
Per-view & per-vault ACL

Section permissions (R/W/E/D) are the outer gate. For some surfaces, that’s not granular enough — a Sales rep with cars:read = true should see their assigned yard’s cars, not every car in the company. The platform layers inner gates for this.

  1. Section visibility — does this role see the route/sidebar item at all? (cars:read, vaults:read)
  2. Sub-tab or sub-content gating — within a shared section, does this role see this particular tab/view? (Saved views; vault-row visibility)
  3. Row-level scoping — within an accessible view, which rows are returned? (Per-location ACL filters; per-vault ACL gates)

All three must pass for the user to see a row.

Each saved view carries a per-role bindings table. Each binding has:

  • Visible toggle — does this role see the view in the tab strip?
  • Offering price toggle — can this role edit internalOfferingPrice on rows in this view?

A role with no binding to a view doesn’t see it. A role bound to multiple views sees a tab strip with one tab per view.

Same pattern, applied to vaults. Each vault row has per-role bindings:

  • Visible toggle — does this role see the vault in /vaults?
  • Write toggle — can this role create transactions on this vault?

A role bound only to “Cash KEB USD” can’t see “Cash KEB KRW” — the vault is filtered out of every list query for them.

The next layer for cars uses locations (not views) as the action ACL primitive. Each role gets per-location flags:

  • canSee — see cars at this location
  • canEdit — modify cars at this location
  • canMoveOut — initiate a location change away
  • canReceive — accept a location change to this location
  • canSell — issue an invoice for cars at this location

Today only canSee is enforced; the other flags are persisted in preparation for the enforcement layer. See Locations and the open plan.

A Sales role with:

  • cars:read = true, cars:edit = true (section layer — passes)
  • Bound to the “Showroom A” view, canEditOfferingPrice = true (sub-tab layer — passes)
  • (Future) canSell = true on the Showroom A location, canSee = true on Showroom A (row layer — passes)

…can see cars at Showroom A, edit their offering price, and issue invoices against them. It sees nothing at the Korea yard. The platform composes all three gates; missing any one means no access.
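The composition above as a deny-by-default check. This is an added example, not the platform's own code. The object shapes and the names `sectionAllows`, `viewBinding`, `canSeeRow` and `listCars` are assumptions, as is the rule that editing the offering price needs both `cars:edit` and the view toggle.

```javascript
// Added illustration; data shapes and function names are assumptions, not the platform's API.
// Constructed sample policy for one Sales role.
const salesRole = {
  sections: { "cars:read": true, "cars:edit": true },
  views: { "Showroom A": { visible: true, canEditOfferingPrice: true } },
  // canSell is persisted but, per the page, not enforced today.
  locations: { "Showroom A": { canSee: true, canSell: true } },
};

// Constructed sample rows.
const cars = [
  { id: 1, location: "Showroom A" },
  { id: 2, location: "Korea yard" },
];

// Gate 1: section permission. Anything other than an explicit true is a deny.
function sectionAllows(role, perm) {
  return role.sections?.[perm] === true;
}

// Gate 2: view binding. A missing binding or visible !== true hides the view.
function viewBinding(role, viewName) {
  const binding = role.views?.[viewName];
  return binding && binding.visible === true ? binding : null;
}

// Gate 3: row-level scoping on the per-location canSee flag.
// A location with no entry for the role is treated as not visible.
function canSeeRow(role, row) {
  return role.locations?.[row.location]?.canSee === true;
}

// Compose the gates: every one must pass, and each failure returns no rows.
// `rows` stands for whatever the view's own query selected (assumption).
function listCars(role, viewName, rows) {
  if (!sectionAllows(role, "cars:read")) return [];
  const binding = viewBinding(role, viewName);
  if (!binding) return [];
  const mayEditPrice =
    sectionAllows(role, "cars:edit") && binding.canEditOfferingPrice === true;
  return rows
    .filter((row) => canSeeRow(role, row))
    .map((row) => ({ ...row, canEditOfferingPrice: mayEditPrice }));
}
```

Applying the filter inside the list query itself, rather than hiding rows in the UI, is what keeps a row from leaking through exports or direct API calls.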