Appearance
Roles and User Settings
| Backlog field | Value |
|---|---|
| Story ID | AP-GS-008 |
| Epic | General Settings |
| Story type | Master data / configuration |
| Review status | Draft - business analyst and business owner review required |
| Source evidence | AppsPortal.Apis controller, application command/query handlers, validators, domain entities, and matching MFE workflow where available |
| Last source review | 2026-07-10 |
User story
As security administrators, I want to manage roles, action permissions, user branches, and user settings so that least-privilege access is enforced.
Acceptance criteria
- Only authorized users can view or execute the feature's actions.
- Required business data, active dependencies, tenant/branch scope, and current document state are validated.
- Invalid requests return actionable validation errors without applying a partial change.
- Search, list, view, print, and export operations use the same authorized business scope.
- Material create, edit, status, approval, posting, reversal, and integration actions are auditable where applicable.
- Financial or stock effects are applied atomically and no more than once.
Business rules
Required
Role identity and explicit module/service/action permissions are required; users need authorized branch/company assignment.
Optional or conditional
Descriptions, copied roles, UI preferences, defaults, and extra branches are optional.
Action behavior
Save changes future access; direct API enforcement remains authoritative.
Blocking rule or downstream effect
Removing access does not erase historical authorship; users cannot grant permissions they do not control.
Frontend page coverage
The following UI coverage is sourced from the pulled MFE route configuration. A Module-level supporting artifact mapping is evidence of a reachable screen, but requires BA confirmation that it belongs to this story rather than a more specific feature story.
| Route/page | Component | Mode | Route permission/guard | Mapping confidence | Source |
|---|---|---|---|---|---|
| roles | MainRolesComponent | List/navigation | Permission: AppGeneralSettingsPermissions.Role_List; Guards: PolicyAuthGuard | Feature token match | apps/erpHome/src/app/remote-entry/admin/admin-routing.module.ts:42 |
| user-management | MainUserSettingsComponent | List/navigation | Permission: AppGeneralSettingsPermissions.UserSettings_List; Guards: PolicyAuthGuard | Feature token match | apps/erpHome/src/app/remote-entry/admin/admin-routing.module.ts:143 |
Observed frontend fields and validation
| Component | Control | Observed frontend rule | Component source |
|---|---|---|---|
| - | - | No reactive formControlName controls were found for the routed components; review template-driven/shared child components. | Route sources above |
Observed frontend actions
| Component | Click action/handler | Business review requirement | Component source |
|---|---|---|---|
| - | - | No direct (click) handler was found; review shared toolbar/table commands and form submission bindings. | Route sources above |
Page-specific frontend acceptance criteria
- roles - List/navigation: Load an authorized paged/searchable list or navigation page; preserve filters/sort/paging and expose only permitted row and bulk actions. Security observed: Permission: AppGeneralSettingsPermissions.Role_List; Guards: PolicyAuthGuard
- user-management - List/navigation: Load an authorized paged/searchable list or navigation page; preserve filters/sort/paging and expose only permitted row and bulk actions. Security observed: Permission: AppGeneralSettingsPermissions.UserSettings_List; Guards: PolicyAuthGuard