CRM
CRM permission notes
Every `/crm` route validates an authenticated session and requires `crm.view`. Users without it return to the authenticated dashboard. The permission allows viewing all Sprint 3 CR
Use this when a safety, approval, permission, or governance decision is involved.
Read access
Every /crm route validates an authenticated session and requires crm.view. Users without it return to the authenticated dashboard. The permission allows viewing all Sprint 3 CRM records; row-level or territory scope is not implemented.
Write access
Create and edit forms are shown only to users with crm.manage. Every server action independently reloads the current principal and asserts crm.manage; hidden UI is not treated as authorization.
Each successful mutation writes a CrmActivity and a system ActivityLog entry in the same database transaction as the business record. Actor, action, entity type, entity identifier, and a short non-sensitive summary are retained. Secrets and uncontrolled request bodies must never be logged.
Developer Details
- Source
- apps/docs/content/crm/permissions.md
- Owner
- Module Owner
- Status
- Current
- Module
- CRM
- Related route
- /crm