# Task L: CRM Permission & Role Management ## Summary Task L starts the production CRM authorization foundation by replacing template-level behavior with organization-owned role profiles, effective permission resolution, and server-side scope enforcement. ## Implemented - Added CRM role profile defaults for: - `marketing` - `sales` - `sales_support` - `sales_manager` - `department_manager` - `top_manager` - `crm_admin` - Added dedicated CRM permissions for: - quotation pricing visibility - role management - master option management - Added `crmRoleProfiles` persistence model with: - permissions - ownership scope - branch scope mode - product scope mode - approval authority - active/system flags - Added membership scope fields: - `branchScopeIds` - `productTypeScopeIds` - Added resolved CRM access helper to combine: - system role - membership role - role profile permissions - direct membership permissions - Added CRM Settings > Roles page and role-management APIs for: - role listing - role editing - permission matrix - role cloning - role activation/deactivation - Added audit logging for CRM role create/update events. - Moved CRM dashboard access evaluation to resolved branch/product/ownership scope. - Started server-side enquiry enforcement for: - branch scope - product-type scope - ownership visibility - assign/reassign/follow-up access consistency ## Notes - This task lays the authorization foundation first; dynamic user assignment UI for cloned CRM roles can build on top of these role profiles next. - Quotation and approval flows should continue migrating onto the same resolved access model so ownership and scope rules stay consistent across CRM. ## Verification - Run: `npx tsc --noEmit` - Confirm CRM Settings sidebar shows `Roles & Permissions` only for users with `crm.role.read` - Confirm sales users cannot access enquiries outside assigned branch/product scope - Confirm dashboard export and dashboard summary honor resolved scope and permissions