sankofa-hw-infra/docs/rbac-sovereign-operations.md

RBAC matrix for sovereign operations

Who can see, who can change, and who can approve (by role and by site/sovereign) for UniFi, compliance, and purchasing.

Permissions

Permission	Description
unifi:read	Read UniFi devices and product catalog within assigned site/org
unifi:write	Change UniFi mappings and controller config within assigned site/org
unifi_oversight:read	Read-only across sovereigns (central oversight; no write)
compliance:read	View compliance profiles
compliance:write	Create/update/delete compliance profiles
purchasing_catalog:read	View approved buy lists and BOMs

Role vs permission (sovereign-relevant)

Role	unifi:read	unifi:write	unifi_oversight:read	compliance:read	compliance:write	purchasing_catalog:read
super_admin	yes	yes	yes	yes	yes	yes
security_admin			yes	yes	yes
procurement_manager	yes					yes
finance_approver						yes
site_admin	yes	yes		yes
noc_operator	yes
read_only_auditor	yes			yes		yes
partner_inspector

Scoping rules

• unifi:read and unifi:write apply only within the operator’s assigned site or org (via user_roles.scope_site_id / org). No cross-sovereign write.
• unifi_oversight:read is the only cross-sovereign read; used by central Sankofa Phoenix oversight. No write authority.
• compliance:read / compliance:write are scoped by org (sovereign); enforce in API so users only see/edit profiles for their org.
• purchasing_catalog:read is scoped by org/site so approved lists and BOMs are sovereign-specific.

Existing ABAC (e.g. scope_site_id on user_roles) enforces these boundaries; ensure new integration and compliance endpoints check permission and org/site scope.