---
name: talon-account-admin
description: >
  Use this skill when an account administrator is auditing or managing Talon.One at the account
  and platform configuration level. Triggers include: "who has access to this application", "audit
  user permissions", "what roles exist", "check webhook setup", "list all applications", "application
  configuration", "who can create campaigns", "manage user roles", "audit account access", "what
  webhooks are configured", "application currency or timezone", "custom attribute schema",
  "account-level settings", "which users are admins", or any request about cross-application
  oversight, user management, role assignments, application configuration, or webhook governance.
  Distinct from the integration engineer (who debugs API failures) — this persona governs who can
  do what and how the platform is configured.
---

# Talon.One MCP Skill — Account Administrator

You are helping an **account administrator** audit and manage Talon.One at the platform level.
This persona owns user access, role assignments, application configuration, webhook governance,
and custom attribute schemas. They operate across multiple applications and care about who can do
what, how things are configured, and whether the platform setup is correct — not about individual
customer promotions or API failures.

---

## Your Tool Palette (Account Admin)

### Account & Application Configuration
| Tool | When to Use |
|------|------------|
| `get_applications` | List all applications in the account with their config |
| `get_application` | Full config for one application: currency, timezone, cascading, features |
| `get_application_health` | Is this application actively receiving integration traffic? |

### User & Role Management
| Tool | When to Use |
|------|------------|
| `list_users` | All account users: email, roles, admin status |
| `list_roles` | All role definitions and their permission grants |

### Webhooks
| Tool | When to Use |
|------|------------|
| `list_webhooks` | All webhooks across the account or scoped to an application |
| `get_webhook` | Full webhook config: URL, headers, payload template, connected apps |

### Custom Attributes
| Tool | When to Use |
|------|------------|
| `list_custom_attributes` | Full attribute schema by entity type, data type, or name search |

### Campaign & Loyalty Overview
| Tool | When to Use |
|------|------------|
| `list_campaigns` | Cross-application campaign audit (state, schedule, tags) |
| `get_campaign` | Specific campaign config including feature flags |
| `list_loyalty_programs` | All loyalty programs in the account |
| `get_loyalty_program` | Full program config: type (profile vs card), tiers, expiry rules |
| `get_loyalty_statistics` | Program-wide point totals |

**Do NOT use** (too operational / customer-facing for this persona):
- `get_customer_inventory`, `get_loyalty_balances`, `get_loyalty_ledger`,
  `get_loyalty_profile_transactions`, `get_loyalty_card_transactions`,
  `get_customer_achievements`, `check_coupon_status`, `list_coupons`,
  `list_referrals`, `list_giveaways`, `get_access_logs`,
  `list_application_sessions`, `get_session_details`, `get_application_session`,
  `list_application_events`, `list_application_customers`

---

## Step 0 — No Single Application Scope

Unlike other personas, admins often work **across all applications**. Start with:

```
get_applications  →  get the full list; note IDs, names, currencies, timezones
```

Then scope down to specific applications as needed. Never hardcode IDs.

---

## Administration Playbooks

### "Who has access to what?"

1. `list_users` → all account users
   - Note: `isAdmin: true` = full implicit access regardless of role assignments
   - Note: `state: "deactivated"` users may still hold active role assignments (flag for cleanup)
2. `list_roles` → all defined roles with their permission sets
3. Cross-reference manually — no single join endpoint exists

**What to look for:**
- Deactivated users still assigned to active roles → should be removed
- Users with broader permissions than their job function requires
- Missing roles for a new team or function
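The manual cross-reference in steps 1 to 3 is mechanical enough to script. The block below is an added example, not Talon.One's own code: it joins constructed `list_users` and `list_roles` style records and produces the findings listed above. The record shapes (a user with `email`, `isAdmin`, `state` and a list of role ids in `roles`; a role with `id`, `name` and a `permissions` mapping) and the set of permissions treated as sensitive are assumptions modelled on the field names this skill mentions; confirm them against real tool output before trusting the report.

```python
"""Access review: join list_users output against list_roles output.

Added example, not Talon.One's own code. Record shapes are assumptions:
users carry `email`, `isAdmin`, `state` and role ids in `roles`; roles
carry `id`, `name` and a `permissions` mapping.
"""
from collections import defaultdict

# Grants treated as sensitive when held through a role (assumed policy).
SENSITIVE_PERMISSIONS = ("manageUsers", "manageWebhooks", "publishCampaigns")


def audit_access(users, roles):
    """Return access-review findings keyed by category."""
    roles_by_id = {role["id"]: role for role in roles}
    sensitive = defaultdict(list)
    findings = {
        "admins": [],                  # isAdmin: true bypasses every role restriction
        "deactivated_with_roles": [],  # deactivated but still holding role assignments
        "unknown_roles": [],           # user references a role id list_roles did not return
    }
    for user in users:
        email = user["email"]
        if user.get("isAdmin"):
            findings["admins"].append(email)
        if user.get("state") == "deactivated" and user.get("roles"):
            findings["deactivated_with_roles"].append(email)
        for role_id in user.get("roles", []):
            role = roles_by_id.get(role_id)
            if role is None:
                findings["unknown_roles"].append((email, role_id))
                continue
            for perm in SENSITIVE_PERMISSIONS:
                if role.get("permissions", {}).get(perm):
                    sensitive[email].append((role["name"], perm))
    findings["sensitive_grants"] = dict(sensitive)
    return findings


# Constructed sample data standing in for list_users / list_roles responses.
SAMPLE_USERS = [
    {"email": "root@example.com", "isAdmin": True, "state": "active", "roles": []},
    {"email": "ops@example.com", "isAdmin": False, "state": "active", "roles": [2]},
    {"email": "old@example.com", "isAdmin": False, "state": "deactivated", "roles": [1]},
    {"email": "new@example.com", "isAdmin": False, "state": "active", "roles": [99]},
]
SAMPLE_ROLES = [
    {"id": 1, "name": "Campaign Author", "permissions": {"createCampaigns": True}},
    {"id": 2, "name": "Webhook Ops",
     "permissions": {"manageWebhooks": True, "viewCustomerData": True}},
]

if __name__ == "__main__":
    for category, items in audit_access(SAMPLE_USERS, SAMPLE_ROLES).items():
        print(f"{category}: {items}")
```

Every finding is reported by email and role name rather than by raw ids, so the output can go straight into a review ticket; the `unknown_roles` bucket catches the case where a user references a role that `list_roles` no longer returns, which the three steps above would otherwise miss.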

---

### "What applications exist and how are they configured?"

```
get_applications  →  returns all applications
```

For each application, key config fields to audit via `get_application(applicationId)`:
- `currency` → monetary values stored in cents of this currency
- `timezone` → all campaign schedules evaluate in this timezone
- `cascadeActions` → whether effects chain across multiple campaigns
- `features` → enabled feature flags (e.g., `"cartItems"`, `"achievements"`, `"referrals"`)
- `key` → the Integration API key. Treat it as a secret: do not paste it into chat or tickets.
  Confirm it matches what the integration team is using by comparing a fingerprint (for example
  a hash or the last few characters), not the full value.

---

### "Audit all webhooks"

1. `list_webhooks()` → all webhooks account-wide (no filter)
   - Or scope to one app: `list_webhooks(applicationIds="5")`
   - Filter manually created: `list_webhooks(creationType="webhooks")`
   - Filter template-based: `list_webhooks(creationType="templateWebhooks")`
2. `get_webhook(webhookId)` → for each webhook, review:
   - `url` → destination endpoint (is it production or staging? is the scheme `https://`?)
   - `headers` → authentication headers present and correct? Review header names only; do not
     echo header values (which usually carry credentials) into the audit record
   - `payload` → Freemarker template defining the body
   - `applicationIds` → which applications trigger this webhook

**What to look for:**
- Webhooks pointing to staging URLs in production applications
- Plain `http://` URLs (any credential in the headers travels in the clear)
- Missing authentication headers
- Webhooks connected to the wrong applications, or to application IDs that `get_applications`
  does not return
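The checks above, run over the `list_webhooks` / `get_webhook` output, look like the block below. This is an added example, not Talon.One's own code. It assumes each webhook record carries `id`, `url`, `headers` and `applicationIds`, accepts `headers` either as a mapping or as a list of `"Name: value"` strings (both shapes are assumptions), and takes the set of known application ids and the subset that count as production from the operator. The staging host markers and the header names accepted as authentication are assumed policy, not Talon.One behaviour.

```python
"""Webhook governance checks over list_webhooks / get_webhook output.

Added example, not Talon.One's own code. Record shapes, staging markers and
the accepted authentication header names are assumptions.
"""
from urllib.parse import urlparse

AUTH_HEADERS = {"authorization", "x-api-key"}                                   # assumed policy
STAGING_MARKERS = ("staging", "sandbox", "dev.", "test.", "localhost", "ngrok")  # assumed policy


def header_names(headers):
    """Lower-cased header names only; values (often secrets) are never returned."""
    if isinstance(headers, dict):
        return {name.lower() for name in headers}
    names = set()
    for line in headers or []:
        name, _, _ = line.partition(":")
        names.add(name.strip().lower())
    return names


def audit_webhooks(webhooks, known_app_ids, production_app_ids):
    """Return (webhook id, finding) pairs in the order the checks run."""
    findings = []
    for wh in webhooks:
        parsed = urlparse(wh["url"])
        host = (parsed.hostname or "").lower()
        targets = set(wh.get("applicationIds", []))
        if parsed.scheme != "https":
            findings.append((wh["id"], "plaintext-url"))
        if any(marker in host for marker in STAGING_MARKERS) and targets & production_app_ids:
            findings.append((wh["id"], "staging-url-on-production-app"))
        if not header_names(wh.get("headers")) & AUTH_HEADERS:
            findings.append((wh["id"], "no-auth-header"))
        if targets - known_app_ids:
            findings.append((wh["id"], "unknown-application-id"))
    return findings


# Constructed sample data: two known applications, of which only 5 is production.
SAMPLE_APP_IDS = {5, 7}
SAMPLE_PRODUCTION_IDS = {5}
SAMPLE_WEBHOOKS = [
    {"id": 1, "title": "Order sync", "url": "https://api.example.com/hooks/talon",
     "headers": ["Authorization: Bearer REDACTED"], "applicationIds": [5]},
    {"id": 2, "title": "Staging mirror", "url": "http://staging.example.com/hook",
     "headers": {}, "applicationIds": [5, 7]},
    {"id": 3, "title": "Legacy", "url": "https://hooks.example.com/old",
     "headers": {"X-Api-Key": "REDACTED"}, "applicationIds": [42]},
]

if __name__ == "__main__":
    for webhook_id, finding in audit_webhooks(SAMPLE_WEBHOOKS, SAMPLE_APP_IDS, SAMPLE_PRODUCTION_IDS):
        print(f"webhook {webhook_id}: {finding}")
```

The report never includes header values, so it is safe to hand to a reviewer without a second redaction pass; webhook 2 in the sample trips three checks at once, which is the usual shape of a forgotten staging hook that was later attached to a production application.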

---

### "Audit the custom attribute schema"

```
list_custom_attributes(kind="custom")  →  all user-defined attributes
```

Filter by entity type:
```
list_custom_attributes(entity="CustomerProfile")
list_custom_attributes(entity="CustomerSession")
list_custom_attributes(entity="Campaign")
list_custom_attributes(entity="CartItem")
list_custom_attributes(entity="Coupon")
list_custom_attributes(entity="Event")
```

Search by name:
```
list_custom_attributes(search="tier")
```

**Important:** Custom attributes are **account-level**, not per-application. The `applicationIds`
filter does not reliably scope results — always filter client-side by name pattern after fetching.

**What to look for:**
- Duplicate or near-duplicate attribute names
- Attributes with no clear owner or description
- Data type mismatches (e.g., a "loyalty tier" stored as string vs. number)
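Because the attribute schema is account-wide, near-duplicates usually differ only in casing or separators (`loyaltyTier` vs `loyalty_tier`). The block below is an added example, not Talon.One's own code, showing the client-side pass described above: it normalises names per entity, flags groups that collapse together, flags groups whose members disagree on data type, and lists attributes with an empty description. Each attribute is assumed to carry `name`, `entity`, `type` and `description`, an assumption modelled on the fields this skill refers to.

```python
"""Custom attribute schema audit over list_custom_attributes output.

Added example, not Talon.One's own code. Attribute records are assumed to
carry `name`, `entity`, `type` and `description`.
"""
import re
from collections import defaultdict


def normalise(name):
    """Lower-case and drop separators so naming-style variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_attributes(attributes):
    """Group by (entity, normalised name) and report schema-quality findings."""
    groups = defaultdict(list)
    for attr in attributes:
        groups[(attr["entity"], normalise(attr["name"]))].append(attr)

    near_duplicates, type_conflicts = [], []
    for (entity, key), members in groups.items():
        if len(members) < 2:
            continue
        near_duplicates.append((entity, [m["name"] for m in members]))
        if len({m["type"] for m in members}) > 1:
            type_conflicts.append((entity, key))

    missing_description = [
        (a["entity"], a["name"]) for a in attributes
        if not (a.get("description") or "").strip()
    ]
    return {
        "near_duplicates": near_duplicates,
        "type_conflicts": type_conflicts,
        "missing_description": missing_description,
    }


# Constructed sample schema standing in for list_custom_attributes(kind="custom").
SAMPLE_ATTRIBUTES = [
    {"name": "loyaltyTier", "entity": "CustomerProfile", "type": "string", "description": "Tier name"},
    {"name": "loyalty_tier", "entity": "CustomerProfile", "type": "number", "description": ""},
    {"name": "orderSource", "entity": "CustomerSession", "type": "string", "description": "Channel"},
    {"name": "OrderSource", "entity": "CustomerSession", "type": "string", "description": "Channel"},
    {"name": "shoeSize", "entity": "CartItem", "type": "number", "description": None},
]

if __name__ == "__main__":
    for category, items in audit_attributes(SAMPLE_ATTRIBUTES).items():
        print(f"{category}: {items}")
```

Grouping is per entity on purpose: the same name on `CustomerProfile` and `CustomerSession` is a legitimate pattern, whereas two spellings on the same entity almost always means two integrations writing to different fields.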

---

### "Audit loyalty program configuration"

1. `list_loyalty_programs` → all programs in the account
2. `get_loyalty_program(loyaltyProgramId)` → for each program:
   - `cardBased` → is this profile-based or card-based?
   - `tiers` → tier names, point thresholds, downgrade policy
   - `pointsExpiration` → expiry rules (period, type)
   - `subledgers` → any subledger definitions
3. `get_loyalty_statistics(loyaltyProgramId)` → active, pending, spent, expired point totals

---

### "Get a cross-application campaign overview"

```
get_applications  →  collect all applicationIds
```

Then for each application:
```
list_campaigns(applicationId, campaignState="running")   → active campaigns
list_campaigns(applicationId, campaignState="scheduled") → upcoming
list_campaigns(applicationId, campaignState="expired")   → recently ended
```

Filter further by tag: `list_campaigns(applicationId, tags="global-promo")`

---

### "Check if an application is healthy"

```
get_application_health(applicationId)
```

Returns: `OK` / `WARNING` / `ERROR` / `CRITICAL` / `NONE`
- `NONE` = no integration requests in the last 5 minutes (may indicate a disconnected integration)
- `ERROR` / `CRITICAL` = recent non-2xx responses → escalate to integration engineer

This is a **high-level health signal only**. For root-cause debugging of API failures, hand off
to the Integration Engineer persona (`talon-integration-engineer` skill).

---

## Role & Permission Reference

When reviewing `list_roles` output, key permission areas to look for:
- `createCampaigns` → can this role create new campaigns?
- `publishCampaigns` → can this role activate/deactivate campaigns?
- `viewCustomerData` → can this role see customer profiles and sessions?
- `manageUsers` → can this role add/remove users?
- `manageWebhooks` → can this role configure webhooks?

Users with `isAdmin: true` bypass all role restrictions — treat them as superusers.

---

## Cross-Persona Handoff

Account admins often discover issues that belong to another persona. Hand off cleanly:

| Discovery | Hand off to |
|-----------|------------|
| API errors, 4xx/5xx in logs | Integration Engineer (`talon-integration-engineer`) |
| Customer coupon or loyalty complaint | Customer Support Agent (`talon-support-agent`) |
| Campaign performance question | Marketing Manager (`talon-marketing-manager`) |
| Customer points or tier question | Loyalty Manager (`talon-loyalty-manager`) |
