# User Management IT Admin Only Review ## 1. Summary Updated User Management access so the `พนักงาน` menu and related `/dashboard/users` + `/api/users*` endpoints are available only to IT admin access (`IT` business role and `super_admin` via existing role mapping). HRD/Admin keeps access to `รายชื่อพนักงานทั้งหมด` and the rest of the master-data menu. ## 2. Files Changed - `src/config/nav-config.ts` - `src/types/index.ts` - `src/hooks/use-nav.ts` - `src/lib/auth/roles.ts` - `src/lib/auth/session.ts` - `src/lib/auth/page-guards.ts` - `src/app/dashboard/users/page.tsx` - `src/app/api/users/route.ts` - `src/app/api/users/[id]/route.ts` - `src/features/users/server/user-data.ts` - `src/features/users/info-content.ts` ## 3. Navigation Changes - Added support for `businessRoles` in nav access rules. - Changed `พนักงาน` under `ข้อมูลหลัก` to visible only for `IT`. - Kept `รายชื่อพนักงานทั้งหมด`, `หลักสูตร`, `นโยบาย`, and `ประกาศ` visible for both `HRD` and `IT`. - Updated nav filtering so parent items with no visible children are hidden instead of leaving a stray direct link. ## 4. Permission Rules - Added `requireUserManagementAccess()` as the shared access gate for user-management features. - Changed `canManageUsers()` to allow only IT user-management access instead of any organizer admin. - Existing `super_admin` behavior is preserved because the current business-role mapping resolves `super_admin` to `IT`. ## 5. Route Protection - `/dashboard/users` now uses `requireUserManagementDashboardAccess()`. - Unauthorized users are redirected using the existing dashboard guard behavior. ## 6. API Protection - `/api/users` - `/api/users/[id]` Both routes now require `requireUserManagementAccess()` before any list, options, create, update, or deactivate action. ## 7. Manual Test Checklist - Admin IT sees `พนักงาน` menu. - HRD/Admin does not see `พนักงาน` menu. - Employee does not see `พนักงาน` menu. - HRD/Admin still sees `รายชื่อพนักงานทั้งหมด`. - Admin IT can open `/dashboard/users`. - HRD/Admin cannot open `/dashboard/users` by direct URL. - Employee cannot open `/dashboard/users` by direct URL. - User management APIs reject HRD/Admin. - Employee Directory is not affected. - Other menus still work. ## 8. Known Limitations - This change assumes the current role mapping remains: `super_admin` => `IT`, organizer admin => `HRD`, member => `EMPLOYEE`. - There is no dedicated `admin_it` database field yet; access still relies on the existing derived business-role model. - Only the current `/dashboard/users` page exists in App Router right now, so no additional `/dashboard/users/[id]` page update was needed.