From 521a7c4f2fd3632072f7e9fd6789c51722182143 Mon Sep 17 00:00:00 2001
From: nrios14 <44674816+nrios14@users.noreply.github.com>
Date: Thu, 22 Aug 2024 17:30:10 -0400
Subject: [PATCH 1/3] Create support-admin-tool.md

---
 user/enterprise/support-admin-tool.md | 32 +++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 user/enterprise/support-admin-tool.md

diff --git a/user/enterprise/support-admin-tool.md b/user/enterprise/support-admin-tool.md
new file mode 100644
index 00000000000..93cbabfba04
--- /dev/null
+++ b/user/enterprise/support-admin-tool.md
@@ -0,0 +1,32 @@
+---
+title: Support Admin Tool
+layout: en_enterprise
+
+---
+
+> The tool is only visible to Platform maintainers from TCIE 3.x as **Admin-v2**. The tool must be configured with a list of GitHub handles that allow **admin** access.
+
+> The tool is only accessible via web browser.
+
+## Forcefully logging out users from Travis
+To increase security and prevent unauthorized access, Travis CI introduces the new **“Log out user and revoke all tokens”** option, which allows admin users to manually log out of any unwanted user. 
+
+### Log out Users
+Travis CI admin users can now click the **“Logout”** button next to the **“Log out user and revoke all tokens”** option in the User view to log out specific users manually.
+
+By clicking the **“Logout”** button, Travis CI invalidates all Travis authentication tokens and logs out the selected user from all Travis CI platforms. This prevents access via web browser, public API, and travis cli. 
+
+Logged-out users cannot access Travis CI via the web browser or travis-cli tool without re-accessing the system. Any build automation based on an API token associated with such a user will cease to work.
+
+### Why must I log out of my user and revoke all tokens?
+
+Consider the following: The user gets suspended, e.g., in the GHE server (3rd-party app), and Travis CI is not notified of the action; therefore, no action is taken on Travis CI's side. At the same time, such users may still have a valid Travis Web UI browser, travis-cli access tokens, and a working Travis API authentication token.
+
+Such a situation may be valid and desired. However, there are cases, like a person leaving a company or team, when it is simply a security matter to revoke all accesses for such users. Travis CI cannot react automatically since no automated notification has been sent out, e.g., the GHE server account is suspended. If you are considering a less drastic approach, you may consider manually [suspending a user](/user/enterprise/user-management/) instead of logging out and revoking all tokens. 
+
+Suspended users still have access to Travis CI via browser or travis-cli (assuming they have valid Travis access tokens present in these tools) but cannot trigger builds. 
+
+## Re-accessing Travis CI
+To re-access Travis CI, users must log in using a 3rd-party authenticator such as GitHub (browser, travis-cli), GitLab, or  BitBucket (browser). Only with access can users see the private repositories, build history, build job logs, and obtain new Travis API tokens.
+
+Please note: if such users (logged out and tokens revoked) are, e.g., suspended in the GHE server, they will be unable to successfully use their GHE server account to log into Travis CI UI or travis-cli.

From a4998de98f5dbf5c9a5df91bccf445e704c5a976 Mon Sep 17 00:00:00 2001
From: nrios14 <44674816+nrios14@users.noreply.github.com>
Date: Thu, 22 Aug 2024 18:27:05 -0400
Subject: [PATCH 2/3] Update enterprise_sidebar.html

Adding new page for Support Admin tool
---
 _includes/enterprise_sidebar.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/_includes/enterprise_sidebar.html b/_includes/enterprise_sidebar.html
index 31db71c48f4..882d51cab3b 100644
--- a/_includes/enterprise_sidebar.html
+++ b/_includes/enterprise_sidebar.html
@@ -63,6 +63,7 @@ <h3>Enterprise Operations Manual</h3>
         <li><a href="/user/enterprise/troubleshooting-guide/">Troubleshooting Guide</a></li>
         <li><a href="/user/enterprise/user-management/">User Management</a></li>
         <li><a href="/user/enterprise/user-role-management/">User Role Management</a></li>
+        <li><a href="/user/enterprise/support-admin-tool/">Support Admin Tool</a></li>
         <li><a href="/user/enterprise/Multi-CPU-Builds/">Multi CPU builds</a></li>
         <li><a href="/user/enterprise/workspaces-eom/">Workspaces & Cache</a></li>
       </ul>

From c85293285a9304cab832374c29e85ba02ceb79e0 Mon Sep 17 00:00:00 2001
From: piccadilly-circus <134370605+piccadilly-circus@users.noreply.github.com>
Date: Mon, 4 Nov 2024 13:10:41 +0500
Subject: [PATCH 3/3] Where to add the auth tokens

---
 user/enterprise/support-admin-tool.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/user/enterprise/support-admin-tool.md b/user/enterprise/support-admin-tool.md
index 93cbabfba04..bf288f42dfd 100644
--- a/user/enterprise/support-admin-tool.md
+++ b/user/enterprise/support-admin-tool.md
@@ -24,9 +24,20 @@ Consider the following: The user gets suspended, e.g., in the GHE server (3rd-pa
 
 Such a situation may be valid and desired. However, there are cases, like a person leaving a company or team, when it is simply a security matter to revoke all accesses for such users. Travis CI cannot react automatically since no automated notification has been sent out, e.g., the GHE server account is suspended. If you are considering a less drastic approach, you may consider manually [suspending a user](/user/enterprise/user-management/) instead of logging out and revoking all tokens. 
 
-Suspended users still have access to Travis CI via browser or travis-cli (assuming they have valid Travis access tokens present in these tools) but cannot trigger builds. 
+Suspended users still have access to Travis CI via browser or travis-cli (assuming they have valid Travis access tokens present in these tools) but cannot trigger builds.
+
+### Auth tokens
+
+Following environment variables are used to manage the life of token.
+
+- `WEB_TOKEN_EXPIRES_IN_HOURS`
+- `AUTH_TOKEN_EXPIRES_IN_DAYS`
+- `AUTH_CLI_TOKEN_EXPIRES_IN_DAYS`
+
+These tokens can be set using the admin console `kubectl kots admin-console -n tci-enterprise-kots` under the "Advanced Setting" menu.
 
 ## Re-accessing Travis CI
 To re-access Travis CI, users must log in using a 3rd-party authenticator such as GitHub (browser, travis-cli), GitLab, or  BitBucket (browser). Only with access can users see the private repositories, build history, build job logs, and obtain new Travis API tokens.
 
 Please note: if such users (logged out and tokens revoked) are, e.g., suspended in the GHE server, they will be unable to successfully use their GHE server account to log into Travis CI UI or travis-cli.
+