task-l
This commit is contained in:
507
plans/task-l.md
Normal file
507
plans/task-l.md
Normal file
@@ -0,0 +1,507 @@
|
||||
# Task L: CRM Permission & Role Management Center
|
||||
|
||||
## Objective
|
||||
|
||||
Replace remaining template-level role behavior with a production CRM authorization model.
|
||||
|
||||
Task L establishes:
|
||||
|
||||
* CRM business roles
|
||||
* role-based permissions
|
||||
* branch scope
|
||||
* product-type scope
|
||||
* ownership visibility
|
||||
* approval authority
|
||||
* menu visibility
|
||||
* configuration security
|
||||
|
||||
This task becomes the authorization foundation for all future CRM modules.
|
||||
|
||||
---
|
||||
|
||||
# Current Problems
|
||||
|
||||
The system currently has:
|
||||
|
||||
```txt
|
||||
Users
|
||||
Memberships
|
||||
Roles
|
||||
Permissions
|
||||
```
|
||||
|
||||
but still relies partly on template behavior.
|
||||
|
||||
Examples:
|
||||
|
||||
* users cannot manage permissions directly
|
||||
* role assignment is incomplete
|
||||
* branch visibility is not enforced everywhere
|
||||
* product-type visibility is not enforced everywhere
|
||||
* dashboard visibility still depends on broad organization access
|
||||
* approval authority is role-driven but not centrally configurable
|
||||
|
||||
---
|
||||
|
||||
# Business Roles (Frozen)
|
||||
|
||||
## Marketing
|
||||
|
||||
Responsibilities:
|
||||
|
||||
```txt
|
||||
Lead creation
|
||||
Lead follow-up
|
||||
Lead assignment
|
||||
Lead monitoring
|
||||
```
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
View Leads
|
||||
Create Leads
|
||||
Assign Leads
|
||||
View Enquiries
|
||||
View Follow-Ups
|
||||
```
|
||||
|
||||
Cannot:
|
||||
|
||||
```txt
|
||||
View quotation pricing
|
||||
View revenue dashboard
|
||||
Approve quotations
|
||||
Edit quotations
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Sales
|
||||
|
||||
Responsibilities:
|
||||
|
||||
```txt
|
||||
Manage enquiries
|
||||
Manage quotations
|
||||
Manage follow-ups
|
||||
```
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
View assigned enquiries
|
||||
Create quotations
|
||||
Edit own quotations
|
||||
Manage own follow-ups
|
||||
```
|
||||
|
||||
Cannot:
|
||||
|
||||
```txt
|
||||
View other sales data
|
||||
Approve quotations
|
||||
Manage CRM settings
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Sales Support
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
Create quotations
|
||||
Edit quotations
|
||||
Support sales operations
|
||||
```
|
||||
|
||||
Cannot:
|
||||
|
||||
```txt
|
||||
Approve quotations
|
||||
View management analytics
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Sales Manager
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
View team enquiries
|
||||
Assign sales
|
||||
Approve quotations
|
||||
View team dashboard
|
||||
```
|
||||
|
||||
Visibility:
|
||||
|
||||
```txt
|
||||
Branch scope
|
||||
Product-type scope
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Department Manager
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
Approve quotations
|
||||
View department analytics
|
||||
View department pipeline
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Top Manager
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
Approve final quotations
|
||||
View all CRM analytics
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## CRM Admin
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
Manage templates
|
||||
Manage workflows
|
||||
Manage document sequences
|
||||
Manage master options
|
||||
Manage CRM configuration
|
||||
```
|
||||
|
||||
Cannot:
|
||||
|
||||
```txt
|
||||
Override system security
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## System Admin
|
||||
|
||||
Can:
|
||||
|
||||
```txt
|
||||
Everything
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.1 Role Management UI
|
||||
|
||||
Add:
|
||||
|
||||
```txt
|
||||
CRM Settings
|
||||
└─ Roles & Permissions
|
||||
```
|
||||
|
||||
Features:
|
||||
|
||||
```txt
|
||||
Role list
|
||||
Role detail
|
||||
Permission matrix
|
||||
Role cloning
|
||||
Role activation
|
||||
Role deactivation
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.2 Permission Assignment
|
||||
|
||||
Allow administrators to assign permissions to roles.
|
||||
|
||||
Support:
|
||||
|
||||
```txt
|
||||
read
|
||||
create
|
||||
update
|
||||
delete
|
||||
approve
|
||||
assign
|
||||
export
|
||||
manage
|
||||
```
|
||||
|
||||
Examples:
|
||||
|
||||
```txt
|
||||
crm.lead.read
|
||||
crm.lead.create
|
||||
|
||||
crm.enquiry.read
|
||||
crm.enquiry.assign
|
||||
|
||||
crm.quotation.approve
|
||||
|
||||
crm.dashboard.export
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.3 User Permission Resolution
|
||||
|
||||
Effective permission:
|
||||
|
||||
```txt
|
||||
System Role
|
||||
+
|
||||
Membership Role
|
||||
+
|
||||
Direct Permissions
|
||||
```
|
||||
|
||||
Evaluation order:
|
||||
|
||||
```txt
|
||||
System Admin
|
||||
↓
|
||||
Role Permissions
|
||||
↓
|
||||
User Overrides
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.4 Branch Scope
|
||||
|
||||
User can be assigned:
|
||||
|
||||
```txt
|
||||
Bangkok
|
||||
Rayong
|
||||
Chiang Mai
|
||||
```
|
||||
|
||||
Visibility enforced server-side.
