# Task L.3.1: Customer, Contact & Approval Visibility Hardening ## Objective Close the remaining authorization gaps from Task L.3 and make CRM visibility enforcement production-ready. After Task L.3.1: ```txt Customer Visibility Contact Visibility Approval Visibility ``` must all use the same resolved CRM access model as: ```txt Leads Enquiries Quotations Dashboard PDF Artifacts ``` This task is expected to close the Authorization Epic. --- # Background Task L.3 completed: ```txt Quotation Scope Enforcement Pricing Visibility PDF Security Artifact Security Dashboard Revenue Security Approval Actor Validation ``` Remaining gaps: ```txt Customer Ownership Scope Contact Ownership Scope Approval List Visibility Approval Detail Visibility Runtime Security Verification ``` --- # Scope L3.1.1 Customer Ownership Enforcement Apply resolved CRM access to: ```txt Customers List Customer Detail Customer Search Customer Lookup Customer API ``` Rules: ## Sales ```txt Own customers only ``` Customer ownership derived from: ```txt createdBy salesmanId assigned ownership relationship ``` based on current CRM model. --- ## Sales Manager ```txt Team customers ``` limited by: ```txt Branch Scope Product Scope Ownership Scope ``` --- ## Marketing ```txt Monitoring visibility only ``` May view customer profile if related to: ```txt Lead Enquiry ``` but cannot access quotation pricing. --- ## CRM Admin ```txt Organization-wide visibility ``` --- # Scope L3.1.2 Contact Ownership Enforcement Apply same resolved access model. Protect: ```txt Contacts List Contact Detail Contact Search Contact API ``` Rules: ```txt Owner Shared User Manager Scope Admin Scope ``` must all work correctly. --- # Scope L3.1.3 Contact Sharing Validation Audit existing sharing model. Verify: ```txt Shared Contact ``` still visible after ownership enforcement. Rules: ```txt Creator Shared User CRM Admin ``` retain access. Users outside sharing relationship: ```txt Access Denied ``` --- # Scope L3.1.4 Approval Visibility Enforcement Approval actor validation already exists. Now enforce visibility for: ```txt Approval List Approval Detail Approval History Approval Dashboard Widgets ``` Rules: User can only see approval records when: ```txt Can Access Related Quotation ``` OR ```txt Current Approval Actor ``` OR ```txt CRM Admin ``` --- # Scope L3.1.5 Approval Detail Security Protect: ```txt Approval Route Approval APIs Approval Timeline Approval History ``` Users without quotation visibility: ```txt cannot access approval details ``` even if they know the URL. Server-side enforcement required. --- # Scope L3.1.6 Approval Dashboard Hardening Verify: ```txt Pending Approvals My Approvals Approval KPIs Approval Analytics ``` all respect: ```txt Branch Scope Product Scope Ownership Scope ``` and resolved CRM access. --- # Scope L3.1.7 Team Scope Clarification Current implementation uses: ```txt Most Permissive Ownership Scope ``` but team membership is approximate. Document current behavior. Create: ```txt docs/security/team-scope-limitations.md ``` Document: ```txt Current Team Scope Logic Known Limitations Future Team Hierarchy Model ``` No hierarchy implementation in this task. --- # Scope L3.1.8 Security Fixture Expansion Expand: ```txt scripts/security/verify-crm-access.ts ``` Add scenarios: ### Customer Visibility ```txt Sales A cannot see Sales B customer ``` --- ### Contact Sharing ```txt Shared Contact visible Unshared Contact hidden ``` --- ### Approval Visibility ```txt Approver can access Non-Approver cannot access ``` --- ### Marketing ```txt can monitor lead cannot view quotation pricing ``` --- ### CRM Admin ```txt full access ``` --- # Scope L3.1.9 Security Audit Logging Extend: ```txt crm_security_access ``` Events: ```txt customer_scope_violation contact_scope_violation approval_scope_violation ``` Payload: ```txt userId entityId entityType reason resolvedScope ``` --- # Scope L3.1.10 Security Inventory Update Update: ```txt docs/security/crm-access-enforcement-inventory.md ``` Status should become: ```txt Protected ``` for: ```txt Customers Contacts Approvals ``` Remove: ```txt Partially Protected ``` classification where resolved. --- # Scope L3.1.11 Authorization Boundary Review Update: ```txt docs/security/crm-authorization-boundaries.md ``` Document final behavior for: ```txt Customer Contact Lead Enquiry Quotation Approval Dashboard Artifacts Settings ``` This becomes the official CRM authorization reference. --- # Verification Matrix ## Sales A Expected: ```txt Own Customers Own Contacts Own Quotations ``` Cannot: ```txt Access Sales B records ``` --- ## Sales Manager Expected: ```txt Team Customers Team Contacts Team Quotations ``` within scope. --- ## Marketing Expected: ```txt Lead Monitoring Follow-Ups Assignments ``` Cannot: ```txt View Pricing View Revenue View Approval Detail ``` --- ## Approver Expected: ```txt Can Access Pending Approval Can Access Approval Detail ``` --- ## Non Approver Expected: ```txt Cannot Access Approval Detail ``` --- ## CRM Admin Expected: ```txt Full CRM Access ``` --- # Deliverables 1. Customer Ownership Enforcement 2. Contact Ownership Enforcement 3. Contact Sharing Validation 4. Approval Visibility Enforcement 5. Approval Dashboard Hardening 6. Security Fixture Expansion 7. Security Audit Events 8. Updated Security Inventory 9. Authorization Boundary Review --- # Definition of Done Task L.3.1 is complete when: * customer visibility uses resolved CRM access * contact visibility uses resolved CRM access * contact sharing still works * approval visibility is secured * approval detail is secured * approval dashboard respects scope * security regression scenarios pass * security inventory updated * authorization boundary documentation updated Result: ```txt Authorization Foundation = CLOSED CRM Security Boundary = PRODUCTION READY CRM UAT Security Baseline = READY ```