Skip to content

Authorization and Segregation

Backlog fieldValue
Story IDCTRL-002
EpicCross Cutting Controls
Story typeSecurity control
Review statusDraft - business analyst and business owner review required
Source evidencePolicyMapper attributes, route guards, App permissions, role/user settings, and workflow decisions
Last source review2026-07-10

As a security administrator, I want List, View, Add, Edit, Delete, Post, Unpost, Approve, Print, Export, Import, and settings permissions enforced independently so that users receive least privilege.

Acceptance scenarios

  1. Hidden UI actions do not replace server authorization.
  2. Direct route/API access without permission is rejected without side effects.
  3. Approver/creator segregation and permission-grant boundaries follow approved policy.

Internal Documentation — Microtec