# Navi Role Permission Demo Matrix

Date: 2026-05-05

This matrix defines the intended Phase One role model and maps it to the current backend permission catalog. Backend RBAC is authoritative; mobile and dashboard checks are user experience gates only and must not be relied on for enforcement.

| Role | Demo user | Allowed screens/pages | Blocked screens/pages | Core permission keys | Data scope | Current status | Priority |
|---|---|---|---|---|---|---|---|
| Guest | No account | Public website, onboarding, public home, discover, listing detail, emergency | Saved, bookings, orders, profile, dashboard, protected APIs | `destination.read.public`, `listing.read.public`, `category.read.public`, `content.read.public` | Public data only | Connected | P0 |
| Tourist User | `tourist@navi.demo` | Mobile customer tabs, profile, saved, bookings, trip planner, translator | Dashboard/admin/provider pages | `profile.read.own`, `profile.update.own`, `destination.save.own`, `booking.create.own`, `booking.read.own`, `order.create.own`, `order.read.own`, `payment.create.own`, `trip.create.own`, `trip.read.own` | Own user data | Partial alias mapping needed | P0 |
| Premium User | `premium@navi.demo` | Tourist screens plus premium badge/offers/planner options | Dashboard/admin/provider pages | Tourist keys plus premium feature flags | Own user data | Role exists but currently has no additional permissions | P1 |
| Partner Owner | `hotel.owner@navi.demo`, service owners | Provider dashboard, own business, own listings, own bookings/orders, own payouts/reports, team management | Other providers, Super Admin settings, platform roles | `provider.read.own`, `provider.update.own`, `provider.team.manage.own`, `provider.listing.create.own`, `provider.listing.update.own`, `provider.order.read.own`, `provider.order.update.own` | Own business membership | Partial via partner role codes and memberships | P0 |
| Provider Manager | `provider.manager@navi.demo` | Assigned provider operations, listings/orders/bookings/availability | Bank/payout ownership, role/permission/system settings | `provider.listing.update.own`, `provider.order.read.own`, `provider.order.update.own`, `booking.read.assigned` | Assigned business | Needs explicit seeded role | P1 |
| Provider Staff | `provider.staff@navi.demo` | Assigned operational items/status checklists | Payouts, team, ownership, roles | Limited assigned provider order/booking permissions | Assigned business and assigned items | Needs explicit seeded role | P1 |
| Driver or Delivery Partner | `driver@navi.demo` | Assigned jobs, pickup/delivery status | Unassigned orders, provider admin, payouts, system settings | `driver.order.read.assigned`, `driver.order.update.assigned` | Assigned jobs only | Permission aliases missing; assignment model missing | P1 |
| Support Agent | `support@navi.demo` | Tickets, customer lookup, booking/order lookup, emergency support logs | Payment provider settings, payouts, system settings, roles | `support.ticket.read.assigned`, `support.ticket.manage.assigned`, `ticket.read.all`, `booking.read.all`, `order.read.all`, `audit.read.support` | Support queue/customer support data | Partial | P1 |
| Admin | `admin@navi.demo` | Operational dashboard, users, providers, listings, bookings, orders, content, reports, support, audit where allowed | Super Admin settings unless granted | `admin.user.read`, `admin.user.write`, `admin.provider.read`, `admin.provider.write`, `admin.content.read`, `admin.content.write`, `admin.report.read`, `admin.audit.read` | Platform operations | Current ADMIN has wildcard; needs policy decision | P0 |
| Super Admin | `superadmin@navi.demo` | Full platform, roles, permissions, integrations, feature flags, demo access, system settings | None | `*`, `superadmin.system.manage`, `superadmin.role.manage`, `superadmin.permission.manage`, `superadmin.integration.manage` | Global | Connected by wildcard; explicit keys should be seeded | P0 |

## Enforcement Notes

- Public routes must be explicitly marked `@Public()`; a route without the marker is not public.
- Protected routes must declare their permission keys with `RequirePermissions` (every listed key required) or `RequireAnyPermissions` (at least one listed key required).
- Provider, staff and driver data scope cannot be proven by a permission key alone: `provider.order.read.own` says the caller may read provider orders, not which provider's. APIs must additionally filter by `RequestContext.memberships` or by assignment records.
- Existing roles still use older permission names such as `booking.create` and `saved.create.own`. This branch should seed the requested permission aliases and map them onto the roles so that new tests and docs have stable names.
- Demo access must go through the normal auth flow. The frontend must never mint tokens.
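
The following is an added example, not Navi project code, covering the matrix above and the enforcement notes: alias resolution from the legacy key names, the all/any guard semantics, a wildcard held only by Super Admin, and membership or assignment based data scoping on top of the permission check. The role codes, `PERMISSION_ALIASES`, the `RequestContext` shape (including an `assignedOrderIds` field standing in for assignment records), the `demoContext` helper and the sample orders are assumptions constructed for illustration; the permission keys are the ones the matrix lists.

```typescript
// Added example (not Navi project code). Role codes, PERMISSION_ALIASES, the
// RequestContext shape and the sample orders are assumptions for illustration.

interface Membership { providerId: string; role: "owner" | "manager" | "staff"; }

interface RequestContext {
  userId: string | null;       // null for Guest (no account)
  roles: string[];             // role codes from the authenticated session
  memberships: Membership[];   // provider memberships: scope for owner/manager/staff
  assignedOrderIds: string[];  // assignment records: scope for drivers (assumed shape)
}

// Legacy permission name -> canonical key. Seeded roles may still carry the
// legacy names; checks and docs use the canonical ones.
const PERMISSION_ALIASES: Record<string, string> = {
  "booking.create": "booking.create.own",
  "saved.create.own": "destination.save.own",
};

// Subset of the matrix, using legacy names where the existing seed has them.
// ADMIN is seeded with explicit keys here instead of the current wildcard.
const ROLE_PERMISSIONS: Record<string, string[]> = {
  GUEST: ["destination.read.public", "listing.read.public", "category.read.public", "content.read.public"],
  TOURIST: ["profile.read.own", "profile.update.own", "saved.create.own", "booking.create",
            "booking.read.own", "order.create.own", "order.read.own"],
  PARTNER_OWNER: ["provider.read.own", "provider.update.own", "provider.order.read.own", "provider.order.update.own"],
  DRIVER: ["driver.order.read.assigned", "driver.order.update.assigned"],
  SUPPORT: ["support.ticket.read.assigned", "booking.read.all", "order.read.all"],
  ADMIN: ["admin.user.read", "admin.user.write", "admin.report.read"],
  SUPER_ADMIN: ["*"],  // the only role that holds the wildcard
};

function canonical(key: string): string {
  return PERMISSION_ALIASES[key] ?? key;
}

// Public (GUEST) keys are assumed to apply to every caller; role keys are
// unioned on top. Unknown role codes grant nothing (fail closed).
function effectivePermissions(ctx: RequestContext): Set<string> {
  const granted = new Set<string>();
  for (const role of ["GUEST", ...ctx.roles]) {
    for (const key of ROLE_PERMISSIONS[role] ?? []) granted.add(canonical(key));
  }
  return granted;
}

function hasPermission(ctx: RequestContext, key: string): boolean {
  const granted = effectivePermissions(ctx);
  return granted.has("*") || granted.has(canonical(key));
}

// Same semantics as the RequirePermissions / RequireAnyPermissions guards.
// An empty key list denies, so a route cannot be protected by accident with nothing.
function requirePermissions(ctx: RequestContext, ...keys: string[]): boolean {
  return keys.length > 0 && keys.every((k) => hasPermission(ctx, k));
}
function requireAnyPermissions(ctx: RequestContext, ...keys: string[]): boolean {
  return keys.some((k) => hasPermission(ctx, k));
}

interface ProviderOrder { id: string; providerId: string; }

// Data scope: the permission says the caller MAY read provider orders; the
// membership or assignment records say WHICH ones. Falls through to an empty
// result rather than returning unscoped rows.
function scopeProviderOrders(ctx: RequestContext, orders: ProviderOrder[]): ProviderOrder[] {
  if (hasPermission(ctx, "order.read.all")) return orders;  // support, super admin
  if (hasPermission(ctx, "provider.order.read.own")) {
    const mine = new Set(ctx.memberships.map((m) => m.providerId));
    return orders.filter((o) => mine.has(o.providerId));
  }
  if (hasPermission(ctx, "driver.order.read.assigned")) {
    const assigned = new Set(ctx.assignedOrderIds);
    return orders.filter((o) => assigned.has(o.id));
  }
  return [];
}

// Constructed sample data: two providers, three orders.
const demoOrders: ProviderOrder[] = [
  { id: "o1", providerId: "hotel-1" },
  { id: "o2", providerId: "hotel-1" },
  { id: "o3", providerId: "tours-2" },
];

function demoContext(roles: string[], memberships: Membership[] = [], assignedOrderIds: string[] = []): RequestContext {
  return { userId: roles.length > 0 ? "demo-user" : null, roles, memberships, assignedOrderIds };
}

// hotel.owner@navi.demo is a member of hotel-1 only, so tours-2's order is filtered out
// even though the role holds provider.order.read.own.
const owner = demoContext(["PARTNER_OWNER"], [{ providerId: "hotel-1", role: "owner" }]);
console.log(scopeProviderOrders(owner, demoOrders).map((o) => o.id));  // ["o1", "o2"]
```

The point to carry into the real guards is the last function: a member of `hotel-1` passes the `provider.order.read.own` check for every provider's orders, so the membership filter is the only thing standing between that owner and another provider's data. The alias table also means a guard written against `booking.create.own` keeps working while the seed still grants `booking.create`.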

