Roles & Governance

Status: INTERIM (AS-BUILT partial; role standardization in progress). Current services already enforce roles as documented per service.

Purpose

Provide a unified governance model across services, including org roles, facility grants, and cost visibility rules.

Owners can perform all actions; primary owners retain specific governance actions.
Members require explicit org roles and, for facility-scoped operations, an active facility grant.
Permanent and temporary roles are supported, including time-bounded and recurring schedules.
Cost visibility is restricted to cost_view (facility-scoped) or finance_audit (org-wide).
Approval gates: high-risk requests can require approval (draft -> pending approval -> submitted). Thresholds are % and $ values set per org with optional facility overrides. Approvals capture approver, timestamp, and reason; optional no-self-approval rules apply where configured. Approval checks must not slow operational calls.

Separate request preparation from approval for high-risk actions (discount overrides, transfers, POs).
Allow no-self-approval policies for sensitive thresholds or high-value actions.
Use time-bounded elevation for exceptional access, with automatic expiry.
Require reason codes and audit trails for privileged actions and overrides.
Prefer least-privilege role grants with facility-level scope by default.

Set org-wide delegation defaults and policy guardrails (pricing, discounts, approvals).
Configure valuation and landed-cost policies.
Configure tender liability policy.
Configure procurement approval and matching policies.
Enable or disable loyalty programs and influencer payout policies.
Configure accounting export and settlement policies.

Member access roles: /common/member-access-roles.html — detailed role explanations with examples
Role matrix: /common/role-matrix.html
Request context: /common/request-context.html