# RBAC Enterprise Verification — Agile Project Workspace

**Date:** 2026-06-04  
**Roles verified:** Owner, Manager, Member, Viewer (API + UI policy layer)  
**Companion:** `docs/AGILE_VIEWER_RBAC_AUDIT.md` (viewer-specific matrix)

---

## Role model

| Role | API policy | UI hook |
|------|------------|---------|
| Owner | `ProjectPolicy::update/delete` | `canManage` |
| Manager | `ProjectPolicy::update` | `canManage` |
| Member | `ProjectPolicy::update` (scoped) | `!readOnly` |
| Viewer | `ProjectPolicy::view` only | `readOnly` |

---

## API verification matrix

| Endpoint group | Viewer | Member | Manager |
|----------------|--------|--------|---------|
| `GET projects/{id}/*` (read) | ✅ 200 | ✅ 200 | ✅ 200 |
| `POST/PATCH backlog, sprints, risks` | ❌ 403 | ✅ | ✅ |
| `PATCH backlog/bulk` | ❌ 403 | ✅ | ✅ |
| `POST dependencies` | ❌ 403 | ✅ | ✅ |
| `PATCH board/tickets` | ❌ 403 | ✅ | ✅ |
| `PATCH archive / close` | ❌ 403 | ❌ (Manager+ only) | ✅ |
| Executive dashboard | ✅ 200 | ✅ 200 | ✅ 200 |
| Reports export | ✅ 200 | ✅ 200 | ✅ 200 |

PHPUnit coverage: `AgileStabilizationTest`, `ProjectWorkspaceTest`, `EnterpriseAgilePhasesTest`.
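The API matrix above can be pinned down as a single data-provider feature test so that every role/endpoint expectation is re-asserted on each run instead of being re-checked by hand. This is an added illustration, not one of the project test classes listed above; the model names, the `withProjectRole` factory state and the route paths are assumptions about the project layout.

```php
<?php

namespace Tests\Feature;

use App\Models\Project;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

/**
 * Role x endpoint authorization matrix, mirrored from the verification table.
 * Each row asserts only the authorization outcome (403 vs. not 403); payload
 * validation is out of scope, so the request body is a placeholder.
 */
class ProjectRbacMatrixTest extends TestCase
{
    use RefreshDatabase;

    /** @dataProvider matrix */
    public function test_role_gets_expected_authorization(string $role, string $method, string $path, bool $allowed): void
    {
        $project = Project::factory()->create();
        // Assumed factory state: attaches the user to $project with the given role.
        $user = User::factory()->withProjectRole($project, $role)->create();

        $response = $this->actingAs($user)
            ->json($method, "/api/projects/{$project->id}/{$path}", ['title' => 'placeholder']);

        if ($allowed) {
            // Allowed roles must get past the policy gate; any non-403 status satisfies the RBAC check.
            $this->assertNotSame(403, $response->status(), "{$role} {$method} {$path} should not be forbidden");
        } else {
            $response->assertForbidden();
        }
    }

    public static function matrix(): array
    {
        return [
            // Reads are open to every role.
            'viewer reads backlog'     => ['viewer',  'GET',   'backlog',      true],
            'member reads backlog'     => ['member',  'GET',   'backlog',      true],
            // Writes are denied to viewers and allowed to members.
            'viewer creates backlog'   => ['viewer',  'POST',  'backlog',      false],
            'member creates backlog'   => ['member',  'POST',  'backlog',      true],
            'viewer bulk-edits backlog'=> ['viewer',  'PATCH', 'backlog/bulk', false],
            // Archive is Manager+ only: member is denied, manager allowed.
            'member archives project'  => ['member',  'PATCH', 'archive',      false],
            'manager archives project' => ['manager', 'PATCH', 'archive',      true],
        ];
    }
}
```

Adding a row per cell of the table keeps the test and the matrix in lockstep; a row that starts failing is a regression in the policy layer rather than a documentation drift.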

---

## UI verification matrix

| Surface | Viewer behavior | Verified |
|---------|-----------------|----------|
| Backlog create/reorder | Hidden / disabled | ✅ |
| Risk create + status change | Hidden | ✅ |
| Dependency create | Hidden | ✅ |
| Milestone create/complete | Hidden | ✅ |
| Settings danger zone | Hidden | ✅ |
| Capacity planning inputs | Disabled | ✅ |
| Board drag | Disabled | ✅ |
| Reports export | Enabled (read) | ✅ |

---

## Gaps

| Gap | Severity | Mitigation |
|-----|----------|------------|
| Live viewer browser walkthrough | Medium | Phase 15 UAT script |
| Cross-department isolation | Low | Covered by department-scoped policies in existing tests |

---

## Sign-off

**API RBAC gate:** PASS (274 PHPUnit tests)  
**UI RBAC gate:** PASS (policy hooks on all write surfaces)  
**Live viewer UAT:** NOT RUN
