# Navi Role And Permission Matrix

Audit date: 2026-05-05

Hard rule: backend permissions are authoritative. Mobile and dashboard checks are UI convenience only and must never be relied on as the security boundary.

## Required Role Matrix

| Role | Allowed screens | Blocked screens | Allowed APIs | Blocked APIs | Allowed dashboard pages | Permission keys | Data scope | Current status | Fix required |
|---|---|---|---|---|---|---|---|---|---|
| Guest | Splash, onboarding, login, signup, public home, discover, services browsing, listing detail, emergency, website marketing/legal | Saved, bookings, profile data, translator, trip generation, booking/order/payment actions, dashboard | Public APIs: health, i18n, destinations, listings, emirates, emergency, auth | Saved, bookings, payments, translator, trip planner generate, dashboard/admin/provider APIs | None | Public; seed has `destination.read.public`, `listing.read.public`, `category.read.public`, `content.read.public` | Public only | Partial: guest mode exists; some guest-blocked actions fall back to an alert or the login route | Add explicit guest smoke tests and hide/disable unsupported ordering actions |
| Tourist User | Home, discover, saved, bookings, profile/settings, translator, trip planner, emergency, listing detail booking | Dashboard/admin/provider pages, cross-user data, financial admin, provider data | Authenticated own APIs: users/me, saved, bookings/mine, booking create, payment create, trip, translator, support tickets when added | Admin users, roles, permissions, all bookings, all payments, provider-only order updates | None | `profile.read.own`, `profile.update.own`, `saved.*.own`, `booking.create`, `booking.read.own`, `order.create`, `payment.create.own`, `trip.*.own`, `ticket.*.own`, translator permission missing | Own user/session/bookings/orders/saved/trips/translations only | Partial: many own APIs exist; order/support/profile full APIs missing | Add `translator.use.own`, order APIs, profile model, support tickets |
| Premium User | Tourist screens plus premium offers/badges/advanced AI | Admin/provider/driver/support pages | Tourist APIs plus premium-only offer/AI endpoints later | Non-premium admin/provider APIs | None | Currently PREMIUM role seeded with no extra permissions | Own scope plus premium entitlements | Missing as real behavior | Define premium permissions, member badge, offers, advanced trip planner gates |
| Service Provider | Provider dashboard views, assigned listings, assigned bookings/orders, memberships, payouts, profile | Other provider data, admin role builder, user financial settings, super admin settings | Businesses assigned, listings assigned, booking/order assigned, payouts assigned, memberships assigned | All-users, all-payments unless finance/admin, other business data | Existing dashboard pages are permission-scoped: businesses, listings, bookings, payouts, memberships | `business.read.assigned`, `business.update.assigned`, `listing.read.assigned`, `listing.update.assigned`, `booking.read.assigned`, `order.read.assigned`, `payout.read.assigned`, `membership.read.assigned` | Business-scoped through memberships | Partial: scope utilities exist; provider-specific CRUD/order flows missing | Add provider listing CRUD, orders, availability, provider dashboard UX |
| Driver or Delivery Partner | Driver/delivery assigned order/ride screens | Provider/admin/support/other driver orders | Assigned taxi/order status endpoints | Unassigned orders, payments, user profile PII beyond assigned active order | None currently | Driver permissions not currently seeded | Assigned active ride/order only | Missing | Add role, permissions, assignment model, mobile/driver dashboard surfaces |
| Support Agent | Support tickets, customer lookup, booking/order lookup, emergency assistance logs, audit support view | Financial settlement changes, role builder, system settings | `ticket.read.all` when support module exists, bookings/orders support read/update, audit support | Payment settlement, payouts, role/system config | Audit logs, users/bookings/orders when built | `user.read.all`, `booking.read.all`, `booking.update.support`, `order.read.all`, `ticket.read.all`, `audit.read.support` | Platform support data, restricted financial data | Partial: role seeded; support module/pages missing | Add support APIs/pages and deny finance/system settings |
| Admin | Operations dashboard, users, providers, listings, bookings, orders, content, translations, reports | Super admin-only system integration keys/audit export if separated | Most platform CRUD except super admin-only settings | Secrets/integration key management unless super admin | Existing dashboard pages except missing orders/support/CMS pages | Current ADMIN has `*` | Platform-wide | Overpowered relative to a strict Admin/Super Admin split | Replace wildcard Admin with explicit admin permissions; keep `*` only for Super Admin |
| Super Admin | All mobile if needed, full dashboard, system settings, integrations, countries/emirates, roles, permissions, audit export | None except production break-glass policies | All APIs | None | All dashboard pages | `*`; an explicit `superadmin.system.manage` key should be added | Platform-wide global | Exists with wildcard | Add documented break-glass and audit export/system pages |

## Permission Gaps

| Area | Current permission state | Gap | Required fix |
|---|---|---|---|
| Translator | Uses `profile.read.own` | Too generic | Add `translator.use.own`, `translator.history.own`, analytics permission |
| Orders | `order.create/read.*` seed exists partly | No module/guarded endpoints | Add order manage permissions and scoped APIs |
| Driver | No role in seed | Missing assigned-only enforcement | Add `DRIVER`, `driver.order.update.assigned`, assignment model |
| Premium | Role exists without permissions | No product behavior | Add premium offers/AI permission keys |
| Admin vs Super Admin | Both use wildcard | Admin not distinct from Super Admin | Remove Admin wildcard and define explicit Admin set |
| CMS | `content.update/publish` exists | No banner/onboarding/marketing permissions | Add `banner.manage`, `onboarding.manage`, `marketing.manage` |
| Uploads | No upload permissions | Prescriptions/avatar privacy cannot be enforced | Add `upload.create.own`, `upload.read.own`, `prescription.review.assigned` |
| Support | Ticket permissions seeded partly | No support APIs/pages | Add support module using ticket permissions |

## Required Phase One Permission Key Coverage

| Permission key | Required by Phase One | Current coverage | Fix required |
|---|---|---|---|
| `auth.login` | Auth login action and audit policy | Missing as explicit key; login route is public | Add explicit auth audit policy docs; route remains public |
| `profile.read` | Profile and session restore | Covered as `profile.read.own` | Keep own-scope key; map prompt docs to existing scope |
| `profile.update` | Edit profile, settings, delete account | Covered partly as `profile.update.own`; APIs incomplete | Add profile APIs and account/session management |
| `destination.read` | Guest discovery/home | Covered as public destination/listing keys | Keep public read keys and add destination detail QA |
| `destination.save` | Heart save and saved destinations | Covered as saved own permissions | Add visible mobile mutation states and tests |
| `booking.create` | Hotel/activity/taxi booking | Exists for basic booking; quote/taxi incomplete | Add quote and taxi-specific create paths |
| `booking.cancel` | User/support cancellation | Missing dedicated cancellation key and API | Add `booking.cancel.own` and support/admin variants |
| `order.create` | Food/pharmacy/grocery/SIM orders | Permission referenced; order APIs missing | Add order module and order tests |
| `payment.manage` | Admin/finance payments/refunds | Payment/refund permissions exist but need clearer role split | Add finance/admin matrix and mobile checkout boundaries |
| `provider.listing.manage` | Provider listing management | Missing as exact key; assigned listing perms exist | Add alias or migrate to explicit provider key |
| `provider.order.manage` | Provider order status updates | Missing because order module missing | Add provider order permission and scope guard |
| `driver.order.update` | Driver assigned order/ride status | Missing | Add driver role, assignment model, permission, and tests |
| `support.ticket.manage` | Support ticket queue | Ticket permissions partly seeded; APIs/pages missing | Add support module and support dashboard |
| `admin.user.manage` | User status/admin operations | Admin wildcard currently covers too much | Add explicit user manage permissions and remove Admin wildcard |
| `admin.content.manage` | Banners/onboarding/marketing/listings content | Content perms exist partly | Add banner/onboarding/marketing/listing content keys |
| `admin.report.read` | Reports and analytics | Reports page exists; analytics APIs incomplete | Add report-specific permissions and analytics endpoints |
| `superadmin.system.manage` | System settings, integrations, platform config | Missing explicit key; Super Admin wildcard exists | Add explicit key and audit system setting changes |
| `audit.read` | Audit log visibility/export | Audit read keys exist in scoped form | Add export permissions and role-based filters |

## Backend Enforcement Points Checked

- `RbacGuard` is registered globally and enforces the permission decorators on every route.
- `JwtAuthMiddleware` resolves request user context.
- `applyScope` exists for assigned/all dashboard reads.
- Public routes use `@Public()`.
- Dashboard route visibility uses `routePermissions.ts`, but backend remains the security boundary.

## Required Role QA

1. Guest cannot save, book, order, translate, or access profile data.
2. Tourist cannot access dashboard APIs.
3. Provider cannot read another provider's business, listings, bookings, orders, or payouts.
4. Driver cannot update unassigned orders/rides.
5. Support cannot approve refunds or view payout settings.
6. Admin can manage platform operations but, after the role split, cannot reach Super Admin system secrets.
7. Super Admin can access all pages, and every sensitive action writes an audit log entry.
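The following TypeScript module is an added example, not Navi's own code. It models the permission keys from the role matrix and the gaps table (the `*` wildcard, segment globs such as `saved.*.own`, and the `.public` / `.own` / `.assigned` / `.all` scope suffixes) with a hypothetical `hasPermission` / `resolveScope` / `visibleRows` trio standing in for `RbacGuard` and `applyScope`, then reduces the Required Role QA items above to boolean checks over that model. The explicit Admin set, the `DRIVER` entry (using the key proposed in the gaps table), the `Requester`/`Row` shapes and the sample bookings are assumptions constructed for the example.

```typescript
// Added example, not Navi's own code. Models the role matrix with a
// hypothetical hasPermission / resolveScope / visibleRows trio standing in
// for RbacGuard + applyScope. Role key sets are copied from the matrix where
// the page lists them; entries marked "assumed" are constructed here.

type Scope = "all" | "assigned" | "own" | "public";

const ROLE_PERMISSIONS: Record<string, string[]> = {
  GUEST: ["destination.read.public", "listing.read.public", "category.read.public", "content.read.public"],
  TOURIST: ["profile.read.own", "profile.update.own", "saved.*.own", "booking.create", "booking.read.own",
    "order.create", "payment.create.own", "trip.*.own", "ticket.*.own"], // translator key missing, as audited
  PROVIDER: ["business.read.assigned", "business.update.assigned", "listing.read.assigned", "listing.update.assigned",
    "booking.read.assigned", "order.read.assigned", "payout.read.assigned", "membership.read.assigned"],
  DRIVER: ["driver.order.update.assigned"],                 // key proposed in the gaps table, not yet seeded
  SUPPORT: ["user.read.all", "booking.read.all", "booking.update.support", "order.read.all", "ticket.read.all", "audit.read.support"],
  ADMIN_CURRENT: ["*"],                                      // today's seed: wildcard
  ADMIN_EXPLICIT: ["user.read.all", "user.update.all", "listing.read.all", "booking.read.all", "order.read.all",
    "content.update", "content.publish", "audit.read.all"],  // assumed explicit set; the audit asks for one
  SUPER_ADMIN: ["*", "superadmin.system.manage"],
};

// Segment-wise glob match: "*" alone grants everything; a "*" segment matches
// exactly one segment, so "saved.*.own" covers saved.create.own but not saved.create.all.
function matches(pattern: string, key: string): boolean {
  if (pattern === "*") return true;
  const p = pattern.split(".");
  const k = key.split(".");
  return p.length === k.length && p.every((seg, i) => seg === "*" || seg === k[i]);
}

function hasPermission(role: string, key: string): boolean {
  return (ROLE_PERMISSIONS[role] ?? []).some((pattern) => matches(pattern, key));
}

// Widest scope a role holds for an action such as "booking.read"; null means deny.
const SCOPE_ORDER: Scope[] = ["all", "assigned", "own", "public"];

function resolveScope(role: string, action: string): Scope | null {
  for (const scope of SCOPE_ORDER) {
    if (hasPermission(role, `${action}.${scope}`)) return scope;
  }
  return null;
}

interface Requester { userId: string; businessIds: string[] }   // businessIds come from memberships
interface Row { id: string; ownerId: string; businessId?: string; isPublic?: boolean }

// Backend-side row filter in the spirit of applyScope: no matching key, no rows.
function visibleRows(role: string, action: string, who: Requester, rows: Row[]): Row[] {
  const scope = resolveScope(role, action);
  if (scope === "all") return rows;
  if (scope === "assigned") return rows.filter((r) => r.businessId !== undefined && who.businessIds.includes(r.businessId));
  if (scope === "own") return rows.filter((r) => r.ownerId === who.userId);
  if (scope === "public") return rows.filter((r) => r.isPublic === true);
  return [];
}

// Constructed sample bookings: two businesses, two owners.
const SAMPLE_BOOKINGS: Row[] = [
  { id: "b1", ownerId: "u1", businessId: "biz-a" },
  { id: "b2", ownerId: "u2", businessId: "biz-a" },
  { id: "b3", ownerId: "u2", businessId: "biz-b" },
];

// The Required Role QA items, each reduced to a boolean over the model.
function runRoleQa(): Record<string, boolean> {
  const provider: Requester = { userId: "p1", businessIds: ["biz-a"] };
  const providerRows = visibleRows("PROVIDER", "booking.read", provider, SAMPLE_BOOKINGS);
  return {
    guestCannotSaveBookOrderTranslateOrReadProfile:
      ["saved.create.own", "booking.create", "order.create", "translator.use.own", "profile.read.own"]
        .every((k) => !hasPermission("GUEST", k)),
    touristCannotReachDashboardApis:
      ["user.read.all", "booking.read.all", "payment.manage"].every((k) => !hasPermission("TOURIST", k)),
    providerSeesOnlyAssignedBusiness:
      providerRows.length === 2 && providerRows.every((r) => r.businessId === "biz-a"),
    driverLimitedToAssigned:
      resolveScope("DRIVER", "driver.order.update") === "assigned" && !hasPermission("DRIVER", "driver.order.update.all"),
    supportCannotTouchFinance:
      !hasPermission("SUPPORT", "payment.manage") && resolveScope("SUPPORT", "payout.read") === null,
    wildcardAdminReachesSystemSettings: hasPermission("ADMIN_CURRENT", "superadmin.system.manage"), // the audit finding
    explicitAdminDeniedSystemSettings: !hasPermission("ADMIN_EXPLICIT", "superadmin.system.manage"),
    superAdminHoldsEverything:
      hasPermission("SUPER_ADMIN", "superadmin.system.manage") && resolveScope("SUPER_ADMIN", "payout.read") === "all",
  };
}
```

`runRoleQa()` returns every item as `true` against this model; the `wildcardAdminReachesSystemSettings` entry is the Admin/Super Admin finding itself (a wildcard Admin passes a check it should fail), which is why the explicit set is modelled beside it. Because `resolveScope` returns `null` when no scoped key matches, `visibleRows` fails closed, which is the behaviour the hard rule at the top of the page requires of the backend.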
