2.0 KiB
2.0 KiB
Task L: CRM Permission & Role Management
Summary
Task L starts the production CRM authorization foundation by replacing template-level behavior with organization-owned role profiles, effective permission resolution, and server-side scope enforcement.
Implemented
- Added CRM role profile defaults for:
marketingsalessales_supportsales_managerdepartment_managertop_managercrm_admin
- Added dedicated CRM permissions for:
- quotation pricing visibility
- role management
- master option management
- Added
crmRoleProfilespersistence model with:- permissions
- ownership scope
- branch scope mode
- product scope mode
- approval authority
- active/system flags
- Added membership scope fields:
branchScopeIdsproductTypeScopeIds
- Added resolved CRM access helper to combine:
- system role
- membership role
- role profile permissions
- direct membership permissions
- Added CRM Settings > Roles page and role-management APIs for:
- role listing
- role editing
- permission matrix
- role cloning
- role activation/deactivation
- Added audit logging for CRM role create/update events.
- Moved CRM dashboard access evaluation to resolved branch/product/ownership scope.
- Started server-side enquiry enforcement for:
- branch scope
- product-type scope
- ownership visibility
- assign/reassign/follow-up access consistency
Notes
- This task lays the authorization foundation first; dynamic user assignment UI for cloned CRM roles can build on top of these role profiles next.
- Quotation and approval flows should continue migrating onto the same resolved access model so ownership and scope rules stay consistent across CRM.
Verification
- Run:
npx tsc --noEmit - Confirm CRM Settings sidebar shows
Roles & Permissionsonly for users withcrm.role.read - Confirm sales users cannot access enquiries outside assigned branch/product scope
- Confirm dashboard export and dashboard summary honor resolved scope and permissions