task-l
This commit is contained in:
60
docs/implementation/task-l-crm-permission-role-management.md
Normal file
60
docs/implementation/task-l-crm-permission-role-management.md
Normal file
@@ -0,0 +1,60 @@
|
||||
# Task L: CRM Permission & Role Management
|
||||
|
||||
## Summary
|
||||
|
||||
Task L starts the production CRM authorization foundation by replacing template-level behavior with organization-owned role profiles, effective permission resolution, and server-side scope enforcement.
|
||||
|
||||
## Implemented
|
||||
|
||||
- Added CRM role profile defaults for:
|
||||
- `marketing`
|
||||
- `sales`
|
||||
- `sales_support`
|
||||
- `sales_manager`
|
||||
- `department_manager`
|
||||
- `top_manager`
|
||||
- `crm_admin`
|
||||
- Added dedicated CRM permissions for:
|
||||
- quotation pricing visibility
|
||||
- role management
|
||||
- master option management
|
||||
- Added `crmRoleProfiles` persistence model with:
|
||||
- permissions
|
||||
- ownership scope
|
||||
- branch scope mode
|
||||
- product scope mode
|
||||
- approval authority
|
||||
- active/system flags
|
||||
- Added membership scope fields:
|
||||
- `branchScopeIds`
|
||||
- `productTypeScopeIds`
|
||||
- Added resolved CRM access helper to combine:
|
||||
- system role
|
||||
- membership role
|
||||
- role profile permissions
|
||||
- direct membership permissions
|
||||
- Added CRM Settings > Roles page and role-management APIs for:
|
||||
- role listing
|
||||
- role editing
|
||||
- permission matrix
|
||||
- role cloning
|
||||
- role activation/deactivation
|
||||
- Added audit logging for CRM role create/update events.
|
||||
- Moved CRM dashboard access evaluation to resolved branch/product/ownership scope.
|
||||
- Started server-side enquiry enforcement for:
|
||||
- branch scope
|
||||
- product-type scope
|
||||
- ownership visibility
|
||||
- assign/reassign/follow-up access consistency
|
||||
|
||||
## Notes
|
||||
|
||||
- This task lays the authorization foundation first; dynamic user assignment UI for cloned CRM roles can build on top of these role profiles next.
|
||||
- Quotation and approval flows should continue migrating onto the same resolved access model so ownership and scope rules stay consistent across CRM.
|
||||
|
||||
## Verification
|
||||
|
||||
- Run: `npx tsc --noEmit`
|
||||
- Confirm CRM Settings sidebar shows `Roles & Permissions` only for users with `crm.role.read`
|
||||
- Confirm sales users cannot access enquiries outside assigned branch/product scope
|
||||
- Confirm dashboard export and dashboard summary honor resolved scope and permissions
|
||||
Reference in New Issue
Block a user