First-User-Is-Admin Bootstrap

When a new system needs an initial administrator but has no user management UI yet, making the first OAuth user automatically an admin solves the bootstrap problem without hardcoded credentials or manual database edits.

Tags

First-User-Is-Admin Bootstrap

The Lesson

When a new system needs an initial administrator but has no user management UI yet, making the first OAuth user automatically an admin solves the bootstrap problem without hardcoded credentials or manual database edits.

Context

A medical portal used Google OAuth for authentication. The system needed an admin role to manage users, configure AI providers, and control access. But the admin management UI didn't exist yet — it was planned for a later phase. Someone had to be admin before the admin tools existed.

What Happened

  1. The AuthService checked SELECT count(*) FROM user during OAuth callback.
  2. If the count was zero, the new user was assigned the admin role. Otherwise, user role.
  3. The first person to sign in after deployment became the system administrator.
  4. No seed data, environment variables, or manual SQL was needed to bootstrap the admin.
  5. The pattern was simple enough to implement in the OAuth callback (5 lines) and test with a single unit test.

Key Insights

Applicability

Works for internal tools, development portals, and small-team products where the deployer is the first admin. Not suitable for multi-tenant SaaS where tenant admins are provisioned programmatically, or for systems requiring auditable admin provisioning workflows.

Related Lessons

Related Lessons