sankofa-hw-infra/docs/rbac-sovereign-operations.md
defiQUG 93df3c8c20
Initial commit: add .gitignore and README
2026-02-09 21:51:50 -08:00

# RBAC matrix for sovereign operations
Who can **see**, who can **change**, and who can **approve** (by role and by site/sovereign) for UniFi, compliance, and purchasing.
## Permissions
| Permission | Description |
|------------|-------------|
| unifi:read | Read UniFi devices and product catalog within assigned site/org |
| unifi:write | Change UniFi mappings and controller config within assigned site/org |
| unifi_oversight:read | Read-only across sovereigns (central oversight; no write) |
| compliance:read | View compliance profiles |
| compliance:write | Create/update/delete compliance profiles |
| purchasing_catalog:read | View approved buy lists and BOMs |
## Role vs permission (sovereign-relevant)
| Role | unifi:read | unifi:write | unifi_oversight:read | compliance:read | compliance:write | purchasing_catalog:read |
|------|:----------:|:-----------:|:--------------------:|:----------------:|:-----------------:|:------------------------:|
| super_admin | yes | yes | yes | yes | yes | yes |
| security_admin | | | yes | yes | yes | |
| procurement_manager | yes | | | | | yes |
| finance_approver | | | | | | yes |
| site_admin | yes | yes | | yes | | |
| noc_operator | yes | | | | | |
| read_only_auditor | yes | | | yes | | yes |
| partner_inspector | | | | | | |
## Scoping rules
- **unifi:read** and **unifi:write** apply only within the operator's assigned **site** or **org** (via `user_roles.scope_site_id` / org). No cross-sovereign write.
- **unifi_oversight:read** is the only cross-sovereign read; used by central Sankofa Phoenix oversight. No write authority.
- **compliance:read** / **compliance:write** are scoped by org (sovereign); enforce this in the API so that users only see/edit profiles for their own org.
- **purchasing_catalog:read** is scoped by org/site so approved lists and BOMs are sovereign-specific.
Existing ABAC (e.g. `scope_site_id` on `user_roles`) enforces these boundaries; ensure every new integration and compliance endpoint checks both the permission and the org/site scope, not the permission alone.
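The matrix and scoping rules above can be checked in one place. The following is an added example written for this page, not the project's own authorization code; the shape of a `user_roles` row (`role`, `scope_org_id`, `scope_site_id`) and every function name are assumptions. It encodes the table verbatim, treats `unifi_oversight:read` as the single permission allowed to cross sovereigns, and shows that oversight never turns into write authority.

```python
"""Added example (not the project's own code): enforce the role matrix
together with the site/org scoping rules. The user_roles row shape
(role, scope_org_id, scope_site_id) and all names below are assumptions."""

from dataclasses import dataclass
from typing import Iterable, Optional

# Role -> permissions, transcribed from the "Role vs permission" table.
ROLE_PERMISSIONS = {
    "super_admin": {"unifi:read", "unifi:write", "unifi_oversight:read",
                    "compliance:read", "compliance:write", "purchasing_catalog:read"},
    "security_admin": {"unifi_oversight:read", "compliance:read", "compliance:write"},
    "procurement_manager": {"unifi:read", "purchasing_catalog:read"},
    "finance_approver": {"purchasing_catalog:read"},
    "site_admin": {"unifi:read", "unifi:write", "compliance:read"},
    "noc_operator": {"unifi:read"},
    "read_only_auditor": {"unifi:read", "compliance:read", "purchasing_catalog:read"},
    "partner_inspector": set(),
}

# Scoping class of each permission, from the scoping rules.
SITE_OR_ORG_SCOPED = {"unifi:read", "unifi:write", "purchasing_catalog:read"}
ORG_SCOPED = {"compliance:read", "compliance:write"}
CROSS_SOVEREIGN_READ = {"unifi_oversight:read"}
KNOWN_PERMISSIONS = SITE_OR_ORG_SCOPED | ORG_SCOPED | CROSS_SOVEREIGN_READ


@dataclass(frozen=True)
class UserRole:
    """One user_roles row (assumed shape). scope_site_id=None means the whole org."""
    role: str
    scope_org_id: str
    scope_site_id: Optional[str] = None


@dataclass(frozen=True)
class Resource:
    """The sovereign (org) and, where applicable, the site a request targets."""
    org_id: str
    site_id: Optional[str] = None


def _scope_matches(ur: UserRole, res: Resource, permission: str) -> bool:
    if permission in CROSS_SOVEREIGN_READ:
        return True  # the one permission that deliberately crosses sovereigns
    if ur.scope_org_id != res.org_id:
        return False  # never act outside the assigned sovereign
    if permission in ORG_SCOPED:
        return True
    # Site/org scoped: an org-wide assignment covers every site in that org,
    # a site assignment covers exactly that site.
    return ur.scope_site_id is None or ur.scope_site_id == res.site_id


def is_authorized(user_roles: Iterable[UserRole], permission: str, res: Resource) -> bool:
    """Deny by default: unknown permissions, unknown roles and out-of-scope
    assignments all fail; any one in-scope role granting the permission suffices."""
    if permission not in KNOWN_PERMISSIONS:
        return False
    return any(
        permission in ROLE_PERMISSIONS.get(ur.role, set())
        and _scope_matches(ur, res, permission)
        for ur in user_roles
    )


def can_read_unifi(user_roles: Iterable[UserRole], res: Resource) -> bool:
    """A UniFi read may come from scoped unifi:read or from cross-sovereign oversight."""
    roles = list(user_roles)
    return (is_authorized(roles, "unifi:read", res)
            or is_authorized(roles, "unifi_oversight:read", res))


def can_write_unifi(user_roles: Iterable[UserRole], res: Resource) -> bool:
    """A UniFi write only ever comes from scoped unifi:write; oversight never grants it."""
    return is_authorized(user_roles, "unifi:write", res)


if __name__ == "__main__":
    # Constructed sample assignments for illustration.
    site_admin = [UserRole("site_admin", "sov-a", "site-1")]
    oversight = [UserRole("security_admin", "central")]
    print(can_write_unifi(site_admin, Resource("sov-a", "site-1")))  # True
    print(can_write_unifi(site_admin, Resource("sov-a", "site-2")))  # False
    print(can_read_unifi(oversight, Resource("sov-b", "site-9")))    # True
    print(can_write_unifi(oversight, Resource("sov-b", "site-9")))   # False
```

Endpoints should call `is_authorized` with the resource's org and site taken from the record being acted on, never from the caller's request body, so a user cannot reach another sovereign's profile by naming its identifier. Because the function denies by default, a permission string that is not in the matrix (such as an "approve" action added later) fails closed until it is added to both `ROLE_PERMISSIONS` and a scoping class.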