Handbook
Role and permission matrix
Capability-first model (aligned with /api/me and forge360/auth/user_profile.py).
Updated
| Capability | Typical roles | Data classes |
|---|---|---|
manage_directory |
Tenant admin | PII directory, org units, invites |
manage_surveys |
HR / program owner | Campaign config, rater assignments (not plaintext answers) |
view_completion |
Manager, HR | Completion status, aggregates above threshold |
| Subject (implicit) | All users | Own assignments, own results per policy |
is_tenant_admin |
Org admin | /api/admin/* |
is_operator |
Platform operator | /api/tenants/*, /api/operator/* — no ordinary plaintext feedback |
Visibility rules (summary)
- Global operators do not receive tenant feedback plaintext through standard admin UI.
- Managers see team completion and nominated development views — not individual peer comments below anonymity threshold.
- HR sees campaign operations and org-wide completion — not individual sealed responses without policy.
- Imported Thomas data labeled external evidence; not merged into native trends without bridge.
Server enforcement
All matrix rows must be enforced in API handlers (forge360/auth/deps.py, route guards), not UI-only.