Roles & Access Matrix
Dynamic RBAC · edits take effect on the next request — no redeploy
Trainee TL has identical rights to Team Leader (§9 #4), so it gets no separate column. The §3 matrix is a starting seed, not a contract.
| Permission | OH | SM | TL | SCM | MON | CS |
|---|---|---|---|---|---|---|
| checklist.approve (verify / approve cascade) | all | own | own_team | — | — | — |
| checklist.fill (tick + photo + submit) | — | — | own_team | own | own | own |
| roster.create (build / publish roster) | all | own | own_team | — | — | — |
| user.manage (onboard / edit users) | all | own | — | — | — | — |
| gamezone.create (add / edit branches) | all | — | — | — | — | — |
| report.view (positive / negative / overdue) | all | own | own_team | own | own | own |
Cell values are scopes, not booleans: all = every branch; own_team = the team the TL leads; own = the SM's own store or, for SCM / MON / CS, the caller's own records; a — cell means no access. Toggling a cell writes a RolePermission row that carries an updatedBy audit field. The runtime resolver reads this table on every request, so there are no hardcoded role checks anywhere in the API and an edit is live on the next request without a redeploy. A permission check must therefore apply the scope to the target rows as well as test that the cell exists: a TL holding checklist.approve at own_team may approve only their own team's checklists, and a guard that only asks "is the cell non-empty?" would let them approve any team's.
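The resolver described above, as an added example rather than the project's own code: a RolePermission table seeded from the matrix, a toggle that records updatedBy, a lookup that reads the table on every call, and a scope-aware guard next to the naive boolean guard it replaces. The table columns, the TRAINEE_TL alias, the Row fields and the meaning of "own" per role are assumptions.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Seed copied from the matrix above; a role absent from a permission is the "—" cell.
SEED: Dict[str, Dict[str, str]] = {
    "checklist.approve": {"OH": "all", "SM": "own", "TL": "own_team"},
    "checklist.fill":    {"TL": "own_team", "SCM": "own", "MON": "own", "CS": "own"},
    "roster.create":     {"OH": "all", "SM": "own", "TL": "own_team"},
    "user.manage":       {"OH": "all", "SM": "own"},
    "gamezone.create":   {"OH": "all"},
    "report.view":       {"OH": "all", "SM": "own", "TL": "own_team", "SCM": "own", "MON": "own", "CS": "own"},
}
# Assumption: Trainee TL is a distinct role name that resolves to TL at lookup time (§9 #4).
ROLE_ALIASES = {"TRAINEE_TL": "TL"}

@dataclass(frozen=True)
class User:
    id: str
    role: str
    store_id: str
    team_id: str

@dataclass(frozen=True)
class Row:  # any scoped resource (checklist, roster, report); field names are assumptions
    id: str
    store_id: str
    team_id: str
    owner_id: str

# Assumption: "own" is the caller's store for a store-level role (SM) and rows the caller
# created for everyone else; "own_team" is the team the caller leads or belongs to.
STORE_LEVEL_ROLES = {"SM"}
SCOPE_PREDICATES: Dict[str, Callable[[User, Row], bool]] = {
    "all": lambda u, r: True,
    "own_team": lambda u, r: r.team_id == u.team_id,
    "own": lambda u, r: r.store_id == u.store_id if u.role in STORE_LEVEL_ROLES else r.owner_id == u.id,
}

class RolePermissionStore:
    """RolePermission table. Every lookup reads the table, so a toggle is live on the next call."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE role_permission (role TEXT, permission TEXT, scope TEXT,"
                        " updated_by TEXT NOT NULL, PRIMARY KEY (role, permission))")
        for permission, cells in SEED.items():
            for role, scope in cells.items():
                self.toggle(role, permission, scope, updated_by="seed")

    def toggle(self, role: str, permission: str, scope: Optional[str], updated_by: str) -> None:
        """Write one cell; scope=None is the '—' cell. The row stays so updated_by is kept."""
        if scope is not None and scope not in SCOPE_PREDICATES:
            raise ValueError(f"unknown scope {scope!r}")
        with self.db:
            self.db.execute("INSERT OR REPLACE INTO role_permission (role, permission, scope, updated_by)"
                            " VALUES (?, ?, ?, ?)", (role, permission, scope, updated_by))

    def _cell(self, role: str, permission: str):
        role = ROLE_ALIASES.get(role, role)
        return self.db.execute("SELECT scope, updated_by FROM role_permission WHERE role = ? AND permission = ?",
                               (role, permission)).fetchone()

    def scope_for(self, role: str, permission: str) -> Optional[str]:
        hit = self._cell(role, permission)
        return hit[0] if hit else None

    def last_editor(self, role: str, permission: str) -> Optional[str]:
        hit = self._cell(role, permission)
        return hit[1] if hit else None

def has_permission(store: RolePermissionStore, user: User, permission: str) -> bool:
    """The naive guard: asks only whether the cell is non-empty and ignores its scope."""
    return store.scope_for(user.role, permission) is not None

def authorize(store: RolePermissionStore, user: User, permission: str, row: Row) -> bool:
    """The correct guard: the cell must exist AND its scope must admit this particular row."""
    scope = store.scope_for(user.role, permission)
    return scope is not None and SCOPE_PREDICATES[scope](user, row)

def visible(store: RolePermissionStore, user: User, permission: str, rows: List[Row]) -> List[Row]:
    """List endpoints filter with the same predicate instead of returning every row."""
    return [r for r in rows if authorize(store, user, permission, r)]

# Constructed sample data: store S1 with teams A and B, plus a checklist in another store.
TL_A = User("tl1", "TL", "S1", "A")
TRAINEE_A = User("tt1", "TRAINEE_TL", "S1", "A")
SM_1 = User("sm1", "SM", "S1", "")
CS_B = User("cs2", "CS", "S1", "B")
CHECKLISTS = [Row("c1", "S1", "A", "cs1"), Row("c2", "S1", "B", "cs2"), Row("c3", "S2", "C", "cs3")]
```

With the constructed data, `has_permission(store, TL_A, "checklist.approve")` is true while `authorize(...)` rejects the team-B checklist, which is exactly the gap between a boolean role check and a scoped one. After `store.toggle("TL", "checklist.approve", None, updated_by="admin")` the very next `authorize` call for TL_A and TRAINEE_A fails, and `last_editor` still names who cleared the cell.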
