284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
25 lines
1.8 KiB
Markdown
25 lines
1.8 KiB
Markdown
# PRD — Timesheet Self-Approval Defaults
|
|
|
|
## Problem
|
|
Alga PSA serves small MSP owners and operators who often enter and approve their own time. Current timesheet approval paths block self-approval unconditionally, even when no premium ABAC policy has been configured. This makes the default product behavior too restrictive.
|
|
|
|
## Goal
|
|
Allow any user with the standard `timesheet:approve` permission to approve their own submitted time by default. Preserve the existing premium ABAC `not_self_approver` constraint so tenants that explicitly configure separation-of-duties policies can still block self-approval.
|
|
|
|
## Non-goals
|
|
- Do not change billing/quote self-approval behavior.
|
|
- Do not broaden approval of other users' time beyond existing RBAC/read_all/manager rules.
|
|
- Do not add new UI or settings.
|
|
|
|
## Requirements
|
|
1. Server-action timesheet approval allows self-approval when the actor has `timesheet:approve` and no assigned active ABAC bundle rule blocks it.
|
|
2. Workflow time approval allows self-approval under the same default rule while retaining an independent shared-code check for configured `not_self_approver` bundle rules.
|
|
3. Active, published, assigned authorization bundles with `resourceType=time_entry`, `action=approve`, and `constraintKey=not_self_approver` still deny self-approval.
|
|
4. The authorization bundle simulator reflects the same policy: no built-in timesheet self-approval denial, with denial coming from configured bundle constraints only.
|
|
5. Approval of another user's time remains governed by the existing `timesheet:approve` plus `timesheet:read_all` or manager relationship rules.
|
|
|
|
## Acceptance Criteria
|
|
- A user with `timesheet:approve` can approve their own timesheet by default.
|
|
- A configured `not_self_approver` ABAC bundle denies the same self-approval attempt.
|
|
- Existing non-self approval authorization behavior is unchanged.
|