# Default Permission Matrix

This document is generated from `unified-user-portal/lib/catalog.php`. The portal database is seeded with these defaults at installation. A Super Administrator can change the level-default matrix later.

## Decision order

1. The central account must be active.
2. The application must be enabled for that user. An application deny blocks every function.
3. A per-user explicit Deny blocks the function.
4. A per-user explicit Allow enables the function.
5. Inherit uses the user’s level default.
6. Local branch, manager, owner and record-state rules may further restrict a function; they never grant it.

Dependent implementation permissions are intentionally merged into complete business functions. For example, peer review includes the visibility needed to review, label creation includes product lookup, and branch self-audits include branch report visibility.

## Fixed levels and default additions

Defaults are cumulative from the previous level except where stated.

| Level | Rank | Default additions / restrictions |
|---|---:|---|
| Employee | 10 | Staff policy acknowledgement and training completion; assigned corrective-action response; label creation and price-review submission. |
| Supervisor | 20 | Employee defaults plus assigned-team compliance, competency sign-off and standard audit work. |
| Assistant Manager | 30 | Supervisor defaults plus Staff task reissue/reporting and recurring branch self-audits/branch reports. |
| Store Manager | 40 | Assistant Manager defaults plus audit assignment. |
| Administrator | 50 | All three application functions, portal user management below Administrator level and central audit-log visibility. Cannot manage Administrator accounts, level defaults or central security by default. |
| Super Administrator | 60 | All applications and all functions. Final-active-account protections still apply. |

## Full function catalogue

### Unified User Portal

| Permission key | Complete function | First level allowed by default | Description / merged dependency |
|---|---|---|---|
| `portal.manage_users` | Create and manage users below Administrator level | Administrator | Create, edit, disable and reset sessions or passwords for Employee through Store Manager accounts. |
| `portal.manage_administrators` | Create and manage Administrator accounts | Super Administrator | Manage Administrator accounts. Super Administrator accounts remain protected. |
| `portal.manage_levels` | Configure level permission defaults | Super Administrator | Change the default allow/deny matrix for all six account levels. |
| `portal.view_audit_log` | View central security audit log | Administrator | View sign-ins and user, permission, password, session and security changes. |
| `portal.manage_security` | Manage security settings and application URLs | Super Administrator | Change session and reauthentication limits, browser binding and registered application addresses. Administrator two-factor authentication remains mandatory. |
### Staff Compliance Portal

| Permission key | Complete function | First level allowed by default | Description / merged dependency |
|---|---|---|---|
| `staff.acknowledge_policies` | Read and acknowledge policies | Employee | View applicable policy documents and record acknowledgements. |
| `staff.complete_training` | Read and complete training | Employee | View assigned training and submit employee completion acknowledgements. |
| `staff.view_assigned_compliance` | View assigned staff compliance dashboard | Supervisor | View users assigned to the signed-in supervisor or manager. |
| `staff.view_all_compliance` | View all staff compliance and employee details | Administrator | Organisation-wide compliance visibility; includes the team dashboard dependency. |
| `staff.signoff_competencies` | Sign off training competencies | Supervisor | Countersign eligible staff training records; includes assigned-staff visibility. |
| `staff.reissue_tasks` | Reissue policy and training requirements | Assistant Manager | Revoke or reissue completed tasks; includes assigned-staff visibility. |
| `staff.manage_staff_assignments` | Manage staff manager, branch and archive assignments | Administrator | Credentials and account levels remain managed in this central portal. |
| `staff.manage_documents` | Manage policy, training and library documents | Administrator | Upload, version, archive and delete compliance documents. |
| `staff.view_reports` | View and export compliance records and PDF reports | Assistant Manager | Access individual and organisation compliance reporting. |
| `staff.view_audit_log` | View Staff Compliance audit log | Administrator | View application activity, IP addresses and event details. |
| `staff.manage_announcements` | Manage announcements | Administrator | Create, edit, archive and delete staff announcements. |
| `staff.manage_settings` | Manage branding and operational settings | Administrator | Change portal text, timeout, thresholds, upload limits and report settings. |
| `staff.manage_branches` | Manage branches | Administrator | Create, rename, enable and disable Staff Compliance branches. |
### Store Audit System

