RBAC — Role, Permission and Team Management

Surgical permission control

Every endpoint is checked at the table + action level. Actions include sidebar, create, read, update, delete, export, assign and approve. Owner-only access and other advanced patterns are built in.

Roles and permissions

Roles like admin, accountant, field_rep, auditor; permissions tied to a table + action; role-permission and user-role joins. A user can hold multiple roles.

Team structure

Users gain location / project access through team membership. The 'İstanbul field team' sees only its own region's customers — essential for location-bound operating models.

Cache and audit

Permissions are cached in Redis and invalidated on change. Sidebar items auto-hide where the user has no access. Permission grants and revokes are written to the audit log.