User Roles & Security

Role-Based Access Control (RBAC) and authentication security.

UC-CORE-002: User Roles & Permissions

Purpose: Ensure users only access features relevant to their role.

Property   Value
Actor      Admin / System
Trigger    User Login
Priority   P0

Capabilities:

  • Standard Roles:

    • Owner: Full access to all dashboards, revenue, and staff settings.

    • Manager: Access to Staff Schedule, Inventory, and Rosters. No Financials.

    • Front Desk: Access to Calendar, Booking, and Check-in. No Settings.

    • Stylist: Read-only access to own schedule and commissions.

  • Custom Permissions:

    • Toggle specific actions (e.g., "Allow Front Desk to Refund").

Main Success Scenario:

  1. "Stylist" logs in.
  2. Dashboard shows only "My Appointments" and "My Performance".
  3. "Settings" tab is hidden.
  4. User tries to access /admin/revenue -> Redirected to 403 Forbidden.

Acceptance Criteria:

  1. [ ] Admin can assign roles to new staff invites.
  2. [ ] UI elements (buttons/tabs) are hidden based on permissions.
  3. [ ] API endpoints enforce the same role checks server-side (backend validation), independently of what the UI hides.
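The following is an added example, not code from the original use case or its product: a minimal RBAC policy in Python that implements the four standard roles and the custom permission toggles from the Capabilities list, walks the Main Success Scenario (a Stylist sees only "My Appointments" and "My Performance" and gets 403 on /admin/revenue), and satisfies acceptance criteria 2 and 3 by deriving the UI tab list from the same policy table the backend enforces. Route paths, permission identifiers and user names are assumptions chosen for illustration.

```python
"""Added example (not part of the original spec): a minimal RBAC policy for
UC-CORE-002. Permission identifiers, route paths and user names are assumed."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Baseline permissions per standard role (identifiers assumed, not from the spec).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "owner": frozenset({
        "dashboard:view", "revenue:view", "staff:manage", "settings:manage",
        "schedule:manage", "inventory:manage", "roster:manage", "calendar:view",
        "booking:manage", "checkin:perform", "refund:perform",
        "own_schedule:view", "own_commissions:view",
    }),
    # Manager: schedule, inventory, rosters; no financials, no settings.
    "manager": frozenset({
        "dashboard:view", "schedule:manage", "inventory:manage", "roster:manage",
        "own_schedule:view",
    }),
    # Front Desk: calendar, booking, check-in; no settings.
    "front_desk": frozenset({
        "calendar:view", "booking:manage", "checkin:perform", "own_schedule:view",
    }),
    # Stylist: read-only view of own schedule and commissions.
    "stylist": frozenset({"own_schedule:view", "own_commissions:view"}),
}

# Route -> required permission. A route missing from this table is denied
# (fail closed), so a forgotten entry can never silently grant access.
ROUTE_PERMISSIONS: Dict[str, str] = {
    "/admin/revenue": "revenue:view",
    "/admin/settings": "settings:manage",
    "/schedule": "schedule:manage",
    "/calendar": "calendar:view",
    "/bookings/refund": "refund:perform",
    "/me/appointments": "own_schedule:view",
    "/me/performance": "own_commissions:view",
}


@dataclass(frozen=True)
class User:
    username: str
    role: str
    # Custom toggles granted by an admin, e.g. "Allow Front Desk to Refund".
    extra_permissions: FrozenSet[str] = field(default_factory=frozenset)


def effective_permissions(user: User) -> FrozenSet[str]:
    """Role baseline plus explicitly granted toggles; unknown roles get nothing."""
    return ROLE_PERMISSIONS.get(user.role, frozenset()) | user.extra_permissions


def authorize(user: User, route: str) -> int:
    """Backend check returning an HTTP status: 200 if allowed, 403 otherwise."""
    required = ROUTE_PERMISSIONS.get(route)
    if required is None:
        return 403
    return 200 if required in effective_permissions(user) else 403


def visible_tabs(user: User) -> List[str]:
    """UI helper: tabs to render. Derived from the same table authorize() uses,
    so the UI can never be more permissive than the API (criterion 2 vs 3)."""
    tabs = {
        "My Appointments": "/me/appointments",
        "My Performance": "/me/performance",
        "Calendar": "/calendar",
        "Settings": "/admin/settings",
        "Revenue": "/admin/revenue",
    }
    return [name for name, route in tabs.items() if authorize(user, route) == 200]


if __name__ == "__main__":
    stylist = User("alice", "stylist")
    print(visible_tabs(stylist))                 # ['My Appointments', 'My Performance']
    print(authorize(stylist, "/admin/revenue"))  # 403
    desk = User("bob", "front_desk", frozenset({"refund:perform"}))
    print(authorize(desk, "/bookings/refund"))   # 200
```

The design point is that `visible_tabs()` is a convenience built on top of `authorize()`, never a substitute for it: hiding the Settings tab satisfies criterion 2, but a direct request to /admin/settings is still rejected by the route table, which is what criterion 3 requires.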