Files
alla-allaos-fullstack/plans/task-l.3.md
phaichayon 42f403a7ed task-l.3
2026-06-22 13:36:00 +07:00

664 lines
6.7 KiB
Markdown

# Task L.3: Full CRM Scope Enforcement & Security Validation
## Objective
Complete CRM authorization by enforcing resolved CRM access consistently across all CRM modules.
After Task L.3:
```txt
Resolved CRM Access
```
becomes the single source of truth for:
```txt
Visibility
Ownership
Branch Scope
Product Scope
Approval Authority
Pricing Visibility
Dashboard Access
Settings Access
```
No CRM module may rely solely on UI filtering or legacy membership role behavior.
---
# Background
Completed:
```txt
Task L
Task L.1
Task L.2
```
Current state:
```txt
CRM Role Profiles
CRM User Role Assignments
Effective Access Resolver
User Management Integration
```
Remaining risk:
Some modules may still:
```txt
filter in UI only
use organization visibility
ignore branch scope
ignore product scope
ignore ownership scope
```
Task L.3 closes those gaps.
---
# Scope L3.1 Access Enforcement Inventory
Create a complete inventory of CRM endpoints.
Audit:
```txt
Customers
Contacts
Leads
Enquiries
Quotations
Approvals
Dashboard
Document Artifacts
CRM Settings
```
For each endpoint classify:
```txt
Protected
Partially Protected
Not Protected
Legacy Protected
```
Output:
```txt
docs/security/crm-access-enforcement-inventory.md
```
---
# Scope L3.2 Resolver Adoption Audit
Verify every CRM route uses:
```txt
resolveCrmAccess()
```
or equivalent centralized helper.
Remove direct dependency on:
```txt
membership.businessRole
membership.role
manual permission arrays
```
except compatibility fallback inside resolver.
---
# Scope L3.3 Customer Enforcement
Apply:
```txt
Branch Scope
Product Scope
Ownership Scope
```
Rules:
Sales:
```txt
own customers only
```
Manager:
```txt
team customers
```
Admin:
```txt
organization customers
```
CRM Admin:
```txt
all CRM customers
```
Server-side enforced.
---
# Scope L3.4 Contact Enforcement
Apply same rules.
Preserve:
```txt
Contact Sharing
```
Rules:
Shared contacts remain visible.
Ownership rules still respected.
---
# Scope L3.5 Lead Enforcement
Apply:
```txt
Lead Scope
```
Marketing:
```txt
view monitoring surfaces
assign leads
view follow-ups
```
Sales:
```txt
assigned leads only
```
Manager:
```txt
team leads
```
Enforce:
```txt
branch scope
product scope
ownership
```
---
# Scope L3.6 Enquiry Enforcement
Apply:
```txt
lead -> enquiry pipeline rules
```
Sales:
```txt
assigned enquiries only
```
Manager:
```txt
team enquiries
```
Marketing:
```txt
monitor only
```
Must not edit sales-owned enquiries unless permission exists.
---
# Scope L3.7 Quotation Enforcement
Highest priority.
Rules:
Sales:
```txt
own quotations
```
Manager:
```txt
team quotations
```
CRM Admin:
```txt
all quotations
```
Marketing:
```txt
cannot view pricing
cannot edit quotations
```
Support:
```txt
can edit only if permission granted
```
---
# Scope L3.8 Pricing Visibility Enforcement
Add centralized helper:
```txt
canViewQuotationPricing()
```
Required for:
```txt
Quotation Detail
Quotation List
Dashboard Revenue
Exports
PDF Preview
PDF Download
Approved PDF
```
If denied:
Hide:
```txt
subtotal
discount
tax
total
currency values
```
Server-side.
Not UI-only.
---
# Scope L3.9 Approval Enforcement
Verify:
```txt
approval authority
```
comes from:
```txt
resolved CRM access
```
not role string.
Rules:
Only users with matching authority level may:
```txt
approve
reject
request changes
```
---
# Scope L3.10 Dashboard Enforcement
Apply resolved scope to:
```txt
Lead KPI
Enquiry KPI
Revenue KPI
Approval KPI
Follow-up KPI
Sales Ranking
Exports
```
Rules:
Revenue only visible with:
```txt
crm.quotation.price.read
```
Sales Ranking:
```txt
branch/product filtered
```
Exports:
```txt
same scope as dashboard
```
---
# Scope L3.11 Report / Export Enforcement
Audit:
```txt
CSV
Excel
Dashboard Export
Revenue Export
Sales Ranking Export
```
Rules:
Export must never return records not visible in UI.
Server-side filtering required.
---
# Scope L3.12 Document Artifact Enforcement
Protect:
```txt
Approved PDF
Artifacts
Downloads
```
Rules:
User may download only if:
```txt
can access quotation
AND
has artifact permission
```
No direct artifact bypass.
---
# Scope L3.13 CRM Settings Enforcement
Protect:
```txt
Roles
User Assignments
Templates
Approval Workflows
Document Sequences
Master Options
```
Permissions:
```txt
crm.role.*
crm.role.assignment.*
crm.document_template.*
crm.approval.workflow.*
crm.document_sequence.*
crm.master_option.*
```
No implicit admin access.
---
# Scope L3.14 Security Regression Suite
Add:
```txt
scripts/security/verify-crm-access.ts
```
Verify:
### Marketing
```txt
cannot see quotation prices
cannot export revenue
cannot approve quotation
```
### Sales
```txt
cannot see other sales records
```
### Sales Manager
```txt
can see team records only
```
### CRM Admin
```txt
can manage settings
```
### Mixed Roles
```txt
permissions union correctly
scope union correctly
```
---
# Scope L3.15 Security Audit Logging
Audit entity:
```txt
crm_security_access
```
Log:
```txt
access_denied
scope_violation
permission_violation
pricing_hidden
```
Purpose:
Security troubleshooting.
---
# Scope L3.16 Documentation
Create:
```txt
docs/security/crm-authorization-boundaries.md
docs/implementation/task-l3-full-crm-scope-enforcement.md
```
Document:
```txt
ownership model
scope model
pricing visibility model
approval authority model
dashboard visibility model
artifact visibility model
```
---
# Verification Matrix
## Marketing
Expected:
```txt
Lead Monitoring
Follow-ups
Assignments
No Pricing
No Revenue
No Approval
```
---
## Sales
Expected:
```txt
Own Records
Own Quotations
Own Follow-ups
```
---
## Sales Manager
Expected:
```txt
Team Visibility
Approval Access
```
---
## CRM Admin
Expected:
```txt
Settings
Roles
Templates
Sequences
```
---
## Sales + Manager
Expected:
```txt
Union Permissions
Union Scope
```
---
## Marketing + Sales Support
Expected:
```txt
Lead Access
Quotation Support
No Revenue
```
---
# Deliverables
1. Full CRM Scope Enforcement
2. Pricing Visibility Layer
3. Dashboard Security Layer
4. Artifact Security Layer
5. Approval Authority Enforcement
6. Security Verification Suite
7. Security Audit Logging
8. Authorization Boundary Documentation
---
# Definition of Done
Task L.3 is complete when:
* all CRM routes use resolved CRM access
* branch scope enforced
* product scope enforced
* ownership scope enforced
* pricing visibility enforced
* dashboard security enforced
* artifact security enforced
* approval authority enforced
* exports respect visibility
* regression suite passes
* authorization boundaries documented
Result:
```txt
Authorization Foundation = CLOSED
CRM Security Boundary = PRODUCTION READY
```