RBAC and Scope / Account Isolation Rules

| ID | Business Rule | Status |
|---|---|---|
| BR-RBAC-001 | Every protected action must check authentication. | Confirmed |
| BR-RBAC-002 | Every protected action must check role permission. | Confirmed |
| BR-RBAC-003 | Every scoped action must check assigned school, supplier, operator, parent, or student scope. | Confirmed |
| BR-RBAC-004 | Cross-scope/account access must be denied by default. | Confirmed by technical team; Evidence Pending Attachment |
| BR-RBAC-005 | Frontend hidden controls must not be treated as authorization. | Confirmed |
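
One way to enforce these rules in a single server-side check, as an added example that is not the project's own code. The role names, action names, `Principal`, `Decision`, and `authorize` are hypothetical, and the example assumes each resource carries the set of (kind, id) scopes that own it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role -> permitted actions map (constructed sample data).
ROLE_PERMISSIONS = {
    "school_admin": {"student.read", "student.update"},
    "parent": {"student.read"},
    "supplier": {"order.read"},
}

# Scope kinds named in BR-RBAC-003.
SCOPE_KINDS = {"school", "supplier", "operator", "parent", "student"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    # Assigned scopes as (kind, id) pairs, e.g. ("school", "S1").
    scopes: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str  # rule ID that produced the denial, or "OK"


def authorize(principal: Optional[Principal], action: str,
              resource_scopes: set) -> Decision:
    """Runs on the server for every request, whatever the UI showed (BR-RBAC-005)."""
    # BR-RBAC-001: no authenticated principal, no access.
    if principal is None:
        return Decision(False, "BR-RBAC-001")
    # BR-RBAC-002: unknown roles and unlisted actions are denied.
    if action not in ROLE_PERMISSIONS.get(principal.role, set()):
        return Decision(False, "BR-RBAC-002")
    # BR-RBAC-003/004: the resource must carry a recognised scope that is
    # assigned to the principal; an empty or unrecognised scope set denies.
    valid = {s for s in resource_scopes if s[0] in SCOPE_KINDS}
    if not valid or not (valid & principal.scopes):
        return Decision(False, "BR-RBAC-004")
    return Decision(True, "OK")
```

Returning the rule ID with each denial lets audit logs show which check rejected a request.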