Enterprise admin overview
You manage TSNC for a diocese, archdiocese, or school district, with multiple schools under one umbrella. Here's what changes when you're operating at the enterprise tier.
Enterprise without the enterprise feel
We built TSNC for parishes and small dioceses, not Fortune 500s. The Enterprise features give you cross-school visibility and license control, but the experience is meant to feel like a single competent IT director's view, not an SAP dashboard. If the diocese has 15 schools and one shared IT person, you're who we built this for.
What changes at the Enterprise tier
An Enterprise account is a parent organization. Schools sit underneath it. This unlocks:
- Cross-school reporting: see trust scores, campaign results, and breach exposure across all your schools at once
- License pool management: buy a block of seats for the diocese, allocate them across schools as needs change
- Standardized policies: set baseline campaign cadence, MFA requirements, and password policies that apply diocese-wide (with per-school overrides)
- Co-approval authority: when a school's admin needs vault recovery escalated, the request can land on the enterprise admin
- $500 referral payout: for referring an entire diocese, instead of $100 per school
What an Enterprise Admin can do at member schools
You have read access to data across your schools, plus specific powers:
- View any school's dashboard, campaigns, staff, training compliance
- Create and manage enterprise-wide phishing campaign templates
- Push training assignments to any/all schools in the enterprise
- Co-approve vault recovery requests at member schools (with audit trail)
- Reassign or recover an org-admin role at a member school if they're unreachable
What an Enterprise Admin cannot do
- Wipe a vault at any school. Vault wipes are restricted to the school's own org admin; not even platform admins or enterprise admins can do this from above. If a wipe is needed, it goes through the school's principal or IT admin.
- Initiate vault recovery without a school admin. You can co-approve a recovery request initiated by a school admin, but you can't start one yourself unless you also hold an admin role at that specific school.
- See plain-text passwords from any vault. All entries are end-to-end encrypted. Even with co-approval and recovery, the decryption happens client-side using a school's private escrow key, not yours.
- Override another enterprise's data. Your scope ends at your enterprise boundary.
The schools beneath you
Each school under your enterprise is still its own organization. Each has its own org admin (Principal or IT Admin). They run their school day-to-day. You provide the umbrella, the budget, and the strategic view.
Don't overstep
The principals running schools beneath you are partners, not subordinates in the TSNC sense. They have local context you don't. They built relationships with their staff. The Enterprise tier is most valuable when you use it for visibility, standards, and support, not to micromanage. The schools you treat with respect will adopt your standards faster than the ones you try to control.
Where to start
1. Onboard your largest school first. The school with the strongest IT/principal partnership becomes your reference site. They figure out the workflow, you copy the pattern to the others.
2. Standardize a baseline policy. Decide your diocese-wide minimums: MFA required for vault, monthly campaign cadence, password manager mandatory for admins. Write it as a one-page policy and share with all member schools.
3. Set up cross-school reporting. The Analytics page at the enterprise tier rolls up all your schools' trust scores, campaign performance, and training compliance in one view. Look at it weekly until you have a sense of the baseline.
4. Onboard the rest of your schools. One school per week is a reasonable pace. Faster than that, the conversations with each principal get rushed.