# Enterprise ERP Specification - RBAC, Hierarchy, & Workflows

This document defines user access layers, permission grids, administrative hierarchies, operational approval chains, and automated audit logging structures.

---

## 1. User & Department Hierarchy

The organization is structured as an executive leadership team, functional departments, project managers, and execution team members.

### Corporate Department Topology
- **Board / Executive**: CEO, COO, CTO, CFO, CMO
- **PMO (Project Management Office)**: PMO Director, Project Managers, Scrum Masters
- **Engineering & Product**: VP Engineering, Engineering Leads, Software Engineers, QA, Product Managers
- **Sales & Marketing**: CRM Manager, Account Executives, Marketing Officers
- **Finance & Administration**: CFO, Treasury Manager, Procurement Leads
- **HRMS & Operations**: HR Directors, Recruitment Specialists, Admin Officers

---

## 2. Role-Based Access Control (RBAC) Permission Matrix

Permissions are named with a **Domain Resource + Action** convention, written as `resource:action` (e.g., `invoice:create`, `payroll:approve`).

| Module / Area | CEO | COO | CTO | CFO | CMO | Sales Manager | HR Manager | PMO Dir | Team Lead | Employee |
| :--- | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| **Employee Profiles** | CRUD | CRUD | R | R | R | R | CRUD | R | RU | RU |
| **Attendance / Check-ins** | R | R | R | R | R | R | CRUD | R | RU | RU |
| **Payroll & Compensation** | R | R | - | CRUD | - | - | RU | - | - | - |
| **Financial Ledgers** | R | R | - | CRUD | - | - | - | - | - | - |
| **Client / CRM Leads** | R | R | - | R | - | CRUD | - | - | - | - |
| **Quotes & Proposals** | R | R | - | RU | - | CRUD | - | - | - | - |
| **Project Setup** | CRUD | CRUD | RU | R | - | R | - | CRUD | RU | R |
| **Task / Sprint Timers** | R | R | R | R | - | - | - | R | CRUD | RU |
| **SOP Management** | CRUD | CRUD | CRUD | CRUD | CRUD | RU | RU | RU | RU | R |
| **Procurements & Assets** | RU | CRUD | R | CRUD | R | - | R | R | RU | R |
| **OKR / KPI Setup** | CRUD | CRUD | CRUD | CRUD | CRUD | RU | RU | RU | RU | R |

*Legend: **CRUD** = Full Access (Create, Read, Update, Delete) | **RU** = Read & Update | **R** = Read Only | **-** = No Access.*
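The matrix above can be enforced directly in code. The following is an added example, not the ERP's own implementation: it transcribes the table into a lookup structure and resolves `resource:action` permission strings against it, denying by default for unknown roles, resources, or malformed strings. The resource keys (`employee_profile`, `payroll`, and so on) are identifiers chosen here, since the page only names the modules in prose. Workflow verbs such as `approve` have no CRUD letter in the legend, so they are denied until the spec maps them explicitly.

```python
"""RBAC check over the Section 2 permission matrix (added example)."""

# Column order of the matrix, exactly as in the table.
ROLES = ["CEO", "COO", "CTO", "CFO", "CMO", "Sales Manager",
         "HR Manager", "PMO Dir", "Team Lead", "Employee"]

# One row per module; resource keys are assumed identifiers for the modules.
MATRIX = {
    "employee_profile": ["CRUD", "CRUD", "R", "R", "R", "R", "CRUD", "R", "RU", "RU"],
    "attendance":       ["R", "R", "R", "R", "R", "R", "CRUD", "R", "RU", "RU"],
    "payroll":          ["R", "R", "-", "CRUD", "-", "-", "RU", "-", "-", "-"],
    "ledger":           ["R", "R", "-", "CRUD", "-", "-", "-", "-", "-", "-"],
    "crm_lead":         ["R", "R", "-", "R", "-", "CRUD", "-", "-", "-", "-"],
    "quote":            ["R", "R", "-", "RU", "-", "CRUD", "-", "-", "-", "-"],
    "project":          ["CRUD", "CRUD", "RU", "R", "-", "R", "-", "CRUD", "RU", "R"],
    "task":             ["R", "R", "R", "R", "-", "-", "-", "R", "CRUD", "RU"],
    "sop":              ["CRUD", "CRUD", "CRUD", "CRUD", "CRUD", "RU", "RU", "RU", "RU", "R"],
    "procurement":      ["RU", "CRUD", "R", "CRUD", "R", "-", "R", "R", "RU", "R"],
    "okr":              ["CRUD", "CRUD", "CRUD", "CRUD", "CRUD", "RU", "RU", "RU", "RU", "R"],
}

# Action half of a permission string -> CRUD letter it requires.
# "approve" and other workflow verbs are deliberately absent (deny until mapped).
ACTION_LETTER = {"create": "C", "read": "R", "update": "U", "delete": "D"}

LEGAL_CELLS = {"CRUD", "RU", "R", "-"}


def validate_matrix() -> bool:
    """Sanity check at startup: every row has one cell per role and only
    legend values appear. A malformed row would otherwise silently
    shift grants between roles."""
    return all(len(row) == len(ROLES) and set(row) <= LEGAL_CELLS
               for row in MATRIX.values())


def grants(role: str, resource: str) -> set[str]:
    """CRUD letters the role holds on the resource; empty set when the
    role or resource is unknown (deny by default)."""
    if role not in ROLES or resource not in MATRIX:
        return set()
    cell = MATRIX[resource][ROLES.index(role)]
    return set() if cell == "-" else set(cell)


def is_allowed(role: str, permission: str) -> bool:
    """Resolve a ``resource:action`` string against the matrix.
    Malformed strings and unmapped actions are denied, never raised."""
    resource, sep, action = permission.partition(":")
    if not sep or not resource or not action:
        return False
    letter = ACTION_LETTER.get(action)
    if letter is None:
        return False
    return letter in grants(role, resource)


if __name__ == "__main__":
    assert validate_matrix()
    for role, perm in [("CFO", "payroll:create"), ("HR Manager", "payroll:delete"),
                       ("Employee", "task:update"), ("Employee", "ledger:read")]:
        print(f"{role:12} {perm:22} -> {'ALLOW' if is_allowed(role, perm) else 'DENY'}")
```

Keeping the matrix as data rather than scattered `if role == ...` checks means the table in this document and the enforced policy can be diffed against each other, and `validate_matrix()` catches the common editing mistake of a row with a missing or extra column.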

---

## 3. Workflows & Approval Chains

### A. Expense Reimbursement Workflow
Tracks expenditures (such as client entertainment, server costs, or travel) against project budgets and company ledger balances.

```mermaid
graph TD
    Start([Employee Submits Expense]) --> TL_Check{TL Review}
    TL_Check -->|Rejected| End_Reject([Notify Employee: Rejected])
    TL_Check -->|Approved & Project Cost| PMO_Check{PMO Director Review}
    TL_Check -->|Approved & Non-Project| CFO_Check{CFO Approval}
    
    PMO_Check -->|Budget Exceeded| CFO_Check
    PMO_Check -->|Within Budget| Auto_Approve[Auto-Approve Project Cost]
    Auto_Approve --> Fin_Disburse[Finance Disburses Funds]
    
    CFO_Check -->|Approved| Fin_Disburse
    CFO_Check -->|Rejected| End_Reject
    Fin_Disburse --> End_Success([Notify Employee: Settled])
```
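The routing in the diagram can be expressed as a small state machine. This is an added example, not the ERP's own workflow engine. It encodes the diagram's nodes as states and, beyond the routing itself, enforces two checks a workflow engine should make: the actor recording a decision must hold the role that step requires, and the submitter may never act as a reviewer on their own claim. Two points are assumptions: rejection is permitted at the PMO step (the diagram shows only budget branches there), and the disbursing party is modelled as a `Finance` role, which the matrix does not list.

```python
"""Expense reimbursement state machine for Section 3.A (added example)."""
from dataclasses import dataclass, field

# States named after the nodes in the diagram.
TL_REVIEW, PMO_REVIEW, CFO_REVIEW = "TL_REVIEW", "PMO_REVIEW", "CFO_REVIEW"
DISBURSE, REJECTED, SETTLED = "DISBURSE", "REJECTED", "SETTLED"

# Role that may decide at each review step.
STEP_ROLE = {TL_REVIEW: "Team Lead", PMO_REVIEW: "PMO Dir", CFO_REVIEW: "CFO"}
DISBURSE_ROLE = "Finance"  # assumed role name; the matrix does not list it


@dataclass
class Expense:
    submitter: str
    amount: float
    project_cost: bool              # True -> PMO path, False -> straight to CFO
    budget_remaining: float = 0.0   # project budget left; only used on PMO path
    state: str = TL_REVIEW
    history: list = field(default_factory=list)  # (state, actor, approved)


def decide(exp: Expense, actor: str, role: str, approved: bool) -> str:
    """Record a review decision and advance the expense; returns the new state.

    Raises PermissionError when the role does not match the pending step or
    when the submitter reviews their own claim (separation of duties)."""
    if exp.state not in STEP_ROLE:
        raise ValueError(f"no decision pending in state {exp.state}")
    if role != STEP_ROLE[exp.state]:
        raise PermissionError(f"{role} cannot decide at {exp.state}")
    if actor == exp.submitter:
        raise PermissionError("submitter cannot review their own expense")
    exp.history.append((exp.state, actor, approved))

    if not approved:
        exp.state = REJECTED
    elif exp.state == TL_REVIEW:
        exp.state = PMO_REVIEW if exp.project_cost else CFO_REVIEW
    elif exp.state == PMO_REVIEW:
        # Within budget auto-approves; exceeding it escalates to the CFO.
        exp.state = DISBURSE if exp.amount <= exp.budget_remaining else CFO_REVIEW
    else:  # CFO_REVIEW approved
        exp.state = DISBURSE
    return exp.state


def disburse(exp: Expense, actor: str, role: str) -> str:
    """Finance settles an approved expense; only valid from DISBURSE."""
    if exp.state != DISBURSE:
        raise ValueError("expense is not approved for disbursement")
    if role != DISBURSE_ROLE:
        raise PermissionError("only Finance may disburse")
    if actor == exp.submitter:
        raise PermissionError("submitter cannot disburse their own expense")
    exp.history.append((DISBURSE, actor, True))
    exp.state = SETTLED
    return exp.state


if __name__ == "__main__":
    e = Expense(submitter="usr_emp", amount=900.0, project_cost=True, budget_remaining=500.0)
    decide(e, "usr_tl", "Team Lead", True)   # -> PMO_REVIEW
    decide(e, "usr_pmo", "PMO Dir", True)    # over budget -> CFO_REVIEW
    decide(e, "usr_cfo", "CFO", True)        # -> DISBURSE
    disburse(e, "usr_fin", "Finance")        # -> SETTLED
    print(e.state, e.history)
```

Because every transition appends to `history`, the record of who approved what at which step is produced by the same code path that moves the expense forward, so an entry cannot reach `SETTLED` without the chain of decisions that justifies it.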

### B. Leave Application Workflow
Automatically cross-references available vacation balances and active project allocations.

- **Trigger**: Employee applies for Leave (Date range + Type).
- **Step 1: Resource Engine Evaluation**:
  - Checks remaining leave balance in DB.
  - Queries active tasks/sprints assigned to the user.
- **Step 2: Team Lead Review**:
  - Receives a Slack/Email notification with task delegation proposals.
  - *If Approved*: Moves to HR check.
- **Step 3: HR Logging**:
  - Auto-updates Attendance & Payroll engine deductions (if loss of pay).

### C. SOP & Corporate Policy Execution Workflow
Enforces administrative compliance and training verification.

```mermaid
sequenceDiagram
    actor Author as Department Head (CTO/HR)
    actor Executive as COO / CEO
    actor Staff as Target Employees
    participant Sys as ERP Notification Engine

    Author->>Executive: Draft SOP & Request Approval
    Note over Executive: Reviews against corporate guidelines
    Executive->>Author: Approve & Sign Off
    Author->>Sys: Publish Policy (Target: Engineering Dept)
    Sys->>Staff: Dispatched to email & dashboard portal
    Note over Staff: Opens SOP and clicks "I have read & understood"
    Staff->>Sys: Submit compliance mark
    Note over Sys: Logs IP, timestamp & marks training complete
```

---

## 4. Audit Trail Architecture

To comply with SOC 2, HIPAA, and ISO 27001 guidelines, the ERP logs every state modification (mutation).

### Audit Trail Data Schema (`audit_logs`)
```json
{
  "audit_id": "aud_77416a2b8e390c5c",
  "timestamp": "2026-05-31T19:40:39+05:30",
  "user_id": "usr_992a76f2c3004e8d",
  "user_name": "Ananya Sharma",
  "user_role": "HR Manager",
  "client_ip": "10.0.4.15",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
  "action": "PAYROLL_APPROVE",
  "resource_type": "payroll",
  "resource_id": "pay_may2026_01",
  "data_before": {
    "status": "DRAFT",
    "total_payout": 4500000.00
  },
  "data_after": {
    "status": "APPROVED",
    "total_payout": 4500000.00,
    "approved_by": "usr_992a76f2c3004e8d"
  },
  "hash": "b2f694e9f3ab18b8577bc71c773e34bf53075678cd8e76c11a687311d9f8ac2c"
}
```
*Note: The `hash` field is a SHA-256 fingerprint of the log entry combined with the previous entry's hash. This forms a hash chain in which altering any earlier entry invalidates every later hash (a tamper-evident log ledger).*
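The chaining rule in the note can be implemented and verified as follows. This is an added example, not the ERP's own code, and the exact construction is an assumption the page leaves open: the hash is SHA-256 over the canonical JSON of the entry (every field except `hash`, keys sorted) concatenated with the previous entry's hash, with a fixed all-zero genesis value standing in for the "previous hash" of the first entry. The sample entries are constructed in the `audit_logs` shape and are not real records.

```python
"""Hash-chained audit log for the Section 4 schema (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash for the very first entry


def entry_hash(entry: dict, prev_hash: str) -> str:
    """SHA-256 of the entry body (all fields except ``hash``) + previous hash.

    sort_keys and fixed separators give a canonical byte string, so the same
    logical entry hashes identically regardless of key order or whitespace."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((canonical + prev_hash).encode("utf-8")).hexdigest()


def append(log: list, entry: dict) -> dict:
    """Seal a new entry onto the chain; returns the stored copy with ``hash`` set."""
    prev = log[-1]["hash"] if log else GENESIS
    sealed = dict(entry, hash=entry_hash(entry, prev))
    log.append(sealed)
    return sealed


def verify(log: list) -> tuple:
    """Recompute every link. Returns (ok, index_of_first_bad_entry);
    the index is -1 when the whole chain is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("hash") != entry_hash(e, prev):
            return False, i
        prev = e["hash"]
    return True, -1


def build_sample_log() -> list:
    """Two constructed entries (not real records) in the audit_logs shape."""
    log = []
    append(log, {
        "audit_id": "aud_0001", "timestamp": "2026-05-31T19:40:39+05:30",
        "user_id": "usr_cfo", "user_role": "CFO", "client_ip": "10.0.4.15",
        "action": "PAYROLL_CREATE", "resource_type": "payroll",
        "resource_id": "pay_may2026_01",
        "data_before": None,
        "data_after": {"status": "DRAFT", "total_payout": 4500000.00},
    })
    append(log, {
        "audit_id": "aud_0002", "timestamp": "2026-05-31T19:45:10+05:30",
        "user_id": "usr_cfo", "user_role": "CFO", "client_ip": "10.0.4.15",
        "action": "PAYROLL_APPROVE", "resource_type": "payroll",
        "resource_id": "pay_may2026_01",
        "data_before": {"status": "DRAFT", "total_payout": 4500000.00},
        "data_after": {"status": "APPROVED", "total_payout": 4500000.00},
    })
    return log


def tampered_copy(log: list) -> list:
    """Deep-copy the log and change the first payout without recomputing any
    hash, the way a direct database edit would."""
    bad = json.loads(json.dumps(log))
    bad[0]["data_after"]["total_payout"] = 4600000.00
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))           # (True, -1)
    print("edited:", verify(tampered_copy(log)))  # (False, 0)
```

Two properties worth confirming in review: an in-place edit is detected at the edited entry, and recomputing only that entry's hash does not repair the chain, because the next entry still embeds the old value. The chain by itself is tamper-evident, not tamper-proof: a writer who can rewrite the whole table can recompute every link, so the current head hash should be anchored somewhere the application's database credentials cannot reach (a write-once store or a periodically signed checkpoint).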