| Permission key | Complete function | First level allowed by default | Description / merged dependency |
|---|---|---|---|
| `audit.respond_to_actions` | Respond to assigned corrective actions | Employee | View assigned actions, add completion notes and upload evidence. |
| `audit.perform_standard_audits` | Perform standard audits | Supervisor | Start, edit, save, submit and view audits owned by the user. |
| `audit.perform_branch_self_audits` | Perform recurring branch self-audits | Assistant Manager | Claim and complete self-audits for the assigned branch; includes branch report visibility. |
| `audit.view_branch_reports` | View completed reports for assigned branch | Assistant Manager | View current published audit reports and branch audit history. |
| `audit.organisation_dashboard` | View organisation-wide audit dashboard and reports | Administrator | View all branches, audits, reports, review queues, schedules and action metrics. |
| `audit.assign_audits` | Assign audits | Store Manager | Create and assign audit work using eligible branches, templates and auditors. |
| `audit.peer_review_publish` | Peer review, return and publish audits | Administrator | Includes organisation-wide audit visibility required for review. |
| `audit.manage_corrective_actions` | Manage and verify corrective actions | Administrator | Edit, reopen, verify and close corrective actions; includes required audit visibility. |
| `audit.manage_user_assignments` | Manage Audit System user and branch assignments | Administrator | Manage local workflow profiles and branch assignments; credentials remain central. |
| `audit.manage_branches` | Manage audit branches | Administrator | Create, edit and deactivate branches and Store Manager assignments. |
| `audit.manage_templates` | Manage audit templates | Administrator | Create, clone, edit, publish, retire and delete template families and criteria. |
| `audit.manage_schedules` | Manage standard and recurring audit schedules | Administrator | Create and change branch schedules, recurrence, windows and assignees. |
| `audit.manage_settings` | Manage branding and audit settings | Administrator | Change report branding, thresholds, upload limits and operational settings. |
| `audit.view_activity_log` | View Audit System activity log | Administrator | View user and audit activity records. |
| `audit.amend_published_audits` | Amend and regenerate published audits | Administrator | Open amendments, alter published records and issue new report revisions; includes required audit visibility. |
| `audit.delete_audits` | Permanently delete audits | Administrator | Delete audits, answers, photographs, actions and report revisions; includes required audit visibility. |
### Price Label Maker

| Permission key | Complete function | First level allowed by default | Description / merged dependency |
|---|---|---|---|
| `labels.create_labels` | Create and print price labels | Employee | Includes product lookup required to generate labels. |
| `labels.submit_price_reviews` | Submit price review requests | Employee | Includes product lookup and branch notifications required for requests. |
| `labels.use_all_branches` | Use any branch rather than only the assigned branch | Administrator | Applies to label creation and product lookup. |
| `labels.manage_price_reviews` | Accept, reject and delete price review requests | Administrator | View pending and completed review requests and create store notifications. |
| `labels.manage_user_assignments` | Assign Price Label users to branches | Administrator | Credentials and account levels remain managed in this central portal. |
| `labels.manage_branches` | Manage branches | Administrator | Create branches used by products, labels and requests. |
| `labels.import_products` | Import and replace branch product data | Administrator | Upload CSV product data and replace the selected branch catalogue. |
| `labels.manage_backgrounds` | Upload label backgrounds | Administrator | Upload images used when rendering A4 labels. |
| `labels.manage_settings` | Manage branding | Administrator | Change the Price Label Maker header logo and footer text. |
| `labels.view_version_log` | View version log | Administrator | View application release history. |

## Delegated administration safeguards

- An Administrator can manage Employee through Store Manager accounts by default.
- Only a Super Administrator can manage Administrator accounts, change level defaults or change central security/application URLs by default.
- A delegated administrator cannot assign a level, application or function they do not possess.
- A user cannot manage a target whose effective access exceeds their own.
- Usernames are immutable after creation because they are legacy-link identity keys.
- The final active Super Administrator cannot be disabled or demoted, including under concurrent requests.

## Recommended configuration practice

Keep most users on Inherit. Use explicit Deny for a durable exception that must remain blocked if level defaults later expand. Use explicit Allow only when the complete business function is intentionally delegated. Review all explicit overrides quarterly or when responsibilities change.
