5.4 KiB
Task L: CRM Permission & Role Management Center
Objective
Replace remaining template-level role behavior with a production CRM authorization model.
Task L establishes:
- CRM business roles
- role-based permissions
- branch scope
- product-type scope
- ownership visibility
- approval authority
- menu visibility
- configuration security
This task becomes the authorization foundation for all future CRM modules.
Current Problems
The system currently has:
Users
Memberships
Roles
Permissions
but still relies partly on template behavior.
Examples:
- users cannot manage permissions directly
- role assignment is incomplete
- branch visibility is not enforced everywhere
- product-type visibility is not enforced everywhere
- dashboard visibility still depends on broad organization access
- approval authority is role-driven but not centrally configurable
Business Roles (Frozen)
Marketing
Responsibilities:
Lead creation
Lead follow-up
Lead assignment
Lead monitoring
Can:
View Leads
Create Leads
Assign Leads
View Enquiries
View Follow-Ups
Cannot:
View quotation pricing
View revenue dashboard
Approve quotations
Edit quotations
Sales
Responsibilities:
Manage enquiries
Manage quotations
Manage follow-ups
Can:
View assigned enquiries
Create quotations
Edit own quotations
Manage own follow-ups
Cannot:
View other sales data
Approve quotations
Manage CRM settings
Sales Support
Can:
Create quotations
Edit quotations
Support sales operations
Cannot:
Approve quotations
View management analytics
Sales Manager
Can:
View team enquiries
Assign sales
Approve quotations
View team dashboard
Visibility:
Branch scope
Product-type scope
Department Manager
Can:
Approve quotations
View department analytics
View department pipeline
Top Manager
Can:
Approve final quotations
View all CRM analytics
CRM Admin
Can:
Manage templates
Manage workflows
Manage document sequences
Manage master options
Manage CRM configuration
Cannot:
Override system security
System Admin
Can:
Everything
Scope L.1 Role Management UI
Add:
CRM Settings
└─ Roles & Permissions
Features:
Role list
Role detail
Permission matrix
Role cloning
Role activation
Role deactivation
Scope L.2 Permission Assignment
Allow administrators to assign permissions to roles.
Support:
read
create
update
delete
approve
assign
export
manage
Examples:
crm.lead.read
crm.lead.create
crm.enquiry.read
crm.enquiry.assign
crm.quotation.approve
crm.dashboard.export
Scope L.3 User Permission Resolution
Effective permission:
System Role
+
Membership Role
+
Direct Permissions
Evaluation order:
System Admin
↓
Role Permissions
↓
User Overrides
Scope L.4 Branch Scope
User can be assigned:
Bangkok
Rayong
Chiang Mai
Visibility enforced server-side.
Examples:
Sales Bangkok
cannot view
Rayong enquiries
Scope L.5 Product Type Scope
Supported:
Crane
Dock Door
Solar Cell
Service
Spare Part
Example:
Sales Crane
cannot see
Solar quotations
Scope L.6 Ownership Enforcement
Server-side rules.
Sales:
Own records only
Manager:
Team records
Admin:
Organization records
Marketing:
Lead monitoring only
Scope L.7 Menu Security
Navigation generated from permissions.
Examples:
Lead
Enquiry
Quotation
Approval
Dashboard
Settings
Menus disappear automatically when permission is absent.
Scope L.8 Dashboard Security
Enforce:
Lead KPI
Enquiry KPI
Revenue KPI
Approval KPI
according to permission.
No UI-only hiding.
Server-side enforcement required.
Scope L.9 CRM Settings Security
Protect:
Document Templates
Approval Workflows
Document Sequences
Master Options
using dedicated CRM permissions.
Scope L.10 Permission Audit
Audit:
Role Created
Role Updated
Role Deleted
Permission Added
Permission Removed
Scope Changed
Entity Types:
crm_role
crm_permission
crm_scope
Scope L.11 Migration Strategy
Convert legacy roles:
admin
user
into CRM-aligned business roles.
Backfill:
sales
marketing
sales_manager
crm_admin
where possible.
Retain historical records.
Scope L.12 Verification
Verify:
Marketing cannot see quotation price
Sales cannot see other sales enquiries
Managers can see team data
Dashboard respects permissions
Menus respect permissions
CRM settings respect permissions
Run:
npx tsc --noEmit
Deliverables
- Role Management Center
- Permission Matrix
- Branch Scope Enforcement
- Product Type Scope Enforcement
- Ownership Visibility Enforcement
- Dashboard Security Enforcement
- CRM Settings Security
- Audit Logging
- Legacy Role Migration
Definition of Done
Task L is complete when:
- permissions are assignable
- role matrix exists
- branch scope enforced
- product scope enforced
- ownership enforced
- dashboard secured
- settings secured
- menus secured
- audits recorded
This becomes the final authorization foundation before Report Center and Notification Center work begins.