You are a Senior Full Stack Engineer. Project: Training Management System (TMS) Current task: Update sidebar permission for User Management menu. Requirement: The menu "พนักงาน" that represents User Management / login accounts must be visible only to Admin IT role. Important constraints: - Do NOT delete the User Management route. - Do NOT delete APIs. - Do NOT change database schema. - Do NOT affect Employee Directory menu. - Keep Thai UI. - Minimal-impact changes only. Business Rule: 1. Menu: พนักงาน Purpose: - User Management - Login accounts - Role - Provider - Keycloak mapping Visible only to: - admin_it - IT Admin - super_admin if currently used as highest role Not visible to: - HRD/Admin - Employee/User 2. Menu: รายชื่อพนักงานทั้งหมด Purpose: - Employee Master - Training hours - Training history Visible to: - HRD/Admin - Admin IT if allowed - super_admin if used 3. Direct URL protection: For User Management route: - /dashboard/users - /dashboard/users/\* - related user management APIs Only Admin IT / super_admin can access. HRD/Admin direct URL access should be blocked: - 403 Forbidden or - redirect to dashboard 4. Sidebar: Under ข้อมูลหลัก: For Admin IT: - พนักงาน - รายชื่อพนักงานทั้งหมด - หลักสูตร - นโยบาย - ประกาศ For HRD/Admin: - รายชื่อพนักงานทั้งหมด - หลักสูตร - นโยบาย - ประกาศ For Employee: - should not see ข้อมูลหลัก unless already allowed by current design 5. Files likely involved: - src/config/nav-config.ts - src/lib/auth/session.ts - src/lib/auth/permissions.ts - src/app/dashboard/users/page.tsx - src/app/dashboard/users/[id]/page.tsx - src/app/api/users/route.ts - src/app/api/users/[id]/route.ts - src/components/layout/app-sidebar.tsx 6. Add or reuse helper: requireITAdmin() or requireUserManagementAccess() Recommended: function requireUserManagementAccess() { allow roles: - super_admin - admin_it } Do not allow HRD admin. 7. Output Review File Create: docs/management-change-user-management-it-admin-only-review.md Include: 1. Summary 2. Files Changed 3. Navigation Changes 4. Permission Rules 5. Route Protection 6. API Protection 7. Manual Test Checklist 8. Known Limitations Manual Test Checklist: - Admin IT sees พนักงาน menu. - HRD/Admin does not see พนักงาน menu. - Employee does not see พนักงาน menu. - HRD/Admin still sees รายชื่อพนักงานทั้งหมด. - Admin IT can open /dashboard/users. - HRD/Admin cannot open /dashboard/users by direct URL. - Employee cannot open /dashboard/users by direct URL. - User management APIs reject HRD/Admin. - Employee Directory is not affected. - Other menus still work. Return: - Complete code changes with file paths. - Content of docs/management-change-user-management-it-admin-only-review.md.