Stage 7 — RBAC

Roles & permissions

Define custom roles per org, attach permissions from the global catalog, and configure role-based reporting chains.

  • Custom roles — Branch Manager · Payroll Auditor · Team Lead · Factory Supervisor · whatever fits
  • Permission catalog (75+ codes) grouped by category
  • User-role assignment scoped to a hierarchy unit (access is limited to that unit's subtree)
  • Role-reports-to mapping (Branch Manager → Area Manager → Divisional Manager → ...)
  • MFA-required permissions (payroll.process · billing.*) are auto-flagged at definition time
  • Delegation — assign an acting role for the duration of an absence

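The features above combine at authorization time, so the check has to consider all of them at once: the role's permissions, the subtree the assignment was scoped to, whether a delegated role is still within its window, and whether the permission is MFA-flagged. The following is an added example (not this project's code, and not the implementation described in BLUEPRINT.md) showing one way to model that decision; the permission-catalog subset, the org-unit tree, the role definitions and all function names are constructed assumptions.

```python
"""Added example (not the project's own code): a minimal authorization check
modelling the RBAC features listed above; all names and data are constructed."""
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatch
from typing import Optional

# Constructed subset of the global permission catalog: code -> category.
CATALOG = {
    "payroll.process": "Payroll",
    "billing.refund": "Billing",
    "team.attendance.view": "Team",
}
MFA_REQUIRED_PATTERNS = ("payroll.process", "billing.*")  # need an MFA step-up
# Constructed org-unit tree, child -> parent; None marks the root.
UNIT_PARENT = {
    "acme": None,
    "acme/north": "acme",
    "acme/north/branch-12": "acme/north",
    "acme/south": "acme",
}

def requires_mfa(code):
    """Auto-flag a permission when it matches an MFA-required pattern."""
    return any(fnmatch(code, p) for p in MFA_REQUIRED_PATTERNS)

def is_within(unit, scope):
    """True when `unit` is `scope` itself or lies anywhere in its subtree."""
    while unit is not None:
        if unit == scope:
            return True
        unit = UNIT_PARENT.get(unit)
    return False

@dataclass
class Role:
    name: str
    permissions: frozenset
    reports_to: Optional[str] = None  # role-reports-to mapping

@dataclass
class Assignment:
    role: str
    scope_unit: str  # hierarchy scope: access is limited to this subtree
    acting_from: Optional[date] = None  # set only for delegated (acting) roles
    acting_until: Optional[date] = None

    def active_on(self, day):
        if self.acting_from is None:  # permanent assignment
            return True
        return self.acting_from <= day <= self.acting_until

def define_role(name, permissions, reports_to=None):
    """Create a custom role; every permission must exist in the catalog."""
    unknown = set(permissions) - CATALOG.keys()
    if unknown:
        raise ValueError(f"not in permission catalog: {sorted(unknown)}")
    return Role(name, frozenset(permissions), reports_to)

ROLES = {r.name: r for r in (
    define_role("Divisional Manager", ["team.attendance.view"]),
    define_role("Area Manager", ["team.attendance.view"], "Divisional Manager"),
    define_role("Branch Manager", ["team.attendance.view"], "Area Manager"),
    define_role("Payroll Auditor", ["payroll.process"]),
)}

def reporting_chain(role_name):
    """Follow reports_to links upward; a cycle is a configuration error."""
    chain = [role_name]
    while (nxt := ROLES[chain[-1]].reports_to) is not None:
        if nxt in chain:
            raise ValueError(f"reporting cycle at {nxt}")
        chain.append(nxt)
    return chain

def authorize(assignments, permission, target_unit, today, mfa_verified=False):
    """Return (allowed, reason) for a user's assignments acting on target_unit."""
    if permission not in CATALOG:
        return False, "unknown permission"
    for a in assignments:
        if not a.active_on(today) or permission not in ROLES[a.role].permissions:
            continue
        if not is_within(target_unit, a.scope_unit):
            continue
        # MFA is checked only once a matching assignment exists, so the reason
        # string never reveals a permission the user does not actually hold.
        if requires_mfa(permission) and not mfa_verified:
            return False, "mfa required"
        return True, f"granted via {a.role} @ {a.scope_unit}"
    return False, "no active assignment covers this unit"

def demo():
    """Constructed scenario: a Branch Manager of branch-12 acting as Payroll
    Auditor for the whole north region from 1 to 14 June 2024."""
    user = [
        Assignment("Branch Manager", "acme/north/branch-12"),
        Assignment("Payroll Auditor", "acme/north", date(2024, 6, 1), date(2024, 6, 14)),
    ]
    during, after, b12 = date(2024, 6, 10), date(2024, 6, 20), "acme/north/branch-12"
    return {
        "own_branch": authorize(user, "team.attendance.view", b12, after),
        "other_region": authorize(user, "team.attendance.view", "acme/south", after),
        "payroll_no_mfa": authorize(user, "payroll.process", b12, during),
        "payroll_mfa": authorize(user, "payroll.process", b12, during, True),
        "payroll_expired": authorize(user, "payroll.process", b12, after, True),
    }
```

Two design points worth keeping in any real implementation: the subtree check walks the unit tree rather than comparing path prefixes as strings, so a unit named `acme/northeast` is never mistaken for a child of `acme/north`; and the delegation is an extra time-bound assignment on the same user, so it expires on its own instead of relying on someone remembering to revoke it.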
Full spec: docs/modules/rbac/BLUEPRINT.md