cms.fellies.org/docs/product-engineering/rbac-permission-model.md

RBAC And Permission Model

This document defines the current role model, permission matrix, and scope semantics used by the admin app.

Roles

  • admin: full system access
  • manager: broad operational access with selective limitations
  • editor: content-focused access with reduced user-management privileges

Permission Scopes

  • own: applies to records the user owns
  • team: applies to records within the user's team/org unit
  • global: applies across all records

Scope hierarchy (higher includes lower):

  • global -> team -> own

Permission Matrix Summary

Admin

  • All permissions at global scope

Manager

  • Dashboard and roadmap read: global
  • Pages, navigation, media, commissions, banner, news: global
  • Users: read at global, write at team

Editor

  • Dashboard: read at global
  • Pages/navigation/media/news: mostly team
  • Publish and workflow transitions: mostly own
  • Users and commissions: mostly own
  • Banner: read at global

Enforcement Layers

  • Route-level: apps/admin/src/proxy.ts
  • Action-level: server component checks in admin pages (/ and /todo)
  • Shared model + checks: packages/content/src/rbac.ts

Dev Role Fallback

For local development only:

  • If no role cookie or header is present and the environment is not production, the role falls back to CMS_DEV_ROLE, or to admin when that variable is unset.

Use this only as bootstrap behavior until full auth/session integration is finished.
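A minimal worked version of the scope hierarchy, a slice of the matrix summary above, and the dev-only fallback, added here as an illustration and not the code in packages/content/src/rbac.ts; the NODE_ENV check, the resource names and the `can`/`resolveRole` signatures are assumptions:

```typescript
// Added example (not the project's rbac.ts). NODE_ENV and resource names are assumed.
type Role = "admin" | "manager" | "editor";
type Scope = "own" | "team" | "global";
type Action = "read" | "write";
const ROLES: readonly Role[] = ["admin", "manager", "editor"];

// Higher scope includes lower: global -> team -> own.
const SCOPE_RANK: Record<Scope, number> = { own: 0, team: 1, global: 2 };

// Scope at which a role may perform an action; a missing entry means denied.
// Constructed slice of the matrix summary; admin is "everything at global".
const MATRIX: Record<Exclude<Role, "admin">, Record<string, Partial<Record<Action, Scope>>>> = {
  manager: {
    dashboard: { read: "global" },
    pages: { read: "global", write: "global" },
    users: { read: "global", write: "team" },
  },
  editor: {
    dashboard: { read: "global" },
    pages: { read: "team", write: "team" },
    users: { read: "own", write: "own" },
    banner: { read: "global" },
  },
};

// A granted scope satisfies a required one when it is at least as wide.
function scopeCovers(granted: Scope, required: Scope): boolean {
  return SCOPE_RANK[granted] >= SCOPE_RANK[required];
}

// `required` is the target record's scope relative to the caller:
// "own" for the caller's records, "team" for a teammate's, "global" otherwise.
function can(role: Role, resource: string, action: Action, required: Scope): boolean {
  if (role === "admin") return true;
  const granted = MATRIX[role][resource]?.[action];
  return granted !== undefined && scopeCovers(granted, required);
}

function isRole(s: string): s is Role {
  return ROLES.some((r) => r === s);
}

// Dev fallback: only when no role was supplied and we are not in production.
// In production a missing or unknown role resolves to no role at all.
function resolveRole(supplied: string | undefined, env: Record<string, string | undefined>): Role | undefined {
  if (supplied !== undefined) return isRole(supplied) ? supplied : undefined;
  if (env.NODE_ENV === "production") return undefined;
  const dev = env.CMS_DEV_ROLE;
  return dev !== undefined && isRole(dev) ? dev : "admin";
}
```

The deny-by-default matrix lookup and the production guard in `resolveRole` are the two places a misconfiguration would otherwise widen access silently.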

See TODO.md MVP0 gate items:

  • RBAC domain model finalized
  • RBAC route/action enforcement
  • Permission matrix documented and tested