# RBAC Operational Roles Matrix

Date: 2026-05-20

This matrix defines the operational staff roles for ECOLE ECOIN. `super_admin` remains the only role with every permission. `admin` is now a basic operational administrator, not a hidden super admin.

## Roles

| Role key | Arabic label | Purpose |
|---|---|---|
| `registration_officer` | موظف التسجيلات | Handles registration follow-up, WhatsApp enrollment journey, and basic payment visibility. |
| `training_manager` | مسؤول التكوين والحصص | Manages courses, cohorts, sessions, rooms, attendance, instructors, and certificates until training completion. |
| `corporate_manager` | مسؤول المؤسسات | Manages B2B leads, organizations, proposals, agreements, corporate cohorts, trainees, attendance, and corporate reports. |
| `finance_officer` | مسؤول المالية | Manages payments, expenses, revenues, corporate invoices, corporate payments, receivables, credit notes, and financial reports. |
| `general_manager` | الإدارة العامة والإحصائيات | View-only executive role for dashboards, reports, statistics, and operational visibility. |
| `admin` | مدير أساسي | Handles basic platform operations without full finance, corporate finance, or permission assignment powers. |
| `super_admin` | مدير أعلى | Full access for ownership and technical support. |

## Separation Rules

- Registration staff cannot approve, reject, or refund payments.
- Training managers cannot access finance or corporate proposal workflows.
- Corporate managers cannot allocate corporate payments or manage finance receivables.
- Finance officers cannot mutate training/cohort operations or create corporate proposals.
- General managers are view/report-oriented and should not approve, allocate, or mutate operations.
- Admins do not receive `permissions.assign`, `corporate_finance.view`, or finance expense/revenue powers by default.
- Super admins keep all permissions and should be reserved for support/ownership.

## How To Apply

Run:

```bash
php artisan db:seed --class=RolesAndPermissionsSeeder
```

Then assign users from:

```text
/admin/security/users
```

The selectable roles are driven by `PermissionCatalog::CORE_ROLES`.

## Important Compatibility Notes

- `support`, `teacher`, and `student` remain core roles for existing workflows.
- Legacy roles such as `finance_manager`, `finance_reporting`, and `finance_reviewer` remain available to avoid breaking existing accounts.
- `finance` and `finance_manager` are mapped to the new finance behavior in the Gate fallback.
- `finance_reporting` is mapped to the general manager style view/report behavior in the Gate fallback.
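The separation rules above and the legacy-role mapping in these notes are invariants that can be checked mechanically against whatever the seeder produced. The following is an added example, not code from this project: it normalizes legacy role keys to the new role keys (as the Gate fallback does) and then reports any permission a role holds that the separation rules forbid. The role-to-permission sample and every permission key other than `permissions.assign` and `corporate_finance.view` are constructed assumptions; the real catalog keys live in `PermissionCatalog`.

```php
<?php
// Added example (not the project's own code). Encodes the separation rules
// from this document as an invariant check over a role => permission map.
// The permission keys and the sample map below are constructed; only
// `permissions.assign` and `corporate_finance.view` come from the document.

declare(strict_types=1);

// Legacy role keys mapped onto the new operational roles, mirroring the
// Gate fallback described under "Important Compatibility Notes".
const LEGACY_ROLE_ALIASES = [
    'finance'           => 'finance_officer',
    'finance_manager'   => 'finance_officer',
    'finance_reporting' => 'general_manager',
];

// Per role: permission keys or patterns that role must never hold.
// A '*' stands for one or more dotted segments (constructed naming scheme).
const SEPARATION_RULES = [
    'registration_officer' => ['payments.approve', 'payments.reject', 'payments.refund'],
    'training_manager'     => ['finance.*', 'corporate_proposals.*'],
    'corporate_manager'    => ['corporate_payments.allocate', 'finance.receivables.*'],
    'finance_officer'      => ['training.*', 'cohorts.*', 'corporate_proposals.create'],
    'general_manager'      => ['*.approve', '*.allocate', '*.create', '*.update', '*.delete'],
    'admin'                => ['permissions.assign', 'corporate_finance.view',
                               'finance.expenses.*', 'finance.revenues.*'],
];

function normalizeRole(string $role): string
{
    return LEGACY_ROLE_ALIASES[$role] ?? $role;
}

function permissionMatches(string $pattern, string $permission): bool
{
    if ($pattern === $permission) {
        return true;
    }
    // Turn the wildcard pattern into a regex; preg_quote escapes '*' as '\*'.
    $regex = '/^' . str_replace('\*', '.+', preg_quote($pattern, '/')) . '$/';
    return preg_match($regex, $permission) === 1;
}

/**
 * Returns "role: permission" strings for every permission a role holds in
 * violation of the separation rules. An empty array means compliant.
 * super_admin has no rule entry, so it is never reported.
 */
function separationViolations(array $rolePermissions): array
{
    $violations = [];
    foreach ($rolePermissions as $role => $permissions) {
        $effectiveRole = normalizeRole($role);
        foreach (SEPARATION_RULES[$effectiveRole] ?? [] as $forbidden) {
            foreach ($permissions as $permission) {
                if (permissionMatches($forbidden, $permission)) {
                    $violations[] = "$role: $permission";
                }
            }
        }
    }
    return $violations;
}

// Constructed sample: a seeded map with one legacy finance_manager account
// and one deliberate admin misconfiguration.
$sample = [
    'registration_officer' => ['registrations.view', 'payments.view'],
    'finance_manager'      => ['payments.approve', 'finance.expenses.create', 'training.update'],
    'admin'                => ['users.view', 'permissions.assign'],
    'super_admin'          => ['permissions.assign', 'corporate_finance.view'],
];

foreach (separationViolations($sample) as $violation) {
    echo "VIOLATION $violation\n";
}
// Reports finance_manager: training.update (legacy role treated as finance_officer)
// and admin: permissions.assign; super_admin is exempt.
```

Running the file with `php` prints one line per violation. In the real project the same check belongs in the targeted test under Verification, fed by the catalog that the seeder writes, so that a drifting role definition fails CI instead of silently widening a role.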

## Verification

Targeted test:

```bash
php artisan test tests/Unit/Security/OperationalRolePermissionCatalogTest.php --stop-on-failure
```
