reading the after-state column carefully before undoing actions older than a few days.
Can I disable the Activity Log?+
No. It's a core safety feature, like an aircraft black box. The point would be defeated if rogue admins could turn it off.
What's the difference between Activity Log and Audit Log?+
Audit Log is broader and read-only โ it captures EVERY action including non-modifying ones (logins, page views, API calls). Activity Log is a focused subset of audit entries that capture before/after data needed for undo. Audit log is forever; Activity log gets undo features.