5.9 KiB
Task L.3.1: Customer, Contact & Approval Visibility Hardening
Objective
Close the remaining authorization gaps from Task L.3 and make CRM visibility enforcement production-ready.
After Task L.3.1:
Customer Visibility
Contact Visibility
Approval Visibility
must all use the same resolved CRM access model as:
Leads
Enquiries
Quotations
Dashboard
PDF
Artifacts
This task is expected to close the Authorization Epic.
Background
Task L.3 completed:
Quotation Scope Enforcement
Pricing Visibility
PDF Security
Artifact Security
Dashboard Revenue Security
Approval Actor Validation
Remaining gaps:
Customer Ownership Scope
Contact Ownership Scope
Approval List Visibility
Approval Detail Visibility
Runtime Security Verification
Scope L3.1.1 Customer Ownership Enforcement
Apply resolved CRM access to:
Customers List
Customer Detail
Customer Search
Customer Lookup
Customer API
Rules:
Sales
Own customers only
Customer ownership derived from:
createdBy
salesmanId
assigned ownership relationship
based on current CRM model.
Sales Manager
Team customers
limited by:
Branch Scope
Product Scope
Ownership Scope
Marketing
Monitoring visibility only
May view customer profile if related to:
Lead
Enquiry
but cannot access quotation pricing.
CRM Admin
Organization-wide visibility
Scope L3.1.2 Contact Ownership Enforcement
Apply same resolved access model.
Protect:
Contacts List
Contact Detail
Contact Search
Contact API
Rules:
Owner
Shared User
Manager Scope
Admin Scope
must all work correctly.
Scope L3.1.3 Contact Sharing Validation
Audit existing sharing model.
Verify:
Shared Contact
still visible after ownership enforcement.
Rules:
Creator
Shared User
CRM Admin
retain access.
Users outside sharing relationship:
Access Denied
Scope L3.1.4 Approval Visibility Enforcement
Approval actor validation already exists.
Now enforce visibility for:
Approval List
Approval Detail
Approval History
Approval Dashboard Widgets
Rules:
User can only see approval records when:
Can Access Related Quotation
OR
Current Approval Actor
OR
CRM Admin
Scope L3.1.5 Approval Detail Security
Protect:
Approval Route
Approval APIs
Approval Timeline
Approval History
Users without quotation visibility:
cannot access approval details
even if they know the URL.
Server-side enforcement required.
Scope L3.1.6 Approval Dashboard Hardening
Verify:
Pending Approvals
My Approvals
Approval KPIs
Approval Analytics
all respect:
Branch Scope
Product Scope
Ownership Scope
and resolved CRM access.
Scope L3.1.7 Team Scope Clarification
Current implementation uses:
Most Permissive Ownership Scope
but team membership is approximate.
Document current behavior.
Create:
docs/security/team-scope-limitations.md
Document:
Current Team Scope Logic
Known Limitations
Future Team Hierarchy Model
No hierarchy implementation in this task.
Scope L3.1.8 Security Fixture Expansion
Expand:
scripts/security/verify-crm-access.ts
Add scenarios:
Customer Visibility
Sales A
cannot see
Sales B customer
Contact Sharing
Shared Contact
visible
Unshared Contact
hidden
Approval Visibility
Approver
can access
Non-Approver
cannot access
Marketing
can monitor lead
cannot view quotation pricing
CRM Admin
full access
Scope L3.1.9 Security Audit Logging
Extend:
crm_security_access
Events:
customer_scope_violation
contact_scope_violation
approval_scope_violation
Payload:
userId
entityId
entityType
reason
resolvedScope
Scope L3.1.10 Security Inventory Update
Update:
docs/security/crm-access-enforcement-inventory.md
Status should become:
Protected
for:
Customers
Contacts
Approvals
Remove:
Partially Protected
classification where resolved.
Scope L3.1.11 Authorization Boundary Review
Update:
docs/security/crm-authorization-boundaries.md
Document final behavior for:
Customer
Contact
Lead
Enquiry
Quotation
Approval
Dashboard
Artifacts
Settings
This becomes the official CRM authorization reference.
Verification Matrix
Sales A
Expected:
Own Customers
Own Contacts
Own Quotations
Cannot:
Access Sales B records
Sales Manager
Expected:
Team Customers
Team Contacts
Team Quotations
within scope.
Marketing
Expected:
Lead Monitoring
Follow-Ups
Assignments
Cannot:
View Pricing
View Revenue
View Approval Detail
Approver
Expected:
Can Access Pending Approval
Can Access Approval Detail
Non Approver
Expected:
Cannot Access Approval Detail
CRM Admin
Expected:
Full CRM Access
Deliverables
- Customer Ownership Enforcement
- Contact Ownership Enforcement
- Contact Sharing Validation
- Approval Visibility Enforcement
- Approval Dashboard Hardening
- Security Fixture Expansion
- Security Audit Events
- Updated Security Inventory
- Authorization Boundary Review
Definition of Done
Task L.3.1 is complete when:
- customer visibility uses resolved CRM access
- contact visibility uses resolved CRM access
- contact sharing still works
- approval visibility is secured
- approval detail is secured
- approval dashboard respects scope
- security regression scenarios pass
- security inventory updated
- authorization boundary documentation updated
Result:
Authorization Foundation = CLOSED
CRM Security Boundary = PRODUCTION READY
CRM UAT Security Baseline = READY