Files
alla-allaos-fullstack/plans/task-l.3.md
phaichayon 42f403a7ed task-l.3
2026-06-22 13:36:00 +07:00

6.7 KiB

Task L.3: Full CRM Scope Enforcement & Security Validation

Objective

Complete CRM authorization by enforcing resolved CRM access consistently across all CRM modules.

After Task L.3:

Resolved CRM Access

becomes the single source of truth for:

Visibility
Ownership
Branch Scope
Product Scope
Approval Authority
Pricing Visibility
Dashboard Access
Settings Access

No CRM module may rely solely on UI filtering or legacy membership role behavior.


Background

Completed:

Task L
Task L.1
Task L.2

Current state:

CRM Role Profiles
CRM User Role Assignments
Effective Access Resolver
User Management Integration

Remaining risk:

Some modules may still:

filter in UI only
use organization visibility
ignore branch scope
ignore product scope
ignore ownership scope

Task L.3 closes those gaps.


Scope L3.1 Access Enforcement Inventory

Create a complete inventory of CRM endpoints.

Audit:

Customers
Contacts
Leads
Enquiries
Quotations
Approvals
Dashboard
Document Artifacts
CRM Settings

For each endpoint classify:

Protected
Partially Protected
Not Protected
Legacy Protected

Output:

docs/security/crm-access-enforcement-inventory.md

Scope L3.2 Resolver Adoption Audit

Verify every CRM route uses:

resolveCrmAccess()

or equivalent centralized helper.

Remove direct dependency on:

membership.businessRole
membership.role
manual permission arrays

except compatibility fallback inside resolver.


Scope L3.3 Customer Enforcement

Apply:

Branch Scope
Product Scope
Ownership Scope

Rules:

Sales:

own customers only

Manager:

team customers

Admin:

organization customers

CRM Admin:

all CRM customers

Server-side enforced.


Scope L3.4 Contact Enforcement

Apply same rules.

Preserve:

Contact Sharing

Rules:

Shared contacts remain visible.

Ownership rules still respected.


Scope L3.5 Lead Enforcement

Apply:

Lead Scope

Marketing:

view monitoring surfaces
assign leads
view follow-ups

Sales:

assigned leads only

Manager:

team leads

Enforce:

branch scope
product scope
ownership

Scope L3.6 Enquiry Enforcement

Apply:

lead -> enquiry pipeline rules

Sales:

assigned enquiries only

Manager:

team enquiries

Marketing:

monitor only

Must not edit sales-owned enquiries unless permission exists.


Scope L3.7 Quotation Enforcement

Highest priority.

Rules:

Sales:

own quotations

Manager:

team quotations

CRM Admin:

all quotations

Marketing:

cannot view pricing
cannot edit quotations

Support:

can edit only if permission granted

Scope L3.8 Pricing Visibility Enforcement

Add centralized helper:

canViewQuotationPricing()

Required for:

Quotation Detail
Quotation List
Dashboard Revenue
Exports
PDF Preview
PDF Download
Approved PDF

If denied:

Hide:

subtotal
discount
tax
total
currency values

Server-side.

Not UI-only.


Scope L3.9 Approval Enforcement

Verify:

approval authority

comes from:

resolved CRM access

not role string.

Rules:

Only users with matching authority level may:

approve
reject
request changes

Scope L3.10 Dashboard Enforcement

Apply resolved scope to:

Lead KPI
Enquiry KPI
Revenue KPI
Approval KPI
Follow-up KPI
Sales Ranking
Exports

Rules:

Revenue only visible with:

crm.quotation.price.read

Sales Ranking:

branch/product filtered

Exports:

same scope as dashboard

Scope L3.11 Report / Export Enforcement

Audit:

CSV
Excel
Dashboard Export
Revenue Export
Sales Ranking Export

Rules:

Export must never return records not visible in UI.

Server-side filtering required.


Scope L3.12 Document Artifact Enforcement

Protect:

Approved PDF
Artifacts
Downloads

Rules:

User may download only if:

can access quotation
AND
has artifact permission

No direct artifact bypass.


Scope L3.13 CRM Settings Enforcement

Protect:

Roles
User Assignments
Templates
Approval Workflows
Document Sequences
Master Options

Permissions:

crm.role.*
crm.role.assignment.*
crm.document_template.*
crm.approval.workflow.*
crm.document_sequence.*
crm.master_option.*

No implicit admin access.


Scope L3.14 Security Regression Suite

Add:

scripts/security/verify-crm-access.ts

Verify:

Marketing

cannot see quotation prices
cannot export revenue
cannot approve quotation

Sales

cannot see other sales records

Sales Manager

can see team records only

CRM Admin

can manage settings

Mixed Roles

permissions union correctly
scope union correctly

Scope L3.15 Security Audit Logging

Audit entity:

crm_security_access

Log:

access_denied
scope_violation
permission_violation
pricing_hidden

Purpose:

Security troubleshooting.


Scope L3.16 Documentation

Create:

docs/security/crm-authorization-boundaries.md
docs/implementation/task-l3-full-crm-scope-enforcement.md

Document:

ownership model
scope model
pricing visibility model
approval authority model
dashboard visibility model
artifact visibility model

Verification Matrix

Marketing

Expected:

Lead Monitoring
Follow-ups
Assignments

No Pricing
No Revenue
No Approval

Sales

Expected:

Own Records
Own Quotations
Own Follow-ups

Sales Manager

Expected:

Team Visibility
Approval Access

CRM Admin

Expected:

Settings
Roles
Templates
Sequences

Sales + Manager

Expected:

Union Permissions
Union Scope

Marketing + Sales Support

Expected:

Lead Access
Quotation Support

No Revenue

Deliverables

  1. Full CRM Scope Enforcement
  2. Pricing Visibility Layer
  3. Dashboard Security Layer
  4. Artifact Security Layer
  5. Approval Authority Enforcement
  6. Security Verification Suite
  7. Security Audit Logging
  8. Authorization Boundary Documentation

Definition of Done

Task L.3 is complete when:

  • all CRM routes use resolved CRM access
  • branch scope enforced
  • product scope enforced
  • ownership scope enforced
  • pricing visibility enforced
  • dashboard security enforced
  • artifact security enforced
  • approval authority enforced
  • exports respect visibility
  • regression suite passes
  • authorization boundaries documented

Result:

Authorization Foundation = CLOSED
CRM Security Boundary = PRODUCTION READY