6.7 KiB
Task L.3: Full CRM Scope Enforcement & Security Validation
Objective
Complete CRM authorization by enforcing resolved CRM access consistently across all CRM modules.
After Task L.3:
Resolved CRM Access
becomes the single source of truth for:
Visibility
Ownership
Branch Scope
Product Scope
Approval Authority
Pricing Visibility
Dashboard Access
Settings Access
No CRM module may rely solely on UI filtering or legacy membership role behavior.
Background
Completed:
Task L
Task L.1
Task L.2
Current state:
CRM Role Profiles
CRM User Role Assignments
Effective Access Resolver
User Management Integration
Remaining risk:
Some modules may still:
filter in UI only
use organization visibility
ignore branch scope
ignore product scope
ignore ownership scope
Task L.3 closes those gaps.
Scope L3.1 Access Enforcement Inventory
Create a complete inventory of CRM endpoints.
Audit:
Customers
Contacts
Leads
Enquiries
Quotations
Approvals
Dashboard
Document Artifacts
CRM Settings
For each endpoint classify:
Protected
Partially Protected
Not Protected
Legacy Protected
Output:
docs/security/crm-access-enforcement-inventory.md
Scope L3.2 Resolver Adoption Audit
Verify every CRM route uses:
resolveCrmAccess()
or equivalent centralized helper.
Remove direct dependency on:
membership.businessRole
membership.role
manual permission arrays
except compatibility fallback inside resolver.
Scope L3.3 Customer Enforcement
Apply:
Branch Scope
Product Scope
Ownership Scope
Rules:
Sales:
own customers only
Manager:
team customers
Admin:
organization customers
CRM Admin:
all CRM customers
Server-side enforced.
Scope L3.4 Contact Enforcement
Apply same rules.
Preserve:
Contact Sharing
Rules:
Shared contacts remain visible.
Ownership rules still respected.
Scope L3.5 Lead Enforcement
Apply:
Lead Scope
Marketing:
view monitoring surfaces
assign leads
view follow-ups
Sales:
assigned leads only
Manager:
team leads
Enforce:
branch scope
product scope
ownership
Scope L3.6 Enquiry Enforcement
Apply:
lead -> enquiry pipeline rules
Sales:
assigned enquiries only
Manager:
team enquiries
Marketing:
monitor only
Must not edit sales-owned enquiries unless permission exists.
Scope L3.7 Quotation Enforcement
Highest priority.
Rules:
Sales:
own quotations
Manager:
team quotations
CRM Admin:
all quotations
Marketing:
cannot view pricing
cannot edit quotations
Support:
can edit only if permission granted
Scope L3.8 Pricing Visibility Enforcement
Add centralized helper:
canViewQuotationPricing()
Required for:
Quotation Detail
Quotation List
Dashboard Revenue
Exports
PDF Preview
PDF Download
Approved PDF
If denied:
Hide:
subtotal
discount
tax
total
currency values
Server-side.
Not UI-only.
Scope L3.9 Approval Enforcement
Verify:
approval authority
comes from:
resolved CRM access
not role string.
Rules:
Only users with matching authority level may:
approve
reject
request changes
Scope L3.10 Dashboard Enforcement
Apply resolved scope to:
Lead KPI
Enquiry KPI
Revenue KPI
Approval KPI
Follow-up KPI
Sales Ranking
Exports
Rules:
Revenue only visible with:
crm.quotation.price.read
Sales Ranking:
branch/product filtered
Exports:
same scope as dashboard
Scope L3.11 Report / Export Enforcement
Audit:
CSV
Excel
Dashboard Export
Revenue Export
Sales Ranking Export
Rules:
Export must never return records not visible in UI.
Server-side filtering required.
Scope L3.12 Document Artifact Enforcement
Protect:
Approved PDF
Artifacts
Downloads
Rules:
User may download only if:
can access quotation
AND
has artifact permission
No direct artifact bypass.
Scope L3.13 CRM Settings Enforcement
Protect:
Roles
User Assignments
Templates
Approval Workflows
Document Sequences
Master Options
Permissions:
crm.role.*
crm.role.assignment.*
crm.document_template.*
crm.approval.workflow.*
crm.document_sequence.*
crm.master_option.*
No implicit admin access.
Scope L3.14 Security Regression Suite
Add:
scripts/security/verify-crm-access.ts
Verify:
Marketing
cannot see quotation prices
cannot export revenue
cannot approve quotation
Sales
cannot see other sales records
Sales Manager
can see team records only
CRM Admin
can manage settings
Mixed Roles
permissions union correctly
scope union correctly
Scope L3.15 Security Audit Logging
Audit entity:
crm_security_access
Log:
access_denied
scope_violation
permission_violation
pricing_hidden
Purpose:
Security troubleshooting.
Scope L3.16 Documentation
Create:
docs/security/crm-authorization-boundaries.md
docs/implementation/task-l3-full-crm-scope-enforcement.md
Document:
ownership model
scope model
pricing visibility model
approval authority model
dashboard visibility model
artifact visibility model
Verification Matrix
Marketing
Expected:
Lead Monitoring
Follow-ups
Assignments
No Pricing
No Revenue
No Approval
Sales
Expected:
Own Records
Own Quotations
Own Follow-ups
Sales Manager
Expected:
Team Visibility
Approval Access
CRM Admin
Expected:
Settings
Roles
Templates
Sequences
Sales + Manager
Expected:
Union Permissions
Union Scope
Marketing + Sales Support
Expected:
Lead Access
Quotation Support
No Revenue
Deliverables
- Full CRM Scope Enforcement
- Pricing Visibility Layer
- Dashboard Security Layer
- Artifact Security Layer
- Approval Authority Enforcement
- Security Verification Suite
- Security Audit Logging
- Authorization Boundary Documentation
Definition of Done
Task L.3 is complete when:
- all CRM routes use resolved CRM access
- branch scope enforced
- product scope enforced
- ownership scope enforced
- pricing visibility enforced
- dashboard security enforced
- artifact security enforced
- approval authority enforced
- exports respect visibility
- regression suite passes
- authorization boundaries documented
Result:
Authorization Foundation = CLOSED
CRM Security Boundary = PRODUCTION READY