508 lines
5.4 KiB
Markdown
508 lines
5.4 KiB
Markdown
# Task L: CRM Permission & Role Management Center
|
|
|
|
## Objective
|
|
|
|
Replace remaining template-level role behavior with a production CRM authorization model.
|
|
|
|
Task L establishes:
|
|
|
|
* CRM business roles
|
|
* role-based permissions
|
|
* branch scope
|
|
* product-type scope
|
|
* ownership visibility
|
|
* approval authority
|
|
* menu visibility
|
|
* configuration security
|
|
|
|
This task becomes the authorization foundation for all future CRM modules.
|
|
|
|
---
|
|
|
|
# Current Problems
|
|
|
|
The system currently has:
|
|
|
|
```txt
|
|
Users
|
|
Memberships
|
|
Roles
|
|
Permissions
|
|
```
|
|
|
|
but still relies partly on template behavior.
|
|
|
|
Examples:
|
|
|
|
* users cannot manage permissions directly
|
|
* role assignment is incomplete
|
|
* branch visibility is not enforced everywhere
|
|
* product-type visibility is not enforced everywhere
|
|
* dashboard visibility still depends on broad organization access
|
|
* approval authority is role-driven but not centrally configurable
|
|
|
|
---
|
|
|
|
# Business Roles (Frozen)
|
|
|
|
## Marketing
|
|
|
|
Responsibilities:
|
|
|
|
```txt
|
|
Lead creation
|
|
Lead follow-up
|
|
Lead assignment
|
|
Lead monitoring
|
|
```
|
|
|
|
Can:
|
|
|
|
```txt
|
|
View Leads
|
|
Create Leads
|
|
Assign Leads
|
|
View Enquiries
|
|
View Follow-Ups
|
|
```
|
|
|
|
Cannot:
|
|
|
|
```txt
|
|
View quotation pricing
|
|
View revenue dashboard
|
|
Approve quotations
|
|
Edit quotations
|
|
```
|
|
|
|
---
|
|
|
|
## Sales
|
|
|
|
Responsibilities:
|
|
|
|
```txt
|
|
Manage enquiries
|
|
Manage quotations
|
|
Manage follow-ups
|
|
```
|
|
|
|
Can:
|
|
|
|
```txt
|
|
View assigned enquiries
|
|
Create quotations
|
|
Edit own quotations
|
|
Manage own follow-ups
|
|
```
|
|
|
|
Cannot:
|
|
|
|
```txt
|
|
View other sales data
|
|
Approve quotations
|
|
Manage CRM settings
|
|
```
|
|
|
|
---
|
|
|
|
## Sales Support
|
|
|
|
Can:
|
|
|
|
```txt
|
|
Create quotations
|
|
Edit quotations
|
|
Support sales operations
|
|
```
|
|
|
|
Cannot:
|
|
|
|
```txt
|
|
Approve quotations
|
|
View management analytics
|
|
```
|
|
|
|
---
|
|
|
|
## Sales Manager
|
|
|
|
Can:
|
|
|
|
```txt
|
|
View team enquiries
|
|
Assign sales
|
|
Approve quotations
|
|
View team dashboard
|
|
```
|
|
|
|
Visibility:
|
|
|
|
```txt
|
|
Branch scope
|
|
Product-type scope
|
|
```
|
|
|
|
---
|
|
|
|
## Department Manager
|
|
|
|
Can:
|
|
|
|
```txt
|
|
Approve quotations
|
|
View department analytics
|
|
View department pipeline
|
|
```
|
|
|
|
---
|
|
|
|
## Top Manager
|
|
|
|
Can:
|
|
|
|
```txt
|
|
Approve final quotations
|
|
View all CRM analytics
|
|
```
|
|
|
|
---
|
|
|
|
## CRM Admin
|
|
|
|
Can:
|
|
|
|
```txt
|
|
Manage templates
|
|
Manage workflows
|
|
Manage document sequences
|
|
Manage master options
|
|
Manage CRM configuration
|
|
```
|
|
|
|
Cannot:
|
|
|
|
```txt
|
|
Override system security
|
|
```
|
|
|
|
---
|
|
|
|
## System Admin
|
|
|
|
Can:
|
|
|
|
```txt
|
|
Everything
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.1 Role Management UI
|
|
|
|
Add:
|
|
|
|
```txt
|
|
CRM Settings
|
|
└─ Roles & Permissions
|
|
```
|
|
|
|
Features:
|
|
|
|
```txt
|
|
Role list
|
|
Role detail
|
|
Permission matrix
|
|
Role cloning
|
|
Role activation
|
|
Role deactivation
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.2 Permission Assignment
|
|
|
|
Allow administrators to assign permissions to roles.
