RBAC Permissions Matrix — Bioscience QMS Work Order System
Status: Accepted | Version: 2.0 | Date: 2026-02-13
Alignment: 21 CFR Part 11, HIPAA, SOC 2 CC6.1
1. Role Definitions
Operational Roles
| Role | Type | Description | Assignment |
|---|---|---|---|
| ORIGINATOR | Person | Program | Vendor | Creates the change request | Auto-assigned at WO creation |
| ASSIGNER | Person | Plans and schedules the work | System Owner or designated planner |
| ASSIGNEE | Person | Team | Executes the work | Assigned by ASSIGNER |
| SYSTEM_OWNER | Person | Accountable for the validated system | Per-asset/system configuration |
| QA | Person | Validates regulatory compliance | QA department roster |
| VENDOR | External entity | Executes specialized work (e.g., IQ/OQ) | Per-contract, per-WO |
Administrative Roles
| Role | Type | Description | Assignment |
|---|---|---|---|
| ADMIN | Person | System configuration, role management | IT/Platform team |
| AUDITOR | Person | Read-only access to all audit trails | Compliance/audit team |
2. Permission Matrix
Work Order Operations
| Operation | ORIGINATOR | ASSIGNER | ASSIGNEE | SYS_OWNER | QA | VENDOR | ADMIN | AUDITOR |
|---|---|---|---|---|---|---|---|---|
| Create WO (DRAFT) | ✅ | ✅ | ❌ | ✅ | ❌ | ❌¹ | ❌ | ❌ |
| Edit DRAFT fields | ✅² | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| View own WOs | ✅ | ✅ | ✅ | ✅ | ✅³ | ✅⁴ | ✅ | ✅ |
| View all WOs | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Transition DRAFT→PLANNED | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set assignee | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set job plan | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set schedule | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Transition PLANNED→SCHEDULED | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Acknowledge start | ❌ | ❌ | ✅ | ❌ | ❌ | ✅⁴ | ❌ | ❌ |
| Transition SCHEDULED→IN_PROGRESS | ❌ | ❌ | ✅ | ❌ | ❌ | ✅⁴ | ❌ | ❌ |
| Update execution details | ❌ | ❌ | ✅ | ❌ | ❌ | ✅⁵ | ❌ | ❌ |
| Record time entries | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Transition IN_PROGRESS→PENDING_REVIEW | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Approve (System Owner) | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Approve (QA — reg only) | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Reject | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Transition APPROVED→COMPLETED | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Cancel WO | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
¹ Vendors create WOs indirectly through Vendor Coordinator Agent. ² ORIGINATOR can only edit WOs they created, only in DRAFT status. ³ QA sees all regulatory-flagged WOs system-wide. ⁴ VENDOR restricted to WOs where they are assignee or linked vendor party. ⁵ VENDOR can update execution details and time entries but NOT job plan, approvals, or WO metadata.
Job Plan Operations
| Operation | ORIGINATOR | ASSIGNER | ASSIGNEE | SYS_OWNER | QA | VENDOR | ADMIN |
|---|---|---|---|---|---|---|---|
| Create Job Plan | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Edit Job Plan | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| View Job Plan | ✅ | ✅ | ✅ | ✅ | ✅ | ✅⁴ | ✅ |
| Link Job Plan to WO | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
Approval & Signature Operations
| Operation | ORIGINATOR | ASSIGNER | ASSIGNEE | SYS_OWNER | QA | VENDOR | ADMIN |
|---|---|---|---|---|---|---|---|
| Record approval | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Create e-signature | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| View audit trail | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| View full audit (all entities) | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ |
Registry Operations (Assets, Tools, Experience, Persons)
| Operation | ORIGINATOR | ASSIGNER | ASSIGNEE | SYS_OWNER | QA | VENDOR | ADMIN |
|---|---|---|---|---|---|---|---|
| View assets | ✅ | ✅ | ✅ | ✅ | ✅ | ✅⁴ | ✅ |
| Manage assets | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ |
| View tools | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Manage tools | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| View experience profiles | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Manage experience profiles | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Manage person records | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
