Role Access Matrix

Role Definition

Source: App\\Models\\User + AuthServiceProvider + middleware access:*.

Roles	Code	Short Description
Head Admin	head_admin	main approval and full control
Projects	project	project account owner
SPV	spv	project supervisor
Logistics	logistics	supplier/logistics management
Logistics Admin	logistics_admin	variations in logistics access
Accounting	accounting	payment/tax process
Accounting Admin	accounting_admin	accounting with additional rights
SPK	spk	SPK module management
PM	pm	roles available in Gate/model (limited use of specific routes)

Functional Matrix

Areas	Head Admin	Projects	SPV	Logistics/Logistics Admin	Accounting	SPK
Project master	CRUD	-	-	-	-	-
Employeemaster	CRUD	-	-	-	-	-
Master Supplier	CRUD	-	-	CRUD	-	CRUD (supplier route access includes spk)
SPB create/update	approve/delete	create/update	read/list	download/list	-	-
PO create/update	approve/cancel/delete	status updates	status updates	create/download/mark supplier	read	-
PO Payment	approve/verify	-	-	-	update/check/submit	-
Payment Split	approve/paid	-	-	-	update/verify/paid	-
SPK contract	approve/reject/finish	list/detail (depending on project access)	-	-	list/detail/accounting	create/update/payment
SPK payment	approve/reject/revise	-	-	-	edit/update/accounting	create/update/delete

Middleware Summary

• auth: web login required.
• auth:sanctum: API token.
• access:...: granular role validation.
• tmd-bsa: basic auth for certain API docs endpoints.

Edge Cases

• The accounting_admin role is considered valid on some accounting accesses (see middleware).
• The project user role will be logged out automatically if the related project has been soft-deleted.

Verification Notes

• Status: Partial
• Scope: The use of the pm role on production endpoints has not been dominant in route audit results.
• Action: Validate real access based on business policy + endpoint usage logs.