Permissions
Two Concepts Per User
Every user has two independent attributes:
- `job_role` (DM / DL / TL) - Determines which scorecard template and onboarding items apply
- `access_level` (Executive / Head / Manager / Lead / Employee) - Determines what you can see and do
Access Levels
| Level | Description | Data Scope |
|---|---|---|
| Executive | Full access + admin | All data |
| Head | Cross-team visibility | All data |
| Manager | Team-level access | Own + squad data |
| Lead | Individual access | Own data |
| Employee | Individual access | Own data |
Tool Permissions
Stored in the `tool_permissions` table, configurable via the Admin section (Executive only).
Each tool × access level combination has three permission flags:
- `can_view` - Can see the tool and its data
- `can_update` - Can modify data (create, edit, delete)
- `can_manage` - Can configure the tool itself (edit templates, phases, etc.)
Data Scoping via Squads
Squad membership determines the “own + squad” scope for Managers:
- own: Only the current user’s data (Lead, Employee)
- own + squad: Own data + data from users in squads where `is_manager = 1` (Manager)
- all: All users’ data across all squads (Head, Executive)
Enforcement
- API middleware (`worker/middleware/permissions.ts`): Checks tool permissions before request processing
- Route handlers: Scope DB queries based on access level
- Frontend: `useAuth()` exposes `canView()`, `canUpdate()`, `canManage()` helpers
- Sidebar: Only shows tools the user has `can_view` for
- UI controls: Edit buttons hidden without `can_update`, config hidden without `can_manage`
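
The two server-side checks listed above (the tool permission lookup and the squad-based data scope), as an added TypeScript example that is not the project's `permissions.ts`. The function names, row shapes and sample rows are assumptions, as are treating a missing permission row as deny and reading `is_manager = 1` as a flag on the caller's own squad membership row.

```typescript
// Added example: names, row shapes and sample rows are hypothetical, not the project's code.
type AccessLevel = "Executive" | "Head" | "Manager" | "Lead" | "Employee";
type Action = "view" | "update" | "manage";

interface ToolPermission {
  tool: string;
  access_level: AccessLevel;
  can_view: boolean; can_update: boolean; can_manage: boolean;
}
interface SquadMember { squad_id: number; user_id: number; is_manager: number; }
interface User { id: number; access_level: AccessLevel; }

// Assumption: default deny. A missing (tool, access level) row grants nothing.
function isAllowed(rows: ToolPermission[], user: User, tool: string, action: Action): boolean {
  const row = rows.filter(r => r.tool === tool && r.access_level === user.access_level)[0];
  if (!row) return false;
  if (action === "view") return row.can_view;
  if (action === "update") return row.can_update;
  return row.can_manage;
}

// Returns the user ids whose data the caller may read, or "all" for Head and Executive.
function visibleUserIds(user: User, members: SquadMember[]): number[] | "all" {
  if (user.access_level === "Executive" || user.access_level === "Head") return "all";
  const ids: number[] = [user.id];
  if (user.access_level === "Manager") {
    // Only squads where the caller's own membership row has is_manager = 1.
    const managed = members
      .filter(m => m.user_id === user.id && m.is_manager === 1)
      .map(m => m.squad_id);
    for (const m of members) {
      const inManagedSquad = managed.indexOf(m.squad_id) !== -1;
      if (inManagedSquad && ids.indexOf(m.user_id) === -1) ids.push(m.user_id);
    }
  }
  return ids.sort((a, b) => a - b);
}

// Constructed sample data.
const PERMS: ToolPermission[] = [
  { tool: "scorecard", access_level: "Manager", can_view: true, can_update: true, can_manage: false },
  { tool: "scorecard", access_level: "Employee", can_view: true, can_update: false, can_manage: false },
];
const MEMBERS: SquadMember[] = [
  { squad_id: 1, user_id: 10, is_manager: 1 },
  { squad_id: 1, user_id: 11, is_manager: 0 },
  { squad_id: 2, user_id: 10, is_manager: 0 }, // user 10 is a plain member here
  { squad_id: 2, user_id: 12, is_manager: 0 },
];
```

A route handler would use the returned id list as the filter on its query, so the scope holds even when a request bypasses the hidden UI controls.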