RBAC Permission Matrix — FitZalo V2

Governance: NAMING_CONVENTIONS.md §4
Last updated: 2026-02-28 — Synced with PermissionString enum (57 permissions)

Standard Roles

Role Code	Scope	Description
SYSTEM_ADMIN	Global	Platform owner. Full access to every permission.
OWNER	Tenant	Full control over a single tenant (excl. system-level).
ADMIN	Tenant	Operational manager. View + selective MANAGE for daily ops.
MEMBER	Tenant	Day-to-day staff. View access + basic ops (order, inventory, inbox).
CUSTOMER	Tenant	End-user. View-only access. Default role on signup.

Permission Matrix

Legend: ✅ = granted, — = denied

Module	Permission	SYS_ADMIN	OWNER	ADMIN	MEMBER	CUSTOMER
IAM	TENANT_VIEW	✅	✅	✅	✅	✅
	TENANT_MANAGE	✅	✅	—	—	—
	TENANT_ADMIN	✅	—	—	—	—
	MEMBER_VIEW	✅	✅	✅	✅	✅
	MEMBER_MANAGE	✅	✅	—	—	—
	ROLE_VIEW	✅	✅	✅	✅	✅
	ROLE_MANAGE	✅	✅	—	—	—
	AUDIT_VIEW	✅	✅	✅	✅	✅
NOTIFY	NOTIFY_VIEW	✅	✅	✅	✅	✅
	NOTIFY_MANAGE	✅	✅	—	—	—
COMMS (ESN)	COMMS_VIEW	✅	✅	✅	✅	✅
	COMMS_MANAGE	✅	✅	—	—	—
CATALOG	CAT_VIEW	✅	✅	✅	✅	✅
	CAT_MANAGE	✅	✅	✅	—	—
ORDER	ORDER_VIEW	✅	✅	✅	✅	✅
	ORDER_MANAGE	✅	✅	✅	✅	—
VOUCHER	VOUCHER_VIEW	✅	✅	✅	✅	✅
	VOUCHER_MANAGE	✅	✅	✅	—	—
INVENTORY	INV_VIEW	✅	✅	✅	✅	✅
	INV_MANAGE	✅	✅	✅	✅	—
PROCUREMENT	PROC_VIEW	✅	✅	✅	✅	✅
	PROC_MANAGE	✅	✅	—	—	—
PRODUCTION	PROD_VIEW	✅	✅	✅	✅	✅
	PROD_MANAGE	✅	✅	—	—	—
SHIPPING	SHIP_VIEW	✅	✅	✅	✅	✅
	SHIP_MANAGE	✅	✅	—	—	—
CMS	CMS_VIEW	✅	✅	✅	✅	✅
	CMS_MANAGE	✅	✅	✅	—	—
	CMS_PUBLISH	✅	✅	✅	—	—
PARTNER/CRM	CRM_VIEW	✅	✅	✅	✅	✅
	CRM_MANAGE	✅	✅	✅	—	—
INBOX	INBOX_VIEW	✅	✅	✅	✅	✅
	INBOX_REPLY	✅	✅	✅	✅	—
	INBOX_MANAGE	✅	✅	—	—	—
AI	AI_VIEW	✅	✅	✅	✅	✅
	AI_MANAGE	✅	✅	—	—	—
ZALO	ZALO_VIEW	✅	✅	✅	✅	✅
	ZALO_MANAGE	✅	✅	—	—	—
PLUGIN	PLUGIN_VIEW	✅	✅	✅	✅	✅
	PLUGIN_MANAGE	✅	✅	—	—	—
BILLING	BILLING_VIEW	✅	✅	✅	✅	✅
	BILLING_MANAGE	✅	✅	—	—	—
FILE	FILE_VIEW	✅	✅	✅	✅	✅
	FILE_MANAGE	✅	✅	—	—	—
	FILE_UPLOAD	✅	✅	✅	✅	—
	FILE_EDIT	✅	✅	✅	—	—
	FILE_DELETE	✅	✅	✅	—	—
	FILE_RESTORE	✅	✅	✅	—	—
	FILE_PROCESS	✅	✅	✅	—	—
	FILE_USAGE_VIEW	✅	✅	✅	✅	✅
	FILE_POLICY_VIEW	✅	✅	✅	✅	✅
	FILE_POLICY_MANAGE	✅	✅	—	—	—
ADMIN	ADMIN_FULL	✅	—	—	—	—
MDM	MDM_MANAGE	✅	✅	—	—	—
ENABLEMENT	BUSINESSTYPE_MANAGE	✅	✅	—	—	—
	TENANT_ENABLEMENT_MANAGE	✅	✅	—	—	—
	TENANT_ENABLEMENT_VIEW	✅	✅	✅	✅	✅

Summary

Role	Total Permissions	Logic
SYSTEM_ADMIN	57	All permissions
OWNER	55	All except TENANT_ADMIN, ADMIN_FULL
ADMIN	37	View + selective MANAGE (CAT, ORDER, INV, CRM, CMS, VOUCHER)
MEMBER	27	All _VIEW + INBOX_REPLY + ORDER_MANAGE + INV_MANAGE
CUSTOMER	24	All *_VIEW permissions

Notes

• SYS_CAT_VIEW was previously listed but does not exist in the codebase. Removed.
• Loyalty / Customer-Loyalty controllers reuse CRM_VIEW / CRM_MANAGE.
• Balance controller reuses BILLING_VIEW / BILLING_MANAGE.
• File permissions are granular (10 perms) to support fine-grained file operations.
• ADMIN gets VOUCHER_MANAGE (added 2026-02-28) for daily operations.
• Permission enforcement: @Permissions() decorator + PermissionsGuard + TenantGuard.

Note: SYSTEM_ADMIN has implicit access to all regular tenant permissions but special SYS_* permissions for global operations.

RBAC Implementation Rule

The backend MUST enforce permissions via a declarative guard:

@Permissions('ORDER_MANAGE')
@Patch(':id/status')
async updateStatus(...) { ... }

• Multi-tenancy isolation (tenantId check) happens at TenantGuard.
• RBAC check happens at PermissionsGuard by verifying the user's roles attached to their Membership for the current tenantId.