Requirements

Functional Requirements

FR1: The system shall implement role-based authentication supporting EMTB Staff roles (Admin, Account Manager, Tax Specialist) and Client roles with appropriate access levels to existing tax claim functionality.

FR2: The system shall enforce tenant-based data isolation ensuring clients can only access their own sites, tax claims, documents, and related data with no cross-client data visibility.

FR3: The system shall build upon existing custom JWT authentication (Passport + JWT) while adding NestJS authorization middleware to control access to API endpoints based on user roles and tenant ownership.

FR4: The system shall provide EMTB Admin users with full system access including user management, all client data visibility, and system configuration capabilities.

FR5: The system shall restrict EMTB Account Managers to view and manage only clients assigned to them, with read/write access to those clients' tax claims, sites, and documents.

FR6: The system shall allow EMTB Tax Specialists to access client data as assigned by Account Managers, with read/write access to tax claim processing but limited client management capabilities.

FR7: The system shall ensure Client users can only view and interact with their own company's data including their tax claims, sites, documents, and invoices.

FR8: The system shall maintain all existing tax claim workflow functionality (client management, site management, document upload, invoicing) while adding role-based restrictions to each operation.

FR9: The system shall implement database-level tenant isolation using existing foreign key relationships (clientId) across all relevant tables, with User entity enhanced to support multi-client access via clientAccess array.

FR10: The system shall provide role-based UI rendering showing/hiding interface elements based on user permissions without exposing unauthorized functionality.
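
An added TypeScript example, not the project's code, of the access decision that FR2 through FR9 describe: a deny-by-default check against the user's clientAccess array, one audit record per decision (NFR6), and tenant scoping of list results. Role, action and function names are assumptions, as is the reading of FR6 and FR7 that tax specialists and clients cannot perform client management.

```typescript
// Added example. Role, action and function names are assumptions,
// not taken from the project's code base.
type Role = "ADMIN" | "ACCOUNT_MANAGER" | "TAX_SPECIALIST" | "CLIENT";
type Action = "read" | "write" | "manage_client";

interface User { id: string; role: Role; clientAccess: string[] } // FR9: clientAccess array
interface Decision { allowed: boolean; reason: string }
interface AuditEntry extends Decision { userId: string; action: Action; clientId: string }

// NFR6: every decision is recorded, allow and deny alike.
// In-memory stand-in for a real audit sink.
const auditLog: AuditEntry[] = [];

function decide(user: User, action: Action, clientId: string): Decision {
  if (user.role === "ADMIN") return { allowed: true, reason: "admin has full access (FR4)" };
  // Tenant check comes before any role check for non-admin users (FR2).
  if (user.clientAccess.indexOf(clientId) === -1) {
    return { allowed: false, reason: "clientId not in clientAccess" };
  }
  if (user.role === "ACCOUNT_MANAGER") return { allowed: true, reason: "assigned client (FR5)" };
  if (user.role === "TAX_SPECIALIST" || user.role === "CLIENT") {
    // Assumed reading of FR6/FR7: read/write on their clients' data, no client management.
    return action === "manage_client"
      ? { allowed: false, reason: "role cannot manage clients" }
      : { allowed: true, reason: "own or assigned client data" };
  }
  // A role value this code does not know (e.g. from a stale token) is denied.
  return { allowed: false, reason: "unknown role" };
}

function canAccess(user: User, action: Action, clientId: string): boolean {
  const decision = decide(user, action, clientId);
  auditLog.push({ userId: user.id, action, clientId, ...decision });
  return decision.allowed;
}

// List endpoints must be scoped too: filter by clientId instead of trusting the caller.
function scopeToTenant<T extends { clientId: string }>(user: User, rows: T[]): T[] {
  if (user.role === "ADMIN") return rows;
  return rows.filter((row) => user.clientAccess.indexOf(row.clientId) !== -1);
}

// Constructed sample data.
const manager: User = { id: "u1", role: "ACCOUNT_MANAGER", clientAccess: ["c1", "c2"] };
const client: User = { id: "u2", role: "CLIENT", clientAccess: ["c3"] };
const claims = [{ id: 1, clientId: "c1" }, { id: 2, clientId: "c3" }];
```

In a NestJS application this decision would sit behind a guard that runs after the existing JWT authentication; the guard wiring is omitted here so the block runs without the framework.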

Non-Functional Requirements

NFR1: Role-based authorization checks must add less than 50ms to existing API response times to maintain current performance characteristics.

NFR2: Data isolation implementation must prevent any possibility of cross-tenant data leakage with 100% reliability across all API endpoints.

NFR3: The enhanced authentication system must support the existing user load (100+ concurrent users) without degradation in system performance.

NFR4: Role and permission changes must take effect immediately without requiring user re-authentication or system restart.

NFR5: The system must maintain 99.5% uptime during RBAC implementation with no data loss during the enhancement deployment.

NFR6: All role-based access control decisions must be logged for audit compliance with French data protection regulations.

NFR7: The authentication enhancement must be completed without breaking existing custom JWT authentication or requiring users to re-register accounts.

Compatibility Requirements

CR1: All existing API endpoints must maintain backward compatibility while adding role-based authorization layers without changing request/response formats.

CR2: Current database schema must be enhanced with tenant isolation fields without requiring data migration or breaking existing data relationships.

CR3: Existing Next.js frontend components must continue to function while adding role-based UI rendering and navigation restrictions.

CR4: Current custom JWT authentication flow must remain unchanged while extending with NestJS-based authorization for seamless user experience.