Aller au contenu principal

Client Management Enhancement - Post-RBAC Epic

Epic Goal​

Enhance the existing client management system to provide comprehensive client lifecycle management with improved document tracking, status workflows, and contact management capabilities that integrate with the newly implemented RBAC and authentication infrastructure.

Epic Description​

Current System Context (Post-RBAC Implementation):

  • Authentication: JWT-based authentication with role extraction implemented
  • Authorization: Role-based guards and security infrastructure in place
  • Core functionality: Basic CRUD operations for clients with automatic reference generation, contact management, and statistics
  • Technology stack: NestJS controllers/services, Prisma ORM, PostgreSQL database, Swagger with Bearer auth
  • Integration points: ApporteurAffaires, Sites, FacturePartenaires, Users, Contact entities
  • Security patterns: JwtAuthGuard, RolesGuard, role-based endpoint protection

Enhancement Details:

  • What's being added/changed: Role-aware client lifecycle management including secure document workflows, tenant-isolated status tracking, role-based bulk operations, and comprehensive audit trails
  • How it integrates: Extends existing ClientService with RBAC integration, adds secured endpoints to ClientController, implements tenant-aware database relationships
  • Security integration: All new endpoints protected with JwtAuthGuard and RolesGuard, role-based feature access, tenant isolation for client data
  • Success criteria: Full client management workflow operational with proper RBAC enforcement, existing functionality preserved, performance maintained, complete security compliance

Stories​

  1. Story 1: Secure Client Document Management System

    • Add role-based document upload/download capabilities to client records
    • Implement tenant-isolated document storage and access controls
    • Track document status with audit trail and role-based validation requirements
    • Integrate with existing client status workflow (EN_ATTENTE_DOCUMENTS) with proper authorization

  2. Story 2: RBAC-Enhanced Client Status Workflow

    • Implement role-based status transition validation and business rules
    • Add tenant-scoped status history tracking and comprehensive audit trail
    • Create automated status change notifications with role-based recipients
    • Ensure status changes respect user permissions and tenant boundaries

  3. Story 3: Secure Client Bulk Operations & Role-Based Dashboards

    • Add role-restricted bulk client operations (import, export, status updates)
    • Implement tenant-aware advanced search and filtering capabilities
    • Create role-based client dashboards with appropriate statistics and reporting
    • Ensure all operations respect user roles and tenant data isolation

Compatibility Requirements​

  • Existing APIs enhanced with RBAC but remain functionally unchanged
  • All client endpoints now secured with JWT authentication
  • Database schema changes are backward compatible (additive fields only, including tenant_id preparation)
  • UI changes follow existing Swagger documentation patterns with Bearer auth
  • Performance impact is minimal (optimized queries with existing includes plus role checks)
  • RBAC integration maintains existing API contracts while adding security layers

Risk Mitigation​

  • Primary Risk: Breaking existing client relationships with Sites, ApporteurAffaires, and FacturePartenaires during RBAC integration
  • Security Risk: Ensuring proper tenant isolation without data leakage between clients
  • Performance Risk: Role checks and tenant filtering impacting query performance
  • Mitigation: All new features are additive, existing service methods preserved, comprehensive relationship and security testing, extensive E2E test coverage
  • Rollback Plan: Database migrations are reversible, RBAC can be temporarily disabled via guards, new endpoints can be disabled via feature flags, existing functionality isolated

Definition of Done​

  • All stories completed with acceptance criteria met including RBAC integration
  • Existing client CRUD functionality verified through testing with security layers
  • Integration points with Sites, ApporteurAffaires working correctly with tenant isolation
  • Swagger documentation updated with Bearer authentication
  • No regression in existing client statistics and reference generation features
  • All endpoints properly secured with JwtAuthGuard and RolesGuard
  • Comprehensive E2E testing covering all role-based scenarios
  • Tenant isolation verified and tested for data security
  • Performance impact within acceptable bounds (< 10% degradation)

Story Manager Handoff​

"Please develop detailed user stories for this post-RBAC epic. Key considerations:

  • Security Foundation: This epic builds upon the completed RBAC implementation with JWT authentication and role-based guards
  • Technology Context: NestJS/Prisma/PostgreSQL with implemented JwtAuthGuard, RolesGuard, and role-based decorators
  • Integration points: Contact (1:1), ApporteurAffaire (1:N), Site (1:N), FacturePartenaire (1:N), User (1:N) - all now requiring RBAC compliance
  • Security patterns to follow: All endpoints must use JwtAuthGuard + RolesGuard, tenant-aware data access, role-based feature restrictions
  • Critical security requirements: Ensure proper tenant isolation, implement role-based data access, maintain audit trails for all operations
  • Each story must include:
    • RBAC implementation details (required roles, tenant context)
    • Security testing scenarios (unauthorized access attempts, cross-tenant data leakage prevention)
    • Verification that existing client functionality works with security layers

The epic should integrate seamlessly with the RBAC infrastructure while delivering comprehensive client lifecycle management with enterprise-grade security."