# RBAC And Permission Model

This document defines the current role model, permission matrix, and scope semantics used by the admin app.

## Roles

- `admin`: full system access
- `manager`: broad operational access with selective limitations
- `editor`: content-focused access with reduced user-management privileges

## Permission Scopes

- `own`: applies to records the user owns
- `team`: applies to records within the user's team/org unit
- `global`: applies across all records

Scope hierarchy (higher includes lower):

- `global` -> `team` -> `own`

A grant at `global` satisfies a check that requires `team` or `own`; a grant at `team` satisfies `team` or `own`; a grant at `own` satisfies only `own`. The scope a check requires is derived from the record being acted on (owned by the caller, in the caller's team, or neither), so `own` and `team` checks need the record's owner and team resolved before the decision is made. A check that cannot resolve them must deny rather than assume the narrower scope.

## Permission Matrix Summary

The lists below summarize the matrix; the shared model in `packages/content/src/rbac.ts` is the authoritative definition.

### Admin

- All permissions at `global` scope

### Manager

- Dashboard and roadmap read: `global`
- Pages, navigation, media, commissions, banner, news: `global`
- Users: `read` at `global`, `write` at `team`

### Editor

- Dashboard: `read` at `global`
- Pages/navigation/media/news: mostly `team`
- Publish and workflow transitions: mostly `own`
- Users and commissions: mostly `own`
- Banner: `read` at `global`

## Enforcement Layers

- Route-level: `apps/admin/src/middleware.ts`
- Action-level: server component checks in admin pages (`/` and `/todo`)
- Shared model + checks: `packages/content/src/rbac.ts`

Route-level checks gate navigation only; every mutation must also pass the action-level check, because the route check does not know which record is being touched and therefore cannot evaluate `own` or `team` scope.

## Dev Role Fallback

For local development only:

- If no role cookie/header is present and environment is not production, role falls back to `CMS_DEV_ROLE` or `admin`.

Use this only as bootstrap behavior until full auth/session integration is finished.

Two consequences of this rule to keep in mind:

- An absent role resolves to `admin` in every non-production environment, so any non-production deployment that other people can reach (staging, preview builds) effectively runs without access control until the fallback is removed.
- The fallback applies only when no role is presented. A role value that is present but is not one of `admin`, `manager`, or `editor` must be rejected, not treated as absent, or an invalid cookie/header would be silently promoted to `admin`.

## Related Tasks

See `TODO.md` MVP0 gate items:

- RBAC domain model finalized
- RBAC route/action enforcement
- Permission matrix documented and tested
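## Worked Example

The block below is an added, self-contained illustration of the scope hierarchy, the permission matrix summary, and the dev-role fallback as described on this page. It is not the project's `packages/content/src/rbac.ts` and does not reflect its actual API: the action names (`read`, `write`, `publish`), the record shape (`ownerId`, `teamId`), the `isProduction` flag, and the function names are assumptions made for illustration, and the editor rows marked "mostly" above are filled in with the stated common case.

```typescript
// Added example, not the project's rbac.ts. Names and record shape are assumed.

type Role = "admin" | "manager" | "editor";
type Scope = "own" | "team" | "global";
type Action = "read" | "write" | "publish";
type Resource =
  | "dashboard" | "roadmap" | "pages" | "navigation" | "media"
  | "commissions" | "banner" | "news" | "users";

const ROLES: Role[] = ["admin", "manager", "editor"];
const RESOURCES: Resource[] = [
  "dashboard", "roadmap", "pages", "navigation", "media",
  "commissions", "banner", "news", "users",
];

// Scope hierarchy: global -> team -> own. A wider grant satisfies a narrower requirement.
const SCOPE_RANK: Record<Scope, number> = { own: 0, team: 1, global: 2 };
function scopeCovers(granted: Scope, required: Scope): boolean {
  return SCOPE_RANK[granted] >= SCOPE_RANK[required];
}

type Grant = Partial<Record<Action, Scope>>;
type RoleGrants = Partial<Record<Resource, Grant>>;

const GLOBAL_ALL: Grant = { read: "global", write: "global", publish: "global" };
function everythingGlobal(): RoleGrants {
  const out: RoleGrants = {};
  for (const r of RESOURCES) out[r] = GLOBAL_ALL;
  return out;
}

// Assumed concretisation of the matrix summary on this page.
const MATRIX: Record<Role, RoleGrants> = {
  admin: everythingGlobal(),
  manager: {
    dashboard: { read: "global" },
    roadmap: { read: "global" },
    pages: GLOBAL_ALL, navigation: GLOBAL_ALL, media: GLOBAL_ALL,
    commissions: GLOBAL_ALL, banner: GLOBAL_ALL, news: GLOBAL_ALL,
    users: { read: "global", write: "team" },
  },
  editor: {
    dashboard: { read: "global" },
    pages: { read: "team", write: "team", publish: "own" },
    navigation: { read: "team", write: "team", publish: "own" },
    media: { read: "team", write: "team" },
    news: { read: "team", write: "team", publish: "own" },
    users: { read: "own", write: "own" },
    commissions: { read: "own", write: "own" },
    banner: { read: "global" },
  },
};

interface Principal { id: string; teamId: string; role: Role }
// Assumed record shape: owner and team are needed to derive the required scope.
interface RecordRef { ownerId?: string; teamId?: string }

// Scope the caller needs for this record: own if they own it, team if it is in
// their team, otherwise global. null means ownership could not be resolved.
function requiredScope(p: Principal, rec: RecordRef): Scope | null {
  if (rec.ownerId === undefined || rec.teamId === undefined) return null;
  if (rec.ownerId === p.id) return "own";
  if (rec.teamId === p.teamId) return "team";
  return "global";
}

// Action-level check: deny by default, deny when ownership is unresolvable,
// otherwise compare the granted scope against the required one.
function can(p: Principal, action: Action, resource: Resource, rec: RecordRef): boolean {
  const granted = MATRIX[p.role][resource]?.[action];
  if (!granted) return false;
  const required = requiredScope(p, rec);
  if (required === null) return false;
  return scopeCovers(granted, required);
}

function isRole(v: unknown): v is Role {
  return ROLES.indexOf(v as Role) !== -1;
}

// Dev Role Fallback: only when NO role is presented and the environment is not
// production. A presented-but-unknown role is rejected, never defaulted.
function resolveRole(
  presented: string | undefined,
  env: { isProduction: boolean; CMS_DEV_ROLE?: string },
): Role | null {
  if (presented !== undefined) return isRole(presented) ? presented : null;
  if (env.isProduction) return null;
  const dev = env.CMS_DEV_ROLE;
  return isRole(dev) ? dev : "admin";
}
```

The two points worth taking from the example are that `can` derives the required scope from the record rather than from the caller's request, so a caller cannot lower the bar by claiming a record is their own, and that `resolveRole` distinguishes "no role presented" (eligible for the dev fallback) from "invalid role presented" (always denied).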