|
||||
|
||||
Examples:
|
||||
|
||||
```txt
|
||||
Sales Bangkok
|
||||
cannot view
|
||||
Rayong enquiries
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.5 Product Type Scope
|
||||
|
||||
Supported:
|
||||
|
||||
```txt
|
||||
Crane
|
||||
Dock Door
|
||||
Solar Cell
|
||||
Service
|
||||
Spare Part
|
||||
```
|
||||
|
||||
Example:
|
||||
|
||||
```txt
|
||||
Sales Crane
|
||||
cannot see
|
||||
Solar quotations
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.6 Ownership Enforcement
|
||||
|
||||
Server-side rules.
|
||||
|
||||
Sales:
|
||||
|
||||
```txt
|
||||
Own records only
|
||||
```
|
||||
|
||||
Manager:
|
||||
|
||||
```txt
|
||||
Team records
|
||||
```
|
||||
|
||||
Admin:
|
||||
|
||||
```txt
|
||||
Organization records
|
||||
```
|
||||
|
||||
Marketing:
|
||||
|
||||
```txt
|
||||
Lead monitoring only
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.7 Menu Security
|
||||
|
||||
Navigation generated from permissions.
|
||||
|
||||
Examples:
|
||||
|
||||
```txt
|
||||
Lead
|
||||
Enquiry
|
||||
Quotation
|
||||
Approval
|
||||
Dashboard
|
||||
Settings
|
||||
```
|
||||
|
||||
Menus disappear automatically when permission is absent.
|
||||
|
||||
---
|
||||
|
||||
# Scope L.8 Dashboard Security
|
||||
|
||||
Enforce:
|
||||
|
||||
```txt
|
||||
Lead KPI
|
||||
Enquiry KPI
|
||||
Revenue KPI
|
||||
Approval KPI
|
||||
```
|
||||
|
||||
according to permission.
|
||||
|
||||
No UI-only hiding.
|
||||
|
||||
Server-side enforcement required.
|
||||
|
||||
---
|
||||
|
||||
# Scope L.9 CRM Settings Security
|
||||
|
||||
Protect:
|
||||
|
||||
```txt
|
||||
Document Templates
|
||||
Approval Workflows
|
||||
Document Sequences
|
||||
Master Options
|
||||
```
|
||||
|
||||
using dedicated CRM permissions.
|
||||
|
||||
---
|
||||
|
||||
# Scope L.10 Permission Audit
|
||||
|
||||
Audit:
|
||||
|
||||
```txt
|
||||
Role Created
|
||||
Role Updated
|
||||
Role Deleted
|
||||
|
||||
Permission Added
|
||||
Permission Removed
|
||||
|
||||
Scope Changed
|
||||
```
|
||||
|
||||
Entity Types:
|
||||
|
||||
```txt
|
||||
crm_role
|
||||
crm_permission
|
||||
crm_scope
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Scope L.11 Migration Strategy
|
||||
|
||||
Convert legacy roles:
|
||||
|
||||
```txt
|
||||
admin
|
||||
user
|
||||
```
|
||||
|
||||
into CRM-aligned business roles.
|
||||
|
||||
Backfill:
|
||||
|
||||
```txt
|
||||
sales
|
||||
marketing
|
||||
sales_manager
|
||||
crm_admin
|
||||
```
|
||||
|
||||
where possible.
|
||||
|
||||
Retain historical records.
|
||||
|
||||
---
|
||||
|
||||
# Scope L.12 Verification
|
||||
|
||||
Verify:
|
||||
|
||||
```txt
|
||||
Marketing cannot see quotation price
|
||||
Sales cannot see other sales enquiries
|
||||
Managers can see team data
|
||||
Dashboard respects permissions
|
||||
Menus respect permissions
|
||||
CRM settings respect permissions
|
||||
```
|
||||
|
||||
Run:
|
||||
|
||||
```txt
|
||||
npx tsc --noEmit
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
# Deliverables
|
||||
|
||||
1. Role Management Center
|
||||
2. Permission Matrix
|
||||
3. Branch Scope Enforcement
|
||||
4. Product Type Scope Enforcement
|
||||
5. Ownership Visibility Enforcement
|
||||
6. Dashboard Security Enforcement
|
||||
7. CRM Settings Security
|
||||
8. Audit Logging
|
||||
9. Legacy Role Migration
|
||||
|
||||
---
|
||||
|
||||
# Definition of Done
|
||||
|
||||
Task L is complete when:
|
||||
|
||||
* permissions are assignable
|
||||
* role matrix exists
|
||||
* branch scope enforced
|
||||
* product scope enforced
|
||||
* ownership enforced
|
||||
* dashboard secured
|
||||
* settings secured
|
||||
* menus secured
|
||||
* audits recorded
|
||||
|
||||
This becomes the final authorization foundation before Report Center and Notification Center work begins.
|
||||
Reference in New Issue
Block a user