1.8 KiB
1.8 KiB
Task L.1: CRM Multi-Role User Assignment
Summary
Task L.1 extends the CRM authorization foundation so one user can hold multiple CRM role assignments inside the same organization.
Implemented
- Added
crm_user_role_assignmentsschema for CRM-specific authorization rows - Added assignment permissions:
crm.role.assignment.readcrm.role.assignment.createcrm.role.assignment.updatecrm.role.assignment.deletecrm.role.assignment.manage
- Added lazy compatibility backfill from
memberships.businessRoleinto CRM role assignments - Updated CRM access resolution to:
- union permissions across all active assignments
- union branch/product scope across assignments
- choose the most permissive ownership scope
- choose the highest approval authority
- use primary role for display only
- Added
CRM Settings > User Role Assignments - Added assignment API routes:
GET /api/crm/settings/user-role-assignmentsPOST /api/crm/settings/user-role-assignmentsPATCH /api/crm/settings/user-role-assignments/[id]DELETE /api/crm/settings/user-role-assignments/[id]
- Added audit logging for
crm_user_role_assignment - Added ADR
0014-crm-multi-role-user-assignment
Compatibility
memberships.businessRoleremains in place- when no active CRM role assignment exists, resolver still falls back safely
- when role assignments exist, CRM authorization no longer treats
memberships.businessRoleas the primary source
Verification
- Run:
npx tsc --noEmit
Remaining Risks
- user-creation and user-edit flows still center around legacy
memberships.businessRole - some CRM modules beyond the current resolver consumers may still need deeper scenario verification with mixed-role fixtures
- a dedicated one-shot operational migration script can still be useful even though lazy backfill is active