permission-lifecycle-matrix · supabase_json
B2BEA.org V1 Permission + Lifecycle Matrix
permission-lifecycle-matrix artifact · for B2BEA.org Rebuild · status approved
Agent Handoff
Start Here
permission-lifecycle-matrix artifact · for B2BEA.org Rebuild · status approved
Completion Evidence
No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.
Artifact Shape
- roles: 10 items
- title: B2BEA.org V1 Permission + Lifecycle Matrix
- version: 1
- decisions: 6 items
- principle: Keep internal B2BEA admin simple; enforce external self-service, entitlements, ownership, lifecycle, and public visibility rules rigorously.
- project id: a820dd0c-6cef-4133-bfbd-d802fd806e44
- updated at: 2026-05-06T20:00:08.982Z
- admin model: not_v1: object, v1_rule: string, core_admins: object, required_controls: object
- artifact type: permission-lifecycle-matrix
- next artifacts: 5 items
- lifecycle matrix: 19 items
- source artifacts: 2 items
Structured Payload
Machine-readable source fields
roles
| role | description | access boundary |
|---|---|---|
| anonymous | Unauthenticated public visitor. | Public content, ungated forms, public surveys, vendor/person/job/event pages, signup/login. |
| member | Authenticated individual with a profile. | Own profile, own learning, own survey responses, member resources according to entitlements. |
| pro_member | Member with paid/pro entitlement. | Pro gated resources, eligible academy/content/event benefits. |
| vendor_admin | Vendor user who manages a vendor account. | Own vendor profile submissions, vendor team, content submissions, leads/analytics/billing when enabled. |
| vendor_member | Vendor team member with limited vendor workspace access. | Vendor workspace sections assigned by vendor admin. |
| company_admin | Practitioner company user who manages company access. | Own company employees, seats, academy/careers access, company entitlements, team reporting. |
| company_employee | Employee under a practitioner company account. | Assigned academy/career/resources benefits, own profile and progress. |
| author | Content contributor. | Own drafts/submissions where enabled; public publishing controlled by B2BEA admin/editorial workflow. |
| b2bea_admin | Trusted B2BEA core admin team. | Full internal operations for V1; simple team trust model with audit for material changes. |
| system | Automations, scheduled jobs, integrations. | Narrow service actions for notifications, analytics, imports, syncs, and lifecycle events. |
title
B2BEA.org V1 Permission + Lifecycle Matrix
version
1
decisions
| id | topic | decision | rationale |
|---|---|---|---|
| DEC-001 | Public practitioner company profiles | Exclude from V1. Vendor public profiles are V1; practitioner company accounts are private workspace only. | Practitioner company value in V1 is operational access for seats, academy, careers, entitlements, and team reporting. Public company pages would add a new public directory/moderation surface without being required for V1. |
| DEC-002 | Company-created jobs | Require B2BEA admin review before public publishing in V1. | |
| DEC-003 | Sanity versus Supabase source of truth | Sanity owns editorial/public content. B2BEA Supabase owns application and operational data, including people, company, vendor, membership, course, survey, job, event, analytics, and notification records. | |
| DEC-004 | Notifications | V1 is email-first with an internal notification event log. In-app notifications are designed for later unless a surface explicitly needs them. | |
| DEC-005 | CRM source of truth | HubSpot is the primary CRM for leads, pipeline, sales activity, and renewals. B2BEA Supabase owns website profiles and operational entities. | |
| DEC-006 | Vendor and company analytics exports | V1 allows bounded own-account exports only. No raw platform-wide data, cross-account comparisons, or sensitive user-level data unless explicitly consented and permitted. |
principle
Keep internal B2BEA admin simple; enforce external self-service, entitlements, ownership, lifecycle, and public visibility rules rigorously.
project id
a820dd0c-6cef-4133-bfbd-d802fd806e44
updated at
2026-05-06T20:00:08.982Z
admin model
not v1
- granular internal admin privilege tiers
- multi-step internal approval chains for the core team
v1 rule
All three can make core site/admin changes. Avoid complex internal admin tiers for V1.
