Flow: Admin Blacklist Management (CSV Import & CRUD Operations)

Actor

Security Administrator / Admin with blacklist management permissions (BLACKADMIN role)

Preconditions

  • Admin has valid credentials with blacklist management permissions
  • Access to BLACKADMIN section in admin portal
  • CSV file prepared (for bulk import) with OIB (required), first name and last name (optional)
  • Security team has provided list of banned individuals (approximately 200-300 records)

Flow Steps

Part 1: Pre-Match Blacklist Refresh Workflow

Standard Workflow Before Each Match:

Before each match, admin performs a complete blacklist refresh:

  1. Clear Existing Blacklist

    • Admin logs into admin portal with MFA authentication
    • Navigates to "BLACKADMIN" section
    • Clicks "Clear All Entries" button
    • System prompts: "This will remove all current blacklist entries. Are you sure?"
    • Admin confirms
    • All entries marked as "Cleared - Pre-match refresh"
    • Audit log records: date, admin
  2. Import Fresh Blacklist

    • Admin clicks "Import Blacklist" button
    • All files use same predefined format
    • System skips duplicated OIBs
    • For multiple files (from different police stations), admin repeats the import process for each file

Part 2: CSV Bulk Import

  1. Access Blacklist Management Section

    • Admin logs into admin portal with MFA authentication
    • Navigates to "BLACKADMIN" section from main navigation
    • Dashboard displays:
      • Total active bans
      • Recent violation attempts
    • Clicks "Import Blacklist" button
  2. Upload CSV File

    • System displays CSV import interface
    • Admin clicks "Choose File" and selects CSV file(s)
    • CSV format requirements shown:
      • Required columns: OIB (11 digits)
      • Optional columns: First Name, Last Name
    • Admin uploads CSV file(s) (200-300 individuals from security team)
    • System begins validation process
  3. CSV Validation and Preview

    • System validates each row:
      • OIB format (11 digits, valid checksum)
      • Duplicate OIB detection in file and in database (skips row if exists)
      • Required field completeness
    • Validation results displayed:
      • Total rows: 287
      • Valid rows: 283
      • Invalid rows: 4 (with detailed error descriptions)
    • Invalid rows highlighted with specific errors:
      • Row 45: "Invalid OIB checksum"
      • Row 231: "Duplicate OIB already in system"
    • Admin can:
      • See error report with line numbers
      • Fix CSV and re-upload
  4. Review and Confirm Import

    • Preview table shows first 20 valid records
    • Summary statistics:
      • New bans to be created: 283
      • Duplicate OIBs (skipped): 4
    • Admin reviews preview data
    • Admin enters import confirmation note: "Initial security team blacklist import - November 2025"
    • Admin clicks "Confirm Import" button
  5. Process Import

    • System creates blacklist entries in batch
    • Progress bar shows import status
    • Each entry receives:
      • Unique blacklist ID
      • Status: "Active"
      • Created by: Admin user ID
      • Created timestamp
      • Audit log entry
    • Success confirmation displayed:
      • "Successfully imported 283 blacklist entries"
      • "4 rows skipped due to errors"
    • Admin can view import summary report
  6. Post-Import Verification

    • Admin redirected to blacklist dashboard
    • Recently imported entries visible in list
    • Filter set to "Created Today"
    • Admin can spot-check imported records for accuracy

Part 2: Ongoing CRUD Operations

Create Individual Blacklist Entry

  1. Initiate New Ban

    • Admin clicks "Add Blacklist Entry" button
    • New entry form displayed with fields:
      • OIB (required, 11 digits with validation)
      • First Name (optional)
      • Last Name (optional)
  2. Enter Ban Details

    • Admin enters individual's information
    • System performs real-time validation:
      • OIB checksum validation
      • Duplicate OIB check (shows warning if exists)
  3. Submit and Confirm

    • Admin clicks "Create Blacklist Entry"
    • System creates entry and logs in audit trail
    • Success message: "Blacklist entry created successfully. User [Name] is now banned from purchasing tickets."

Read/Search Blacklist Entries

  1. Search and Filter

    • Admin accesses blacklist dashboard
    • Search bar with options:
      • Search by OIB (partial or full)
      • Search by name (first or last)
    • Results displayed in sortable table
  2. View Details

    • Table columns:
      • OIB (partially masked: *****34)
      • Full Name (if available)
      • Effective Date (date of creation)
      • Actions (View, Remove)
    • Admin clicks "View" on any entry
    • Detailed view displays:
      • OIB and name (if available)
      • Audit trail (created, modified, accessed)
      • Violation attempt history (if any)

Delete/Remove Blacklist Entry

  1. Initiate Removal

    • Admin searches for and locates entry
    • Clicks "Remove" button on entry row
    • System displays warning dialog:
      • "Are you sure you want to remove this ban?"
      • "Individual [Name] will be able to purchase tickets immediately"
      • "This action will be logged in audit trail"
  2. Confirm Removal

    • Admin confirms removal action
  3. Process Removal

    • System changes entry status to "Removed"
    • Entry remains in database (soft delete) for audit purposes
    • Ban no longer enforced in purchase flow
    • Audit log entry created with admin ID, timestamp, and reason
    • Success message: "Blacklist entry removed. Individual can now purchase tickets."
    • Notification sent to security team

Part 3: Violation Monitoring

  1. View Violation Attempts

    • Admin navigates to "Violation Attempts" tab
    • Report title: "Popis Kupaca Koji imaju aktivnu zabranu i Pokusali su kupiti ulaznicu" (List of Buyers Who Have an Active Ban and Attempted to Purchase a Ticket)
    • Table displays blocked purchase attempts:
      • DATUM POKUSAJA (Date of Attempt): DD.MM.YYYY HH:MM:SS
      • IME (First Name)
      • PREZIME (Surname)
      • OIB (partially masked)
      • Event (match attempted to purchase)
      • IP Address
      • HNS mobile app User account ID
      • Session Information
      • Attempt Count (for repeat attempts)
    • Filter options:
      • Date range
      • Individual (by OIB or name)
      • Event
  2. Investigate Violations

    • Admin clicks on violation record
    • Detailed view shows:
      • Complete attempt details
      • User session information
      • Geographic location (from IP)
      • Multiple attempts (if repeat violator)
      • Linked blacklist entry
    • Admin can:
      • Add investigation notes
      • Block HNS mobile app user account
  3. Pattern Detection Alerts

    • System automatically detects:
      • Multiple attempts by same individual (> 3 in 24 hours)
      • Attempts to bypass with modified personal data
    • Admin receives dashboard notifications for patterns
    • Escalation alerts sent for high-priority violations
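
The repeat-attempt rule from step 3 (more than 3 attempts by the same individual in 24 hours), as an added example that is not part of the original specification. It reads timestamps in the report's DD.MM.YYYY HH:MM:SS format; the sample log, the OIB-* placeholders and the treatment of an attempt exactly 24 hours old are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
THRESHOLD = 3                      # alert on more than 3 attempts per window
TS_FORMAT = "%d.%m.%Y %H:%M:%S"    # DD.MM.YYYY HH:MM:SS, as in the report

def repeat_violators(attempts):
    """attempts: (timestamp_string, oib) pairs in any order.
    Returns {oib: datetime of the attempt that first exceeded the threshold}."""
    parsed = sorted((datetime.strptime(ts, TS_FORMAT), oib) for ts, oib in attempts)
    recent = defaultdict(deque)    # per-OIB attempts still inside the window
    alerts = {}
    for when, oib in parsed:
        window = recent[oib]
        window.append(when)
        # Assumption: an attempt exactly 24 hours old has left the window.
        while when - window[0] >= WINDOW:
            window.popleft()
        if len(window) > THRESHOLD:
            alerts.setdefault(oib, when)
    return alerts

# Constructed sample log; the OIB-* values are placeholders.
SAMPLE_ATTEMPTS = [
    ("14.11.2025 09:00:00", "OIB-A"), ("14.11.2025 09:05:00", "OIB-A"),
    ("14.11.2025 21:30:00", "OIB-A"), ("15.11.2025 08:59:59", "OIB-A"),  # 4 in <24h
    ("14.11.2025 10:00:00", "OIB-B"), ("14.11.2025 10:01:00", "OIB-B"),
    ("14.11.2025 10:02:00", "OIB-B"),                                    # exactly 3
    ("10.11.2025 12:00:00", "OIB-C"), ("11.11.2025 12:00:00", "OIB-C"),
    ("12.11.2025 12:00:00", "OIB-C"), ("13.11.2025 12:00:00", "OIB-C"),  # 24h apart
]
```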

Alternative Flows

A1: CSV Import Validation Failure

  • If more rows are invalid
  • System rejects entire import
  • Admin must correct CSV and re-upload
  • Detailed error report provided for all issues

A2: Duplicate Ban Attempt

  • During individual entry creation, OIB already exists in active bans
  • System displays error: "This OIB is already on the blacklist"
  • Shows existing entry details
  • Admin can:
    • Ignore since entry already exists

A3: Blacklist Entry Conflict During Checkout

  • Customer attempts purchase
  • System checks OIB against blacklist at multiple checkpoints:
    • Cart creation
    • Checkout initiation
    • Payment submission
  • If match found:
    • Purchase blocked immediately
    • User sees specific legal message: "HNS is prevented from selling you a ticket pursuant to [Law/Regulation Reference]. For all information regarding this restriction, please contact MUP (Ministry of Interior)."
    • Message includes:
      • Reference to applicable law/regulation
      • Direction to contact MUP (police), NOT HNS customer support
      • MUP contact information or website link
    • Purpose: Redirect inquiries to appropriate authority (MUP) rather than HNS support
    • System logs violation attempt with full details
    • Silent notification sent to security team

A4: Blacklist Entry with Existing Tickets (Automatic Cancellation - No Refund)

A4a: Individual Entry Creation

  • Admin creates new blacklist entry via individual entry form
  • System performs automatic check for existing tickets associated with the OIB
  • If existing tickets found for upcoming matches:
    • System displays warning dialog to admin:
      • "Warning: This individual has [X] active ticket(s) for upcoming matches"
      • List of affected tickets:
        • Match name and date
        • Seat information
        • Order ID
        • Purchase date
        • Role: BUYER or TICKET HOLDER (important for cancellation scope)
      • Confirmation prompt: "Do you want to proceed with blacklist entry and cancel tickets?"
      • Options: "Cancel Blacklist Entry" / "Proceed with Ban and Cancel Tickets"
  • If admin confirms "Proceed with Ban and Cancel Tickets":
    • System creates blacklist entry and cancels affected tickets (see cancellation rules below)

A4b: CSV Import — Automatic Batch Ticket Cancellation

  • Admin imports CSV file (as described in Part 2)
  • System first completes the full import of all valid blacklist entries
  • After import is complete, system automatically scans all tickets for upcoming matches against the entire imported batch:
    • For each newly imported OIB, system checks if the individual holds any active tickets (as buyer or ticket holder) for any upcoming match
    • All matching tickets are collected for automatic cancellation
  • Automatic cancellation proceeds without admin confirmation:
    • System processes all cancellations in bulk (see cancellation rules below)
    • Progress bar shows cancellation status
  • System displays final import summary to admin:
    • "Import complete: [X] blacklist entries created. [Z] tickets cancelled across [Y] individuals for [N] upcoming matches."
    • Summary table:
      • OIB (masked)
      • Name (if available)
      • Number of cancelled tickets
      • Matches affected

Cancellation Rules (applies to both A4a and A4b)

  • Automatic Ticket Cancellation Rules:
    • If blacklisted person is the BUYER (purchaser):
      • System cancels ALL tickets in the order (all ticket holders affected)
      • Reasoning: Buyer facilitated the purchase, entire order is invalidated
    • If blacklisted person is only a TICKET HOLDER (someone else bought for them):
      • System cancels ONLY that specific ticket
      • Other tickets in the same order remain valid
      • Buyer is notified of partial cancellation
  • Cancelled tickets:
    • Ticket status changed to "CANCELLED_BLACKLIST"
    • Seats returned to available inventory immediately
    • QR codes invalidated
  • No Refund: Blacklisted individuals (whether buyer or ticket holder) do not receive refunds for cancelled tickets. This applies to both the blacklisted person and any tickets in their order.
  • System sends notification to affected parties:
    • To Buyer (if their order affected):
      • Email subject: "Ticket Cancellation Notice - [Match Name]"
      • Email body: "Your ticket order [Order ID] for [Match Name] on [Date] has been cancelled. For questions regarding this restriction, please contact MUP (Ministry of Interior)."
      • Push notification: "Your tickets for [Match Name] have been cancelled. Check email for details."
    • To Ticket Holder (if different from buyer and their ticket cancelled):
      • Email: "Your ticket for [Match Name] on [Date] has been cancelled. For questions regarding this restriction, please contact MUP (Ministry of Interior)."
  • System sends notification to security team:
    • Email to security admin with full details
    • Summary: "Blacklist entry created for [Name] - [X] existing tickets cancelled"
    • List of cancelled orders and ticket holders affected
  • Audit log entries created:
    • Blacklist entry creation
    • Ticket cancellations (each ticket logged separately with BUYER/HOLDER role)
    • Notifications sent
    • Admin ID, timestamps, and reasons documented
  • Success message to admin: "Blacklist entry created successfully. [X] existing ticket(s) cancelled."
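
The BUYER / TICKET HOLDER cancellation scope above, worked through as an added example; it is not the system's own code. The Ticket record, the function names and the OIB-* placeholder values are assumptions made for illustration; the "CANCELLED_BLACKLIST" status and the per-ticket role in the audit record come from the rules above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    order_id: str
    buyer_oib: str    # purchaser of the whole order
    holder_oib: str   # person named on this ticket

def plan_cancellations(tickets, blacklisted):
    """Map ticket_id -> role ("BUYER" or "HOLDER") that triggers its cancellation."""
    # A blacklisted buyer invalidates the entire order, so resolve orders first.
    voided_orders = {t.order_id for t in tickets if t.buyer_oib in blacklisted}
    plan = {}
    for t in tickets:
        if t.order_id in voided_orders:
            plan[t.ticket_id] = "BUYER"
        elif t.holder_oib in blacklisted:
            plan[t.ticket_id] = "HOLDER"   # other tickets in the order stay valid
    return plan

def partial_cancellation_notices(tickets, plan):
    """Map order_id -> buyer_oib for orders where only specific tickets were cancelled."""
    notices = {}
    for t in tickets:
        if plan.get(t.ticket_id) == "HOLDER":
            notices[t.order_id] = t.buyer_oib
    return notices

def audit_records(plan):
    """One record per cancelled ticket, each carrying the BUYER/HOLDER role."""
    return [{"ticket_id": tid, "status": "CANCELLED_BLACKLIST", "role": role}
            for tid, role in sorted(plan.items())]

# Constructed sample data; the OIB-* strings are placeholders, not real OIBs.
SAMPLE_TICKETS = [
    Ticket("T1", "O1", "OIB-A", "OIB-A"),
    Ticket("T2", "O1", "OIB-A", "OIB-C"),   # clean holder, banned buyer
    Ticket("T3", "O2", "OIB-D", "OIB-D"),
    Ticket("T4", "O2", "OIB-D", "OIB-B"),   # banned holder, clean buyer
    Ticket("T5", "O3", "OIB-B", "OIB-B"),   # OIB-B also bought an order
    Ticket("T6", "O4", "OIB-E", "OIB-E"),
]
SAMPLE_BLACKLIST = {"OIB-A", "OIB-B"}
```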

Last Updated: January 2026