task-l.3
This commit is contained in:
41
docs/security/crm-access-enforcement-inventory.md
Normal file
41
docs/security/crm-access-enforcement-inventory.md
Normal file
@@ -0,0 +1,41 @@
|
||||
# CRM Access Enforcement Inventory
|
||||
|
||||
## Status Key
|
||||
|
||||
- `Protected`: route already passes through resolved CRM access or explicit permission/scope enforcement
|
||||
- `Partially Protected`: route requires auth/permission but still has legacy or coarse organization-wide behavior
|
||||
- `Legacy Protected`: route depends on role string or legacy membership behavior instead of resolved union access
|
||||
- `Not Protected`: no meaningful CRM scope enforcement beyond organization lookup
|
||||
|
||||
## Inventory
|
||||
|
||||
| Area | Route / Module | Status | Notes |
|
||||
| --- | --- | --- | --- |
|
||||
| Customers | `/api/crm/customers` | `Partially Protected` | Permission-gated, but service is still mostly organization-wide and not yet ownership-scoped |
|
||||
| Contacts | `/api/crm/customers/[id]/contacts` | `Partially Protected` | Bound to customer org, but no dedicated resolved ownership/contact-sharing policy yet |
|
||||
| Leads / Enquiries | `/api/crm/enquiries` and child routes | `Partially Protected` | Uses branch/product/own-scope logic already, but still passes legacy `businessRole` fields through route/service seams |
|
||||
| Quotations | `/api/crm/quotations` and `[id]` | `Protected` | List/detail/create/update/delete now pass resolved CRM scope context and enforce branch/product/own visibility |
|
||||
| Quotation pricing surfaces | document data, preview, PDF preview/download, approved PDF | `Protected` | Pricing-bearing outputs now require pricing visibility and emit `crm_security_access` audit events when denied |
|
||||
| Document artifacts | `/api/crm/document-artifacts/[id]/download` | `Protected` | Approved quotation artifacts now require artifact permission plus pricing visibility guard |
|
||||
| Approvals | `/api/crm/approvals`, approve/reject/return | `Legacy Protected` | Permission-gated; step actor resolution now uses resolved CRM access union, but request listing is still organization-wide |
|
||||
| Dashboard | `/api/crm/dashboard` | `Protected` | Route uses resolved context; revenue widgets are hidden unless quotation pricing is visible |
|
||||
| Dashboard export | `/api/crm/dashboard/export` | `Protected` | Revenue export explicitly blocked without pricing visibility |
|
||||
| CRM settings: roles | `/api/crm/settings/roles*` | `Partially Protected` | Permission-gated, but inventory still needs full pass for every mutation route |
|
||||
| CRM settings: user assignments | `/api/crm/settings/user-role-assignments*` | `Protected` | Explicit permission-gated through CRM role-assignment permissions |
|
||||
| CRM settings: approval workflows | `/api/crm/settings/approval-workflows*` | `Partially Protected` | Permission-gated at route layer; deeper union-based workflow visibility still pending |
|
||||
| CRM settings: document templates / sequences | `/api/crm/settings/document-templates*`, `/document-sequences*` | `Partially Protected` | Permission-gated, but not yet audited against the full L.3 export/artifact matrix |
|
||||
| Master options | `/api/foundation/master-options` | `Partially Protected` | Admin-oriented and permission-gated, but outside resolved CRM scope model |
|
||||
|
||||
## High-Risk Findings
|
||||
|
||||
1. Customer/contact services still need full ownership-scope enforcement rather than organization-only reads.
|
||||
2. Approval request listing and detail visibility are still broader than the final resolved-ownership model.
|
||||
3. Enquiry services already enforce meaningful scope, but several route files still pass legacy role-shaped context instead of a dedicated security context object.
|
||||
4. Team-scope semantics are still coarse because the current model does not yet carry a first-class subordinate/team graph.
|
||||
|
||||
## Follow-up Focus
|
||||
|
||||
- Finish customer/contact ownership enforcement.
|
||||
- Convert approval list/detail visibility from organization scope to resolved quotation visibility.
|
||||
- Normalize remaining enquiry routes onto the same security-context builder used by quotations and dashboard.
|
||||
- Add runtime scenario tests once seeded multi-role fixtures are available.
|
||||
84
docs/security/crm-authorization-boundaries.md
Normal file
84
docs/security/crm-authorization-boundaries.md
Normal file
@@ -0,0 +1,84 @@
|
||||
# CRM Authorization Boundaries
|
||||
|
||||
## Source of Truth
|
||||
|
||||
Resolved CRM access is the source of truth for CRM authorization.
|
||||
|
||||
The effective model is:
|
||||
|
||||
1. Authenticated user
|
||||
2. Active organization membership
|
||||
3. CRM role assignments
|
||||
4. Resolved permission union
|
||||
5. Resolved branch scope
|
||||
6. Resolved product scope
|
||||
7. Resolved ownership scope
|
||||
8. Resolved approval authority
|
||||
|
||||
`memberships.businessRole` remains a compatibility fallback only inside the resolver path.
|
||||
|
||||
## Enforcement Layers
|
||||
|
||||
### Route permission gates
|
||||
|
||||
Every CRM route must first require organization access plus at least one explicit permission.
|
||||
|
||||
### Service-level scope enforcement
|
||||
|
||||
Sensitive list/detail/mutation services must additionally enforce:
|
||||
|
||||
- branch scope
|
||||
- product scope
|
||||
- ownership visibility
|
||||
|
||||
This is required because UI filtering is not a security boundary.
|
||||
|
||||
### Pricing visibility
|
||||
|
||||
Pricing-bearing outputs require quotation pricing visibility:
|
||||
|
||||
- quotation PDF preview/download
|
||||
- approved PDF
|
||||
- document preview/data
|
||||
- revenue dashboard/export
|
||||
- approved artifact download
|
||||
|
||||
Denied pricing access is logged as `crm_security_access` with action `pricing_hidden`.
|
||||
|
||||
### Approval authority
|
||||
|
||||
Approval step handling must use resolved CRM role unions instead of a single legacy business-role string.
|
||||
|
||||
## Current Ownership Model
|
||||
|
||||
- `own`: creator or assigned owner/salesman
|
||||
- `team`: currently treated as broader-than-own, but still requires future team graph formalization
|
||||
- `organization`: organization-wide inside active tenant
|
||||
- `monitor`: read-oriented role with limited commercial visibility
|
||||
|
||||
## Artifact Boundary
|
||||
|
||||
Artifact permission alone is not enough for approved quotation PDFs.
|
||||
|
||||
The caller must satisfy:
|
||||
|
||||
1. artifact download permission
|
||||
2. quotation pricing visibility when the artifact is an approved quotation PDF
|
||||
|
||||
## Dashboard Boundary
|
||||
|
||||
Dashboard access is split:
|
||||
|
||||
- base dashboard visibility: `crm.dashboard.read`
|
||||
- revenue/commercial visibility: quotation pricing visibility
|
||||
- approval widgets: approval read permission
|
||||
- export visibility: same scope as dashboard, with extra revenue export restriction
|
||||
|
||||
## Audit Events
|
||||
|
||||
Security-sensitive denials are recorded under entity type `crm_security_access` with actions:
|
||||
|
||||
- `access_denied`
|
||||
- `scope_violation`
|
||||
- `permission_violation`
|
||||
- `pricing_hidden`
|
||||
Reference in New Issue
Block a user