Access Control (Tee Time Admin)
Tee Time Admins manage a curated subset of Access Control for their own tenant. Platform Access Control Admin remains global and separate.
Capability profile
- USER_MGMT — create, read, update, delete, restore
- ROLE_MGMT — create, read, update, delete, restore
- PERMISSION_ASSIGNMENT — create, read, update, delete, restore; extra: ASSIGN, UNASSIGN, UPDATE_ASSIGNMENT
- INVITATION_MGMT — create, read, update, delete, restore
- SESSION_MGMT — read, delete; extra: REVOKE
- LOGIN_ATTEMPTS — read
Not included by default: TENANT_MGMT writes, FEATURE_MGMT, FEATURE_FLAG, PERMISSION_MGMT.
Seed TT Admin capabilities
Assign the above Access Control features to Tee Time roles OWNER and ADMIN (idempotent):
pnpm nx run access-control-client:prisma:seed-tt-ac-capabilities
This upserts features/permissions and assigns PermissionAssignments to the roles.
UI behavior
The Admin UI queries /capabilities/can and hides pages and actions the user is not allowed to access. Navigation items such as “Tenants” and “User Profiles” are hidden when the corresponding TENANT_MGMT:read or USER_MGMT:read capability is missing; route-level guards additionally block direct navigation to those pages, so hiding a link is not the only control.
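The capability profile above and the UI's feature:action checks, as an added example (not project code): the profile is modelled as a deny-by-default lookup, and the same check drives navigation visibility. Feature and action names are the ones listed on this page; the function names, the `feature:action` string form and the data shape are assumptions.

```typescript
// Added example, not the project's own code. Models the Tee Time Admin
// capability profile as a deny-by-default feature -> actions map.
const CRUD = ["create", "read", "update", "delete", "restore"] as const;

// Each feature maps to its CRUD actions plus any "extra" actions from the profile.
// Features not listed here (TENANT_MGMT, FEATURE_MGMT, FEATURE_FLAG,
// PERMISSION_MGMT) resolve to false, matching "not included by default".
const TT_ADMIN_PROFILE: Record<string, ReadonlySet<string>> = {
  USER_MGMT: new Set(CRUD),
  ROLE_MGMT: new Set(CRUD),
  PERMISSION_ASSIGNMENT: new Set([...CRUD, "ASSIGN", "UNASSIGN", "UPDATE_ASSIGNMENT"]),
  INVITATION_MGMT: new Set(CRUD),
  SESSION_MGMT: new Set(["read", "delete", "REVOKE"]),
  LOGIN_ATTEMPTS: new Set(["read"]),
};

// Capability check in "FEATURE:action" form (string form is an assumption).
// Deny by default: malformed input, unknown feature or unlisted action -> false.
function can(profile: Record<string, ReadonlySet<string>>, capability: string): boolean {
  const parts = capability.split(":");
  if (parts.length !== 2) return false;
  const [feature, action] = parts;
  if (!feature || !action) return false;
  const actions = profile[feature];
  return actions !== undefined && actions.has(action);
}

// Navigation items and the read capability each requires, as described above.
const NAV_ITEMS: ReadonlyArray<readonly [string, string]> = [
  ["Tenants", "TENANT_MGMT:read"],
  ["User Profiles", "USER_MGMT:read"],
];

// Returns only the labels whose required capability the profile grants.
function visibleNav(profile: Record<string, ReadonlySet<string>>): string[] {
  return NAV_ITEMS.filter(([, req]) => can(profile, req)).map(([label]) => label);
}
```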
Verification
Verify after seeding that each Tee Time role has at least the expected minimum number of assigned permissions:
ACCESS_CONTROL_DATABASE_URL=postgres://… pnpm nx run access-control-client:prisma:verify-teetime-acl
This script checks that OWNER, ADMIN, PROSHOP, STARTER, FINANCE, and REGISTERED meet minimum thresholds.
See also
- Full seeds taxonomy (targets, idempotency, env flags):
libs/prisma/access-control-client/prisma/SEEDS.md