61 lines
2.0 KiB
Markdown
61 lines
2.0 KiB
Markdown
# Task L: CRM Permission & Role Management
|
|
|
|
## Summary
|
|
|
|
Task L starts the production CRM authorization foundation by replacing template-level behavior with organization-owned role profiles, effective permission resolution, and server-side scope enforcement.
|
|
|
|
## Implemented
|
|
|
|
- Added CRM role profile defaults for:
|
|
- `marketing`
|
|
- `sales`
|
|
- `sales_support`
|
|
- `sales_manager`
|
|
- `department_manager`
|
|
- `top_manager`
|
|
- `crm_admin`
|
|
- Added dedicated CRM permissions for:
|
|
- quotation pricing visibility
|
|
- role management
|
|
- master option management
|
|
- Added `crmRoleProfiles` persistence model with:
|
|
- permissions
|
|
- ownership scope
|
|
- branch scope mode
|
|
- product scope mode
|
|
- approval authority
|
|
- active/system flags
|
|
- Added membership scope fields:
|
|
- `branchScopeIds`
|
|
- `productTypeScopeIds`
|
|
- Added resolved CRM access helper to combine:
|
|
- system role
|
|
- membership role
|
|
- role profile permissions
|
|
- direct membership permissions
|
|
- Added CRM Settings > Roles page and role-management APIs for:
|
|
- role listing
|
|
- role editing
|
|
- permission matrix
|
|
- role cloning
|
|
- role activation/deactivation
|
|
- Added audit logging for CRM role create/update events.
|
|
- Moved CRM dashboard access evaluation to resolved branch/product/ownership scope.
|
|
- Started server-side enquiry enforcement for:
|
|
- branch scope
|
|
- product-type scope
|
|
- ownership visibility
|
|
- assign/reassign/follow-up access consistency
|
|
|
|
## Notes
|
|
|
|
- This task lays the authorization foundation first; dynamic user assignment UI for cloned CRM roles can build on top of these role profiles next.
|
|
- Quotation and approval flows should continue migrating onto the same resolved access model so ownership and scope rules stay consistent across CRM.
|
|
|
|
## Verification
|
|
|
|
- Run: `npx tsc --noEmit`
|
|
- Confirm CRM Settings sidebar shows `Roles & Permissions` only for users with `crm.role.read`
|
|
- Confirm sales users cannot access enquiries outside assigned branch/product scope
|
|
- Confirm dashboard export and dashboard summary honor resolved scope and permissions
|