core admins
- Brett
- Sarah
- Justin
required controls
- preview
- status
- publish/archive
- rollback where feasible
- audit events for public/material changes
- required fields and validation
artifact type
permission-lifecycle-matrix
next artifacts
- design-system-spec
- publishing-model-spec
- data-model-spec
- surface-specs
- security-privacy-spec
lifecycle matrix
| owner | entity | states | approval rule | source of truth | public visibility |
|---|---|---|---|---|---|
| b2bea_admin | Sanity standard page | - draft - preview - scheduled - published - archived | Core admin can publish directly; audit material public changes. | Sanity | published only |
| b2bea_admin | Custom HTML landing/resource page | - draft - preview - published - archived - rolled_back | Core admin can publish directly; rollback/archive required. | code/import registry | published only |
| b2bea_admin or author/vendor by submission | Article/resource/guide/report | - draft - submitted - in_review - approved - scheduled - published - rejected - archived | Vendor/author submissions require B2BEA review. | Sanity plus Supabase tracking as needed | published only |
| vendor_admin plus b2bea_admin | Vendor profile | - unclaimed - claimed - update_submitted - in_review - approved - published - rejected - archived | Vendor changes submit for admin approval before public projection changes. | Supabase | approved/published fields only |
| member | Member profile | - incomplete - active - public_profile_enabled - hidden - suspended | Member edits own profile; public display rules validated by system. | Supabase | public projection only when enabled/eligible |
| company_admin plus b2bea_admin | Company workspace/account | - prospect - active - suspended - expired - archived | Company admin manages own workspace within entitlement limits; no public profile publishing in V1. | Supabase | Private workspace only in V1. No public practitioner company profiles. |
| company_admin | Company employee seat | - invited - active - removed - expired | Company admin manages seats within purchased/assigned entitlement. | Supabase | private |
| b2bea_admin | Course | - draft - preview - published - retired - archived | Core admin can publish directly. | Supabase/Sanity decision needed | catalog visibility by status and entitlement |
| member/company_admin/b2bea_admin | Enrollment/course assignment | - assigned - enrolled - in_progress - completed - expired - revoked | Assignment must pass entitlement checks. | Supabase | private to learner/company/admin |
| member plus b2bea_admin | Certificate | - eligible - issued - revoked - expired | System/admin issues only when completion criteria pass. | Supabase | private unless member shares/public enabled |
| b2bea_admin | Survey | - draft - preview - published - closed - archived | Core admin can publish; audience and result visibility required. | Supabase | published surveys according to audience |
| respondent | Survey response | - started - submitted - invalidated - deleted | Respondent can submit; admin can analyze/export according to privacy rules. | Supabase | private/aggregated unless explicit results display |
| b2bea_admin | Form | - draft - preview - published - closed - archived | Core admin can publish directly. | Supabase or Sanity decision needed | published only |
| submitter plus b2bea_admin | Form submission | - submitted - triaged - assigned - in_progress - resolved - spam - archived | Admin reviews and assigns. | Supabase | private |
| b2bea_admin or company_admin | Job posting | - draft - submitted - in_review - published - closed - rejected - archived | Company-created jobs require B2BEA admin review before public publishing in V1. | Supabase | published only |
| b2bea_admin | Event | - draft - preview - published - registration_open - sold_out - completed - archived | Core admin can publish directly. | Supabase/Sanity decision needed | published and registration states |
| vendor_admin plus b2bea_admin | Vendor sponsorship | - draft - submitted - in_review - approved - active - fulfilled - rejected - archived | Vendor submissions require B2BEA approval. | Supabase | active/approved sponsor assets only |
| system | Notification | - queued - sent - delivered - failed - suppressed | Triggered by lifecycle events and user preferences. | Supabase plus provider logs | private to recipient/admin logs |
| b2bea_admin | Lead/opportunity | - new - assigned - contacted - qualified - converted - lost - archived | Internal sales/admin workflow in HubSpot; B2BEA.org routes qualified intake to CRM. | HubSpot primary CRM; B2BEA Supabase stores site intake/submission references as needed | private admin only |
source artifacts
| version | artifact id | artifact type |
|---|---|---|
| 3 | c889a1fe-c3ce-4b0d-873c-af4e0ec8dfe4 | capability-map |
| 1 | 80328220-3deb-4cf9-a68f-d440b41a38da | production-readiness-gap-register |
enforcement rules
- Public read paths can be static/client-rendered when data is already public.
- Any mutation by members, vendors, companies, or anonymous users needs server-side validation and ownership checks.
- Entitlement decisions should not rely only on client-side checks.
- Vendor/company/member data updates must validate ownership before write.
- Public projection changes should be auditable even when the core admin team can publish directly.
- Billing, membership, course access, survey assignment, and company seats require explicit entitlement checks.
- Export actions require role checks and audit events because they can expose sensitive data.
permission matrix
| area | member | anonymous | pro member | b2bea admin | vendor admin |
|---|---|---|---|---|---|
| Public pages and directories | read | read | read | create/update/publish/archive | read |
| Custom HTML landing/resource pages | read by gate | read when published | read by gate | import/preview/publish/archive/rollback | none unless sponsor workflow |
| Sanity standard pages | read by gate | read when published | read by gate | create/update/preview/schedule/publish/archive | submit where enabled |
| Member profile | read/update own | read public projection only | read/update own | read/update/support | read own person only |
| Vendor profile | read published | read published | read published | create/update/approve/publish/archive | submit updates for own vendor |
| Vendor content submissions | none | none | none | review/approve/reject/publish/archive | create/update own submissions |
| Company workspace | none unless employee | none | none unless employee | create/update/support/audit | none |
| Academy courses | enroll/take if entitled | browse public catalog | enroll/take if entitled | create/update/enroll/manage | manage vendor-submitted courses when enabled |
| Surveys | take assigned/member surveys | take public surveys | take assigned/member surveys | create/publish/analyze/export | view vendor-owned results if enabled |
| Jobs and careers | apply/manage own activity | read published jobs/apply where public | apply/manage own activity | create/review/publish/archive | none unless sponsor/employer flow |
| Events and sponsorship | register/manage own registrations | read/register public events | register/manage eligible benefits | create/manage/publish/export | sponsor/manage own sponsorship assets |
| Billing and memberships | manage own membership where enabled | start checkout/application | manage own membership | support/manage/administer | manage own vendor billing |
| Analytics and reporting | own history only | none | own history only | platform analytics/export | own vendor analytics/leads |
unresolved decisions
No items captured.