|
|
|
|
Support:
|
|
|
|
```txt
|
|
read
|
|
create
|
|
update
|
|
delete
|
|
approve
|
|
assign
|
|
export
|
|
manage
|
|
```
|
|
|
|
Examples:
|
|
|
|
```txt
|
|
crm.lead.read
|
|
crm.lead.create
|
|
|
|
crm.enquiry.read
|
|
crm.enquiry.assign
|
|
|
|
crm.quotation.approve
|
|
|
|
crm.dashboard.export
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.3 User Permission Resolution
|
|
|
|
Effective permission:
|
|
|
|
```txt
|
|
System Role
|
|
+
|
|
Membership Role
|
|
+
|
|
Direct Permissions
|
|
```
|
|
|
|
Evaluation order:
|
|
|
|
```txt
|
|
System Admin
|
|
↓
|
|
Role Permissions
|
|
↓
|
|
User Overrides
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.4 Branch Scope
|
|
|
|
User can be assigned:
|
|
|
|
```txt
|
|
Bangkok
|
|
Rayong
|
|
Chiang Mai
|
|
```
|
|
|
|
Visibility enforced server-side.
|
|
|
|
Examples:
|
|
|
|
```txt
|
|
Sales Bangkok
|
|
cannot view
|
|
Rayong enquiries
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.5 Product Type Scope
|
|
|
|
Supported:
|
|
|
|
```txt
|
|
Crane
|
|
Dock Door
|
|
Solar Cell
|
|
Service
|
|
Spare Part
|
|
```
|
|
|
|
Example:
|
|
|
|
```txt
|
|
Sales Crane
|
|
cannot see
|
|
Solar quotations
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.6 Ownership Enforcement
|
|
|
|
Server-side rules.
|
|
|
|
Sales:
|
|
|
|
```txt
|
|
Own records only
|
|
```
|
|
|
|
Manager:
|
|
|
|
```txt
|
|
Team records
|
|
```
|
|
|
|
Admin:
|
|
|
|
```txt
|
|
Organization records
|
|
```
|
|
|
|
Marketing:
|
|
|
|
```txt
|
|
Lead monitoring only
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.7 Menu Security
|
|
|
|
Navigation generated from permissions.
|
|
|
|
Examples:
|
|
|
|
```txt
|
|
Lead
|
|
Enquiry
|
|
Quotation
|
|
Approval
|
|
Dashboard
|
|
Settings
|
|
```
|
|
|
|
Menus disappear automatically when permission is absent.
|
|
|
|
---
|
|
|
|
# Scope L.8 Dashboard Security
|
|
|
|
Enforce:
|
|
|
|
```txt
|
|
Lead KPI
|
|
Enquiry KPI
|
|
Revenue KPI
|
|
Approval KPI
|
|
```
|
|
|
|
according to permission.
|
|
|
|
No UI-only hiding.
|
|
|
|
Server-side enforcement required.
|
|
|
|
---
|
|
|
|
# Scope L.9 CRM Settings Security
|
|
|
|
Protect:
|
|
|
|
```txt
|
|
Document Templates
|
|
Approval Workflows
|
|
Document Sequences
|
|
Master Options
|
|
```
|
|
|
|
using dedicated CRM permissions.
|
|
|
|
---
|
|
|
|
# Scope L.10 Permission Audit
|
|
|
|
Audit:
|
|
|
|
```txt
|
|
Role Created
|
|
Role Updated
|
|
Role Deleted
|
|
|
|
Permission Added
|
|
Permission Removed
|
|
|
|
Scope Changed
|
|
```
|
|
|
|
Entity Types:
|
|
|
|
```txt
|
|
crm_role
|
|
crm_permission
|
|
crm_scope
|
|
```
|
|
|
|
---
|
|
|
|
# Scope L.11 Migration Strategy
|
|
|
|
Convert legacy roles:
|
|
|
|
```txt
|
|
admin
|
|
user
|
|
```
|
|
|
|
into CRM-aligned business roles.
|
|
|
|
Backfill:
|
|
|
|
```txt
|
|
sales
|
|
marketing
|
|
sales_manager
|
|
crm_admin
|
|
```
|
|
|
|
where possible.
|
|
|
|
Retain historical records.
|
|
|
|
---
|
|
|
|
# Scope L.12 Verification
|
|
|
|
Verify:
|
|
|
|
```txt
|
|
Marketing cannot see quotation price
|
|
Sales cannot see other sales enquiries
|
|
Managers can see team data
|
|
Dashboard respects permissions
|
|
Menus respect permissions
|
|
CRM settings respect permissions
|
|
```
|
|
|
|
Run:
|
|
|
|
```txt
|
|
npx tsc --noEmit
|
|
```
|
|
|
|
---
|
|
|
|
# Deliverables
|
|
|
|
1. Role Management Center
|
|
2. Permission Matrix
|
|
3. Branch Scope Enforcement
|
|
4. Product Type Scope Enforcement
|
|
5. Ownership Visibility Enforcement
|
|
6. Dashboard Security Enforcement
|
|
7. CRM Settings Security
|
|
8. Audit Logging
|
|
9. Legacy Role Migration
|
|
|
|
---
|
|
|
|
# Definition of Done
|
|
|
|
Task L is complete when:
|
|
|
|
* permissions are assignable
|
|
* role matrix exists
|
|
* branch scope enforced
|
|
* product scope enforced
|
|
* ownership enforced
|
|
* dashboard secured
|
|
* settings secured
|
|
* menus secured
|
|
* audits recorded
|
|
|
|
This becomes the final authorization foundation before Report Center and Notification Center work begins.
|