Files
alla-allaos-fullstack/plans/task-l.3.1.md
phaichayon 1b901efc51 task-l.3.1
2026-06-22 14:18:26 +07:00

562 lines
5.9 KiB
Markdown

# Task L.3.1: Customer, Contact & Approval Visibility Hardening
## Objective
Close the remaining authorization gaps from Task L.3 and make CRM visibility enforcement production-ready.
After Task L.3.1:
```txt
Customer Visibility
Contact Visibility
Approval Visibility
```
must all use the same resolved CRM access model as:
```txt
Leads
Enquiries
Quotations
Dashboard
PDF
Artifacts
```
This task is expected to close the Authorization Epic.
---
# Background
Task L.3 completed:
```txt
Quotation Scope Enforcement
Pricing Visibility
PDF Security
Artifact Security
Dashboard Revenue Security
Approval Actor Validation
```
Remaining gaps:
```txt
Customer Ownership Scope
Contact Ownership Scope
Approval List Visibility
Approval Detail Visibility
Runtime Security Verification
```
---
# Scope L3.1.1 Customer Ownership Enforcement
Apply resolved CRM access to:
```txt
Customers List
Customer Detail
Customer Search
Customer Lookup
Customer API
```
Rules:
## Sales
```txt
Own customers only
```
Customer ownership derived from:
```txt
createdBy
salesmanId
assigned ownership relationship
```
based on current CRM model.
---
## Sales Manager
```txt
Team customers
```
limited by:
```txt
Branch Scope
Product Scope
Ownership Scope
```
---
## Marketing
```txt
Monitoring visibility only
```
May view customer profile if related to:
```txt
Lead
Enquiry
```
but cannot access quotation pricing.
---
## CRM Admin
```txt
Organization-wide visibility
```
---
# Scope L3.1.2 Contact Ownership Enforcement
Apply same resolved access model.
Protect:
```txt
Contacts List
Contact Detail
Contact Search
Contact API
```
Rules:
```txt
Owner
Shared User
Manager Scope
Admin Scope
```
must all work correctly.
---
# Scope L3.1.3 Contact Sharing Validation
Audit existing sharing model.
Verify:
```txt
Shared Contact
```
still visible after ownership enforcement.
Rules:
```txt
Creator
Shared User
CRM Admin
```
retain access.
Users outside sharing relationship:
```txt
Access Denied
```
---
# Scope L3.1.4 Approval Visibility Enforcement
Approval actor validation already exists.
Now enforce visibility for:
```txt
Approval List
Approval Detail
Approval History
Approval Dashboard Widgets
```
Rules:
User can only see approval records when:
```txt
Can Access Related Quotation
```
OR
```txt
Current Approval Actor
```
OR
```txt
CRM Admin
```
---
# Scope L3.1.5 Approval Detail Security
Protect:
```txt
Approval Route
Approval APIs
Approval Timeline
Approval History
```
Users without quotation visibility:
```txt
cannot access approval details
```
even if they know the URL.
Server-side enforcement required.
---
# Scope L3.1.6 Approval Dashboard Hardening
Verify:
```txt
Pending Approvals
My Approvals
Approval KPIs
Approval Analytics
```
all respect:
```txt
Branch Scope
Product Scope
Ownership Scope
```
and resolved CRM access.
---
# Scope L3.1.7 Team Scope Clarification
Current implementation uses:
```txt
Most Permissive Ownership Scope
```
but team membership is approximate.
Document current behavior.
Create:
```txt
docs/security/team-scope-limitations.md
```
Document:
```txt
Current Team Scope Logic
Known Limitations
Future Team Hierarchy Model
```
No hierarchy implementation in this task.
---
# Scope L3.1.8 Security Fixture Expansion
Expand:
```txt
scripts/security/verify-crm-access.ts
```
Add scenarios:
### Customer Visibility
```txt
Sales A
cannot see
Sales B customer
```
---
### Contact Sharing
```txt
Shared Contact
visible
Unshared Contact
hidden
```
---
### Approval Visibility
```txt
Approver
can access
Non-Approver
cannot access
```
---
### Marketing
```txt
can monitor lead
cannot view quotation pricing
```
---
### CRM Admin
```txt
full access
```
---
# Scope L3.1.9 Security Audit Logging
Extend:
```txt
crm_security_access
```
Events:
```txt
customer_scope_violation
contact_scope_violation
approval_scope_violation
```
Payload:
```txt
userId
entityId
entityType
reason
resolvedScope
```
---
# Scope L3.1.10 Security Inventory Update
Update:
```txt
docs/security/crm-access-enforcement-inventory.md
```
Status should become:
```txt
Protected
```
for:
```txt
Customers
Contacts
Approvals
```
Remove:
```txt
Partially Protected
```
classification where resolved.
---
# Scope L3.1.11 Authorization Boundary Review
Update:
```txt
docs/security/crm-authorization-boundaries.md
```
Document final behavior for:
```txt
Customer
Contact
Lead
Enquiry
Quotation
Approval
Dashboard
Artifacts
Settings
```
This becomes the official CRM authorization reference.
---
# Verification Matrix
## Sales A
Expected:
```txt
Own Customers
Own Contacts
Own Quotations
```
Cannot:
```txt
Access Sales B records
```
---
## Sales Manager
Expected:
```txt
Team Customers
Team Contacts
Team Quotations
```
within scope.
---
## Marketing
Expected:
```txt
Lead Monitoring
Follow-Ups
Assignments
```
Cannot:
```txt
View Pricing
View Revenue
View Approval Detail
```
---
## Approver
Expected:
```txt
Can Access Pending Approval
Can Access Approval Detail
```
---
## Non Approver
Expected:
```txt
Cannot Access Approval Detail
```
---
## CRM Admin
Expected:
```txt
Full CRM Access
```
---
# Deliverables
1. Customer Ownership Enforcement
2. Contact Ownership Enforcement
3. Contact Sharing Validation
4. Approval Visibility Enforcement
5. Approval Dashboard Hardening
6. Security Fixture Expansion
7. Security Audit Events
8. Updated Security Inventory
9. Authorization Boundary Review
---
# Definition of Done
Task L.3.1 is complete when:
* customer visibility uses resolved CRM access
* contact visibility uses resolved CRM access
* contact sharing still works
* approval visibility is secured
* approval detail is secured
* approval dashboard respects scope
* security regression scenarios pass
* security inventory updated
* authorization boundary documentation updated
Result:
```txt
Authorization Foundation = CLOSED
CRM Security Boundary = PRODUCTION READY
CRM UAT Security Baseline = READY
```