CRM

CRM permission notes

Every `/crm` route validates an authenticated session and requires `crm.view`. Users without it return to the authenticated dashboard. The permission allows viewing all Sprint 3 CR

Use this when...

Use this when a safety, approval, permission, or governance decision is involved.

Read access

Every /crm route validates an authenticated session and requires crm.view. Users without it return to the authenticated dashboard. The permission allows viewing all Sprint 3 CRM records; row-level or territory scope is not implemented.

Write access

Create and edit forms are shown only to users with crm.manage. Every server action independently reloads the current principal and asserts crm.manage; hidden UI is not treated as authorization.

Each successful mutation writes a CrmActivity and a system ActivityLog entry in the same database transaction as the business record. Actor, action, entity type, entity identifier, and a short non-sensitive summary are retained. Secrets and uncontrolled request bodies must never be logged.

Developer Details
Source
apps/docs/content/crm/permissions.md
Owner
Module Owner
Status
Current
Module
CRM
Related route
/crm