# Task L: CRM Permission & Role Management Center ## Objective Replace remaining template-level role behavior with a production CRM authorization model. Task L establishes: * CRM business roles * role-based permissions * branch scope * product-type scope * ownership visibility * approval authority * menu visibility * configuration security This task becomes the authorization foundation for all future CRM modules. --- # Current Problems The system currently has: ```txt Users Memberships Roles Permissions ``` but still relies partly on template behavior. Examples: * users cannot manage permissions directly * role assignment is incomplete * branch visibility is not enforced everywhere * product-type visibility is not enforced everywhere * dashboard visibility still depends on broad organization access * approval authority is role-driven but not centrally configurable --- # Business Roles (Frozen) ## Marketing Responsibilities: ```txt Lead creation Lead follow-up Lead assignment Lead monitoring ``` Can: ```txt View Leads Create Leads Assign Leads View Enquiries View Follow-Ups ``` Cannot: ```txt View quotation pricing View revenue dashboard Approve quotations Edit quotations ``` --- ## Sales Responsibilities: ```txt Manage enquiries Manage quotations Manage follow-ups ``` Can: ```txt View assigned enquiries Create quotations Edit own quotations Manage own follow-ups ``` Cannot: ```txt View other sales data Approve quotations Manage CRM settings ``` --- ## Sales Support Can: ```txt Create quotations Edit quotations Support sales operations ``` Cannot: ```txt Approve quotations View management analytics ``` --- ## Sales Manager Can: ```txt View team enquiries Assign sales Approve quotations View team dashboard ``` Visibility: ```txt Branch scope Product-type scope ``` --- ## Department Manager Can: ```txt Approve quotations View department analytics View department pipeline ``` --- ## Top Manager Can: ```txt Approve final quotations View all CRM analytics ``` --- ## CRM Admin Can: ```txt Manage templates Manage workflows Manage document sequences Manage master options Manage CRM configuration ``` Cannot: ```txt Override system security ``` --- ## System Admin Can: ```txt Everything ``` --- # Scope L.1 Role Management UI Add: ```txt CRM Settings └─ Roles & Permissions ``` Features: ```txt Role list Role detail Permission matrix Role cloning Role activation Role deactivation ``` --- # Scope L.2 Permission Assignment Allow administrators to assign permissions to roles. Support: ```txt read create update delete approve assign export manage ``` Examples: ```txt crm.lead.read crm.lead.create crm.enquiry.read crm.enquiry.assign crm.quotation.approve crm.dashboard.export ``` --- # Scope L.3 User Permission Resolution Effective permission: ```txt System Role + Membership Role + Direct Permissions ``` Evaluation order: ```txt System Admin ↓ Role Permissions ↓ User Overrides ``` --- # Scope L.4 Branch Scope User can be assigned: ```txt Bangkok Rayong Chiang Mai ``` Visibility enforced server-side. Examples: ```txt Sales Bangkok cannot view Rayong enquiries ``` --- # Scope L.5 Product Type Scope Supported: ```txt Crane Dock Door Solar Cell Service Spare Part ``` Example: ```txt Sales Crane cannot see Solar quotations ``` --- # Scope L.6 Ownership Enforcement Server-side rules. Sales: ```txt Own records only ``` Manager: ```txt Team records ``` Admin: ```txt Organization records ``` Marketing: ```txt Lead monitoring only ``` --- # Scope L.7 Menu Security Navigation generated from permissions. Examples: ```txt Lead Enquiry Quotation Approval Dashboard Settings ``` Menus disappear automatically when permission is absent. --- # Scope L.8 Dashboard Security Enforce: ```txt Lead KPI Enquiry KPI Revenue KPI Approval KPI ``` according to permission. No UI-only hiding. Server-side enforcement required. --- # Scope L.9 CRM Settings Security Protect: ```txt Document Templates Approval Workflows Document Sequences Master Options ``` using dedicated CRM permissions. --- # Scope L.10 Permission Audit Audit: ```txt Role Created Role Updated Role Deleted Permission Added Permission Removed Scope Changed ``` Entity Types: ```txt crm_role crm_permission crm_scope ``` --- # Scope L.11 Migration Strategy Convert legacy roles: ```txt admin user ``` into CRM-aligned business roles. Backfill: ```txt sales marketing sales_manager crm_admin ``` where possible. Retain historical records. --- # Scope L.12 Verification Verify: ```txt Marketing cannot see quotation price Sales cannot see other sales enquiries Managers can see team data Dashboard respects permissions Menus respect permissions CRM settings respect permissions ``` Run: ```txt npx tsc --noEmit ``` --- # Deliverables 1. Role Management Center 2. Permission Matrix 3. Branch Scope Enforcement 4. Product Type Scope Enforcement 5. Ownership Visibility Enforcement 6. Dashboard Security Enforcement 7. CRM Settings Security 8. Audit Logging 9. Legacy Role Migration --- # Definition of Done Task L is complete when: * permissions are assignable * role matrix exists * branch scope enforced * product scope enforced * ownership enforced * dashboard secured * settings secured * menus secured * audits recorded This becomes the final authorization foundation before Report Center and Notification Center work begins.