Files
alla-allaos-fullstack/docs/implementation/task-l-crm-permission-role-management.md
phaichayon b154a8de33 task-l
2026-06-22 10:22:45 +07:00

2.0 KiB

Task L: CRM Permission & Role Management

Summary

Task L starts the production CRM authorization foundation by replacing template-level behavior with organization-owned role profiles, effective permission resolution, and server-side scope enforcement.

Implemented

  • Added CRM role profile defaults for:
    • marketing
    • sales
    • sales_support
    • sales_manager
    • department_manager
    • top_manager
    • crm_admin
  • Added dedicated CRM permissions for:
    • quotation pricing visibility
    • role management
    • master option management
  • Added crmRoleProfiles persistence model with:
    • permissions
    • ownership scope
    • branch scope mode
    • product scope mode
    • approval authority
    • active/system flags
  • Added membership scope fields:
    • branchScopeIds
    • productTypeScopeIds
  • Added resolved CRM access helper to combine:
    • system role
    • membership role
    • role profile permissions
    • direct membership permissions
  • Added CRM Settings > Roles page and role-management APIs for:
    • role listing
    • role editing
    • permission matrix
    • role cloning
    • role activation/deactivation
  • Added audit logging for CRM role create/update events.
  • Moved CRM dashboard access evaluation to resolved branch/product/ownership scope.
  • Started server-side enquiry enforcement for:
    • branch scope
    • product-type scope
    • ownership visibility
    • assign/reassign/follow-up access consistency

Notes

  • This task lays the authorization foundation first; dynamic user assignment UI for cloned CRM roles can build on top of these role profiles next.
  • Quotation and approval flows should continue migrating onto the same resolved access model so ownership and scope rules stay consistent across CRM.

Verification

  • Run: npx tsc --noEmit
  • Confirm CRM Settings sidebar shows Roles & Permissions only for users with crm.role.read
  • Confirm sales users cannot access enquiries outside assigned branch/product scope
  • Confirm dashboard export and dashboard summary honor resolved scope and permissions