3. Separation of Duties Rules
Hard Constraints (Part 11 §11.10(e))
| Rule | Description | Enforcement |
|---|---|---|
| SOD-001 | Assignee cannot approve their own WO | approval.approverId !== wo.assigneeId |
| SOD-002 | Originator cannot be sole approver | approval.approverId !== wo.originatorId OR second approver required |
| SOD-003 | QA approver cannot also be System Owner approver on same WO | Distinct persons for each approval role |
| SOD-004 | ADMIN cannot override approval decisions | ADMIN role excluded from approval operations |
| SOD-005 | Vendor cannot approve any WO | VENDOR role excluded from all approval operations |
Soft Constraints (Configurable per Tenant)
| Rule | Description | Default |
|---|---|---|
| SOD-006 | Assigner should not be Assignee | Warning, not blocked |
| SOD-007 | Require 2+ approvers for critical priority WOs | Enabled for priority ≤ 2 |
| SOD-008 | Vendor WOs require System Owner pre-review | Enabled |
4. Multi-Tenancy Isolation
Row-Level Security (RLS)
-- Every query filters by tenant_id
CREATE POLICY tenant_isolation ON work_orders
USING (tenant_id = current_setting('app.tenant_id')::uuid);
-- Role-based row visibility
CREATE POLICY originator_visibility ON work_orders
FOR SELECT
USING (
originator_id = current_setting('app.party_id')::text
OR assignee_id = current_setting('app.party_id')::text
OR current_setting('app.role') IN ('SYSTEM_OWNER', 'QA', 'ADMIN', 'AUDITOR')
);
Agent Identity
When CODITECT agents act on behalf of a user, the agent assumes the user's role and permissions. The agent cannot escalate privileges.
interface AgentExecutionContext {
agent_id: string; // CODITECT agent identifier
acting_as: string; // person_id of the human principal
role: Role; // Role inherited from human
tenant_id: string; // Tenant scope
// Audit trail captures both
audit_performed_by: string; // person_id (human principal)
audit_agent_ref: string; // agent_id (automation context)
}
5. Part 11 Compliance Mapping
| 21 CFR Part 11 Section | Requirement | RBAC Implementation |
|---|---|---|
| §11.10(d) | Limit system access to authorized individuals | Role-based access, RLS, tenant isolation |
| §11.10(e) | Authority checks — ensure signers have authority | Approval role validation, SOD rules |
| §11.10(g) | Authority checks on input/output | RBAC per operation, field-level editability per state |
| §11.10(k)(2) | Accountability — attribute actions to individuals | performed_by on every audit event, agent identity tracking |
| §11.50 | Signature manifestation — identity, date, meaning | ElectronicSignature model with signer, signedAt, meaning |
| §11.70 | Signature/record linkage | Approval.signatureId → ElectronicSignature.id |
| §11.100 | General requirements for e-signatures | authMethod, re-authentication before signing |
| §11.200 | E-signature components — at least two distinct IDs | authMethod supports password+userId, smartcard, SSO+reauth |
6. CODITECT Agent Role Mapping
| CODITECT Agent | Permitted RBAC Roles | Notes |
|---|---|---|
| WO Orchestrator Agent | ASSIGNER (when decomposing Master→Children) | Cannot approve or sign |
| Asset Management Agent | ASSIGNER (asset state updates) | Restricted to Asset operations |
| Scheduling Agent | ASSIGNER (schedule proposals) | Cannot set assignee without human confirmation |
| Experience Matching Agent | Read-only (experience, person profiles) | Proposes candidates, does not assign |
| QA Review Agent | Read-only (pre-check artifacts) | Cannot approve — triggers human checkpoint |
| Vendor Coordinator Agent | VENDOR (restricted scope) | Only WOs where vendor is assignee |
| Documentation Agent | ASSIGNER (document linking) | Cannot modify controlled documents directly |
Critical constraint: No agent operates with SYSTEM_OWNER or QA approval authority. All approval transitions require human e-signatures. This is non-negotiable for Part 11 compliance.
Copyright 2026 AZ1.AI Inc. All rights reserved. Developer: Hal Casteel, CEO/CTO Product: CODITECT-BIO-QMS | Part of the CODITECT Product Suite Classification: Internal - Confidential