RBAC-matrix

Reference for adgangskontrol. Den autoritative kilde er lib/authz.ts — denne side er en menneskelæsbar gengivelse.

Roller

Rolle	Tildeles via	Typisk bruger
`ORG_ADMIN`	Entra-gruppe	Organisations-admin
`DEPT_ADMIN`	Entra-gruppe (org-wide) eller manuelt (per afdeling)	Afdelingsleder
`COORDINATOR`	Entra-gruppe (org-wide) eller manuelt (per afd/team)	Team-koordinator
`RESOURCE`	Baseline ved login	Alle medarbejdere
`VIEWER`	Manuelt af ORG_ADMIN	Læseadgang (revision, ledelse)

Scope-typer

`scopeType`	`scopeId` peger på	Effekt
`ORG`	Organisationens ID	Wildcard — gælder alle afdelinger/teams
`DEPT`	Afdelings-ID	Kun den ene afdeling
`TEAM`	Team-ID (kun COORDINATOR)	Kun det ene team

Entra-gruppe-mapping giver altid ORG-scope. For at begrænse en DEPT_ADMIN eller COORDINATOR til specifikke afdelinger/teams skal rollen tildeles manuelt med DEPT- eller TEAM-scope (og brugeren må ikke samtidig være medlem af den org-wide Entra-gruppe).

Matrix: ressource × handling × rolle

✓ = tilladt · – = ikke tilladt · (egen) = kun for egne data · (scope) = kun i eget scope

`team` — afdelinger & teams

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓	✓	✓	✓
edit	✓	✓ (scope)	✓ (eget team)	–	–
delete	✓	✓ (scope)	–	–	–

`user` — brugere

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓ (scope)	✓ (scope)	✓ (egen)	✓ (org)
edit	✓	✓ (scope)	–	✓ (egen)	–

`project` — projekter

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓	✓	✓	✓
edit	✓	✓ (scope)	✓ (scope)	–	–
delete	✓	✓ (scope)	–	–	–

`assignment` — allokeringer

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓	✓	✓	✓
edit/delete	✓	✓ (scope)	✓ (scope)	✓ (egen)	–

`leave` — fravær

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓	✓	✓	✓
edit/delete	✓	✓ (scope)	✓ (scope)	✓ (egen)	–

`time-entry` — tidsregistrering

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓ (scope)	✓ (scope)	✓ (egen)	✓ (dept)
edit/delete	✓	✓ (scope)	✓ (scope)	✓ (egen)	–

`forecast-plan` — forecast

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓	✓	✓	✓
edit/delete	✓	✓ (scope)	✓ (scope)	–	–

`insights` — analyser & dashboards

Handling	ORG_ADMIN	DEPT_ADMIN	COORDINATOR	RESOURCE	VIEWER
view	✓	✓ (scope)	✓ (scope)	✓ hvis `isManager`	✓ (org)

`config` / `audit`

Handling	ORG_ADMIN	Alle andre
view/edit	✓	–

Special-flags

Flag	Effekt
`User.isManager`	Giver `insights:view` uden separat rolle
`UserTeam.isCoordinator`	Markerer brugeren som koordinator for et team; ikke det samme som `COORDINATOR`-rollen — flag'et bruges af UI'et, rollen af authz

Helper-funktioner

Funktion	Returnerer
`requireSession()`	`Session \| null` — null hvis ikke logget ind
`can(session, action, resource)`	`boolean`
`getAdministeredDeptIds(roles)`	`null` (wildcard) eller `string[]` af afdelings-IDs
`getAdministeredOrCoordinatedDeptIds(roles)`	Som ovenfor, men inkluderer COORDINATOR-DEPT

Eksempel: tjek i en route-handler

import { auth } from "@/auth"
import { can } from "@/lib/authz"
 
export async function PATCH(req, { params }) {
  const session = await auth()
  if (!session) return new Response("Unauthorized", { status: 401 })
 
  const assignment = await db.assignment.findUnique({
    where: { id: params.id },
    select: { organizationId: true, departmentId: true, userId: true },
  })
  if (!assignment) return new Response("Not Found", { status: 404 })
 
  const allowed = can(session, "edit", {
    type: "assignment",
    ...assignment,
  })
  if (!allowed) return new Response("Forbidden", { status: 403 })
 
  // ... write
}

Læs videre i RBAC scope-model for hvorfor ORG-scope fungerer som wildcard.

On this page