Files
alla-allaos-fullstack/plans/task-l.3.1.md
phaichayon 1b901efc51 task-l.3.1
2026-06-22 14:18:26 +07:00

5.9 KiB

Task L.3.1: Customer, Contact & Approval Visibility Hardening

Objective

Close the remaining authorization gaps from Task L.3 and make CRM visibility enforcement production-ready.

After Task L.3.1:

Customer Visibility
Contact Visibility
Approval Visibility

must all use the same resolved CRM access model as:

Leads
Enquiries
Quotations
Dashboard
PDF
Artifacts

This task is expected to close the Authorization Epic.


Background

Task L.3 completed:

Quotation Scope Enforcement
Pricing Visibility
PDF Security
Artifact Security
Dashboard Revenue Security
Approval Actor Validation

Remaining gaps:

Customer Ownership Scope
Contact Ownership Scope
Approval List Visibility
Approval Detail Visibility
Runtime Security Verification

Scope L3.1.1 Customer Ownership Enforcement

Apply resolved CRM access to:

Customers List
Customer Detail
Customer Search
Customer Lookup
Customer API

Rules:

Sales

Own customers only

Customer ownership derived from:

createdBy
salesmanId
assigned ownership relationship

based on current CRM model.


Sales Manager

Team customers

limited by:

Branch Scope
Product Scope
Ownership Scope

Marketing

Monitoring visibility only

May view customer profile if related to:

Lead
Enquiry

but cannot access quotation pricing.


CRM Admin

Organization-wide visibility

Scope L3.1.2 Contact Ownership Enforcement

Apply same resolved access model.

Protect:

Contacts List
Contact Detail
Contact Search
Contact API

Rules:

Owner
Shared User
Manager Scope
Admin Scope

must all work correctly.


Scope L3.1.3 Contact Sharing Validation

Audit existing sharing model.

Verify:

Shared Contact

still visible after ownership enforcement.

Rules:

Creator
Shared User
CRM Admin

retain access.

Users outside sharing relationship:

Access Denied

Scope L3.1.4 Approval Visibility Enforcement

Approval actor validation already exists.

Now enforce visibility for:

Approval List
Approval Detail
Approval History
Approval Dashboard Widgets

Rules:

User can only see approval records when:

Can Access Related Quotation

OR

Current Approval Actor

OR

CRM Admin

Scope L3.1.5 Approval Detail Security

Protect:

Approval Route
Approval APIs
Approval Timeline
Approval History

Users without quotation visibility:

cannot access approval details

even if they know the URL.

Server-side enforcement required.


Scope L3.1.6 Approval Dashboard Hardening

Verify:

Pending Approvals
My Approvals
Approval KPIs
Approval Analytics

all respect:

Branch Scope
Product Scope
Ownership Scope

and resolved CRM access.


Scope L3.1.7 Team Scope Clarification

Current implementation uses:

Most Permissive Ownership Scope

but team membership is approximate.

Document current behavior.

Create:

docs/security/team-scope-limitations.md

Document:

Current Team Scope Logic
Known Limitations
Future Team Hierarchy Model

No hierarchy implementation in this task.


Scope L3.1.8 Security Fixture Expansion

Expand:

scripts/security/verify-crm-access.ts

Add scenarios:

Customer Visibility

Sales A
cannot see
Sales B customer

Contact Sharing

Shared Contact
visible

Unshared Contact
hidden

Approval Visibility

Approver
can access

Non-Approver
cannot access

Marketing

can monitor lead
cannot view quotation pricing

CRM Admin

full access

Scope L3.1.9 Security Audit Logging

Extend:

crm_security_access

Events:

customer_scope_violation
contact_scope_violation
approval_scope_violation

Payload:

userId
entityId
entityType
reason
resolvedScope

Scope L3.1.10 Security Inventory Update

Update:

docs/security/crm-access-enforcement-inventory.md

Status should become:

Protected

for:

Customers
Contacts
Approvals

Remove:

Partially Protected

classification where resolved.


Scope L3.1.11 Authorization Boundary Review

Update:

docs/security/crm-authorization-boundaries.md

Document final behavior for:

Customer
Contact
Lead
Enquiry
Quotation
Approval
Dashboard
Artifacts
Settings

This becomes the official CRM authorization reference.


Verification Matrix

Sales A

Expected:

Own Customers
Own Contacts
Own Quotations

Cannot:

Access Sales B records

Sales Manager

Expected:

Team Customers
Team Contacts
Team Quotations

within scope.


Marketing

Expected:

Lead Monitoring
Follow-Ups
Assignments

Cannot:

View Pricing
View Revenue
View Approval Detail

Approver

Expected:

Can Access Pending Approval
Can Access Approval Detail

Non Approver

Expected:

Cannot Access Approval Detail

CRM Admin

Expected:

Full CRM Access

Deliverables

  1. Customer Ownership Enforcement
  2. Contact Ownership Enforcement
  3. Contact Sharing Validation
  4. Approval Visibility Enforcement
  5. Approval Dashboard Hardening
  6. Security Fixture Expansion
  7. Security Audit Events
  8. Updated Security Inventory
  9. Authorization Boundary Review

Definition of Done

Task L.3.1 is complete when:

  • customer visibility uses resolved CRM access
  • contact visibility uses resolved CRM access
  • contact sharing still works
  • approval visibility is secured
  • approval detail is secured
  • approval dashboard respects scope
  • security regression scenarios pass
  • security inventory updated
  • authorization boundary documentation updated

Result:

Authorization Foundation = CLOSED
CRM Security Boundary = PRODUCTION READY
CRM UAT Security Baseline = READY