Files
alla-allaos-fullstack/plans/task-l.md
phaichayon b154a8de33 task-l
2026-06-22 10:22:45 +07:00

5.4 KiB

Task L: CRM Permission & Role Management Center

Objective

Replace remaining template-level role behavior with a production CRM authorization model.

Task L establishes:

  • CRM business roles
  • role-based permissions
  • branch scope
  • product-type scope
  • ownership visibility
  • approval authority
  • menu visibility
  • configuration security

This task becomes the authorization foundation for all future CRM modules.


Current Problems

The system currently has:

Users
Memberships
Roles
Permissions

but still relies partly on template behavior.

Examples:

  • users cannot manage permissions directly
  • role assignment is incomplete
  • branch visibility is not enforced everywhere
  • product-type visibility is not enforced everywhere
  • dashboard visibility still depends on broad organization access
  • approval authority is role-driven but not centrally configurable

Business Roles (Frozen)

Marketing

Responsibilities:

Lead creation
Lead follow-up
Lead assignment
Lead monitoring

Can:

View Leads
Create Leads
Assign Leads
View Enquiries
View Follow-Ups

Cannot:

View quotation pricing
View revenue dashboard
Approve quotations
Edit quotations

Sales

Responsibilities:

Manage enquiries
Manage quotations
Manage follow-ups

Can:

View assigned enquiries
Create quotations
Edit own quotations
Manage own follow-ups

Cannot:

View other sales data
Approve quotations
Manage CRM settings

Sales Support

Can:

Create quotations
Edit quotations
Support sales operations

Cannot:

Approve quotations
View management analytics

Sales Manager

Can:

View team enquiries
Assign sales
Approve quotations
View team dashboard

Visibility:

Branch scope
Product-type scope

Department Manager

Can:

Approve quotations
View department analytics
View department pipeline

Top Manager

Can:

Approve final quotations
View all CRM analytics

CRM Admin

Can:

Manage templates
Manage workflows
Manage document sequences
Manage master options
Manage CRM configuration

Cannot:

Override system security

System Admin

Can:

Everything

Scope L.1 Role Management UI

Add:

CRM Settings
 └─ Roles & Permissions

Features:

Role list
Role detail
Permission matrix
Role cloning
Role activation
Role deactivation

Scope L.2 Permission Assignment

Allow administrators to assign permissions to roles.

Support:

read
create
update
delete
approve
assign
export
manage

Examples:

crm.lead.read
crm.lead.create

crm.enquiry.read
crm.enquiry.assign

crm.quotation.approve

crm.dashboard.export

Scope L.3 User Permission Resolution

Effective permission:

System Role
+
Membership Role
+
Direct Permissions

Evaluation order:

System Admin
↓
Role Permissions
↓
User Overrides

Scope L.4 Branch Scope

User can be assigned:

Bangkok
Rayong
Chiang Mai

Visibility enforced server-side.

Examples:

Sales Bangkok
cannot view
Rayong enquiries

Scope L.5 Product Type Scope

Supported:

Crane
Dock Door
Solar Cell
Service
Spare Part

Example:

Sales Crane
cannot see
Solar quotations

Scope L.6 Ownership Enforcement

Server-side rules.

Sales:

Own records only

Manager:

Team records

Admin:

Organization records

Marketing:

Lead monitoring only

Scope L.7 Menu Security

Navigation generated from permissions.

Examples:

Lead
Enquiry
Quotation
Approval
Dashboard
Settings

Menus disappear automatically when permission is absent.


Scope L.8 Dashboard Security

Enforce:

Lead KPI
Enquiry KPI
Revenue KPI
Approval KPI

according to permission.

No UI-only hiding.

Server-side enforcement required.


Scope L.9 CRM Settings Security

Protect:

Document Templates
Approval Workflows
Document Sequences
Master Options

using dedicated CRM permissions.


Scope L.10 Permission Audit

Audit:

Role Created
Role Updated
Role Deleted

Permission Added
Permission Removed

Scope Changed

Entity Types:

crm_role
crm_permission
crm_scope

Scope L.11 Migration Strategy

Convert legacy roles:

admin
user

into CRM-aligned business roles.

Backfill:

sales
marketing
sales_manager
crm_admin

where possible.

Retain historical records.


Scope L.12 Verification

Verify:

Marketing cannot see quotation price
Sales cannot see other sales enquiries
Managers can see team data
Dashboard respects permissions
Menus respect permissions
CRM settings respect permissions

Run:

npx tsc --noEmit

Deliverables

  1. Role Management Center
  2. Permission Matrix
  3. Branch Scope Enforcement
  4. Product Type Scope Enforcement
  5. Ownership Visibility Enforcement
  6. Dashboard Security Enforcement
  7. CRM Settings Security
  8. Audit Logging
  9. Legacy Role Migration

Definition of Done

Task L is complete when:

  • permissions are assignable
  • role matrix exists
  • branch scope enforced
  • product scope enforced
  • ownership enforced
  • dashboard secured
  • settings secured
  • menus secured
  • audits recorded

This becomes the final authorization foundation before Report Center and Notification Center work begins.