Stage 7 — RBAC
Roles & permissions
Define custom roles per org, attach permissions from the global catalog, and configure role-based reporting chains.
- Custom roles — Branch Manager · Payroll Auditor · Team Lead · Factory Supervisor · whatever fits
- Permission catalog (75+ codes) grouped by category
- User-role assignment with hierarchy scope (unit subtree narrows access)
- Role-reports-to mapping (Branch Manager → Area Manager → Divisional Manager → ...)
- MFA-required permissions (payroll.process · billing.*) auto-flagged
- Delegation — assign acting role during absence
Full spec: docs/modules/rbac/BLUEPRINT.md
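An added sketch (not the project's code, and not taken from BLUEPRINT.md) of how subtree-scoped role assignments, MFA-flagged permission patterns and acting-role delegation can combine into one default-deny check. The unit tree, role contents, users, the `Assignment` shape and the `allow` / `mfa_required` / `deny` results are assumptions; only the role names and the two MFA patterns come from the list above.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample data: unit tree, role contents and users are hypothetical.
UNIT_PARENT = {"hq": None, "north": "hq", "branch-12": "north", "south": "hq"}
ROLE_PERMS = {
    "Branch Manager": {"leave.approve", "payroll.process"},
    "Payroll Auditor": {"payroll.view", "billing.export"},
}
MFA_PATTERNS = ("payroll.process", "billing.*")  # the patterns the page names

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    scope_unit: str                  # grant covers this unit's subtree only
    acting: Optional[tuple] = None   # (first_day, last_day) for a delegated role

ASSIGNMENTS = [
    Assignment("asha", "Branch Manager", "branch-12"),
    Assignment("ben", "Payroll Auditor", "north"),
    Assignment("cara", "Branch Manager", "south", (date(2024, 7, 1), date(2024, 7, 14))),
]

def in_subtree(unit, root):
    """True if `root` is `unit` or an ancestor; the walk is bounded against cycles."""
    for _ in range(len(UNIT_PARENT) + 1):
        if unit is None or unit == root:
            return unit == root
        unit = UNIT_PARENT.get(unit)
    return False

def is_active(a, today):
    """Permanent rows are always active; acting rows only inside their window."""
    return a.acting is None or a.acting[0] <= today <= a.acting[1]

def decide(assignments, user, perm, unit, today, mfa_ok):
    """Return 'allow', 'mfa_required' or 'deny'; anything unmatched is denied."""
    granted = any(
        a.user == user and perm in ROLE_PERMS.get(a.role, ())
        and in_subtree(unit, a.scope_unit) and is_active(a, today)
        for a in assignments
    )
    if not granted:
        return "deny"
    needs_mfa = any(fnmatchcase(perm, p) for p in MFA_PATTERNS)
    return "mfa_required" if needs_mfa and not mfa_ok else "allow"
```

The MFA check runs only after the grant is established, so a caller without the permission gets `deny` rather than an MFA prompt that would reveal which permissions are sensitive.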