This commit is contained in:
phaichayon
2026-06-22 10:22:45 +07:00
parent 51d67ef7c2
commit b154a8de33
37 changed files with 5952 additions and 332 deletions

507
plans/task-l.md Normal file
View File

@@ -0,0 +1,507 @@
# Task L: CRM Permission & Role Management Center
## Objective
Replace remaining template-level role behavior with a production CRM authorization model.
Task L establishes:
* CRM business roles
* role-based permissions
* branch scope
* product-type scope
* ownership visibility
* approval authority
* menu visibility
* configuration security
This task becomes the authorization foundation for all future CRM modules.
---
# Current Problems
The system currently has:
```txt
Users
Memberships
Roles
Permissions
```
but still relies partly on template behavior.
Examples:
* users cannot manage permissions directly
* role assignment is incomplete
* branch visibility is not enforced everywhere
* product-type visibility is not enforced everywhere
* dashboard visibility still depends on broad organization access
* approval authority is role-driven but not centrally configurable
---
# Business Roles (Frozen)
## Marketing
Responsibilities:
```txt
Lead creation
Lead follow-up
Lead assignment
Lead monitoring
```
Can:
```txt
View Leads
Create Leads
Assign Leads
View Enquiries
View Follow-Ups
```
Cannot:
```txt
View quotation pricing
View revenue dashboard
Approve quotations
Edit quotations
```
---
## Sales
Responsibilities:
```txt
Manage enquiries
Manage quotations
Manage follow-ups
```
Can:
```txt
View assigned enquiries
Create quotations
Edit own quotations
Manage own follow-ups
```
Cannot:
```txt
View other sales data
Approve quotations
Manage CRM settings
```
---
## Sales Support
Can:
```txt
Create quotations
Edit quotations
Support sales operations
```
Cannot:
```txt
Approve quotations
View management analytics
```
---
## Sales Manager
Can:
```txt
View team enquiries
Assign sales
Approve quotations
View team dashboard
```
Visibility:
```txt
Branch scope
Product-type scope
```
---
## Department Manager
Can:
```txt
Approve quotations
View department analytics
View department pipeline
```
---
## Top Manager
Can:
```txt
Approve final quotations
View all CRM analytics
```
---
## CRM Admin
Can:
```txt
Manage templates
Manage workflows
Manage document sequences
Manage master options
Manage CRM configuration
```
Cannot:
```txt
Override system security
```
---
## System Admin
Can:
```txt
Everything
```
---
# Scope L.1 Role Management UI
Add:
```txt
CRM Settings
└─ Roles & Permissions
```
Features:
```txt
Role list
Role detail
Permission matrix
Role cloning
Role activation
Role deactivation
```
---
# Scope L.2 Permission Assignment
Allow administrators to assign permissions to roles.
Support:
```txt
read
create
update
delete
approve
assign
export
manage
```
Examples:
```txt
crm.lead.read
crm.lead.create
crm.enquiry.read
crm.enquiry.assign
crm.quotation.approve
crm.dashboard.export
```
---
# Scope L.3 User Permission Resolution
Effective permission:
```txt
System Role
+
Membership Role
+
Direct Permissions
```
Evaluation order:
```txt
System Admin
Role Permissions
User Overrides
```
---
# Scope L.4 Branch Scope
User can be assigned:
```txt
Bangkok
Rayong
Chiang Mai
```
Visibility enforced server-side.
Examples:
```txt
Sales Bangkok
cannot view
Rayong enquiries
```
---
# Scope L.5 Product Type Scope
Supported:
```txt
Crane
Dock Door
Solar Cell
Service
Spare Part
```
Example:
```txt
Sales Crane
cannot see
Solar quotations
```
---
# Scope L.6 Ownership Enforcement
Server-side rules.
Sales:
```txt
Own records only
```
Manager:
```txt
Team records
```
Admin:
```txt
Organization records
```
Marketing:
```txt
Lead monitoring only
```
---
# Scope L.7 Menu Security
Navigation generated from permissions.
Examples:
```txt
Lead
Enquiry
Quotation
Approval
Dashboard
Settings
```
Menus disappear automatically when permission is absent.
---
# Scope L.8 Dashboard Security
Enforce:
```txt
Lead KPI
Enquiry KPI
Revenue KPI
Approval KPI
```
according to permission.
No UI-only hiding.
Server-side enforcement required.
---
# Scope L.9 CRM Settings Security
Protect:
```txt
Document Templates
Approval Workflows
Document Sequences
Master Options
```
using dedicated CRM permissions.
---
# Scope L.10 Permission Audit
Audit:
```txt
Role Created
Role Updated
Role Deleted
Permission Added
Permission Removed
Scope Changed
```
Entity Types:
```txt
crm_role
crm_permission
crm_scope
```
---
# Scope L.11 Migration Strategy
Convert legacy roles:
```txt
admin
user
```
into CRM-aligned business roles.
Backfill:
```txt
sales
marketing
sales_manager
crm_admin
```
where possible.
Retain historical records.
---
# Scope L.12 Verification
Verify:
```txt
Marketing cannot see quotation price
Sales cannot see other sales enquiries
Managers can see team data
Dashboard respects permissions
Menus respect permissions
CRM settings respect permissions
```
Run:
```txt
npx tsc --noEmit
```
---
# Deliverables
1. Role Management Center
2. Permission Matrix
3. Branch Scope Enforcement
4. Product Type Scope Enforcement
5. Ownership Visibility Enforcement
6. Dashboard Security Enforcement
7. CRM Settings Security
8. Audit Logging
9. Legacy Role Migration
---
# Definition of Done
Task L is complete when:
* permissions are assignable
* role matrix exists
* branch scope enforced
* product scope enforced
* ownership enforced
* dashboard secured
* settings secured
* menus secured
* audits recorded
This becomes the final authorization foundation before Report Center and Notification Center work begins.