RBAC Model: Work Order QMS
Document Type: Security & Access Control Specification
Version: 1.0 | Date: 2026-02-13
Compliance: FDA 21 CFR Part 11 §11.10(d), HIPAA, SOC 2 CC6.1
1. Role Definitions
1.1 Human Roles
| Role | Scope | Assignment | Typical Persona |
|---|---|---|---|
ORIGINATOR | Per-WO | Automatic (creator) | Lab tech, program, vendor system |
ASSIGNER | Per-WO | Designated planner or System Owner | Department lead, project manager |
ASSIGNEE | Per-WO | Person or team executing | IT technician, lab engineer, vendor |
SYSTEM_OWNER | Per-system/asset | Tenant configuration | Quality manager, department head |
QA | Per-tenant | Tenant configuration | QA specialist, compliance officer |
VENDOR | Per-WO + per-vendor | Contract-based | External vendor representative |
ADMIN | Per-tenant | Superuser designation | IT administrator, platform admin |
AUDITOR | Per-tenant | Read-only compliance | External auditor, FDA inspector |
1.2 Agent Roles (CODITECT-Specific)
| Agent Role | Maps to Human Role(s) | Autonomy Level | Human Checkpoint Required |
|---|---|---|---|
AGENT_ORCHESTRATOR | ASSIGNER (delegated) | High | Architecture decisions only |
AGENT_ASSET_MGMT | ASSIGNEE (delegated) | Medium | Status changes to production systems |
AGENT_SCHEDULER | ASSIGNER (delegated) | Medium | Resource conflicts |
AGENT_VENDOR_COORD | ASSIGNER (delegated) | Low | All vendor interactions |
AGENT_DOCUMENTATION | ASSIGNEE (delegated) | Medium | Controlled document updates |
AGENT_QA_ASSIST | None (advisory only) | Low | All QA decisions require human |
Critical rule: Agents NEVER hold SYSTEM_OWNER, QA, or ADMIN roles. These require human identity and e-signature.
2. Permission Matrix
2.1 Work Order Operations
| Operation | ORIGINATOR | ASSIGNER | ASSIGNEE | SYSTEM_OWNER | QA | VENDOR | ADMIN | AUDITOR |
|---|---|---|---|---|---|---|---|---|
| Create WO (DRAFT) | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| Edit DRAFT fields | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Transition DRAFT→PLANNED | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set assignee | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set job plan | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set schedule | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Transition PLANNED→SCHEDULED | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Acknowledge start (→IN_PROGRESS) | ❌ | ❌ | ✅ | ❌ | ❌ | ✅* | ❌ | ❌ |
| Update execution details | ❌ | ❌ | ✅ | ❌ | ❌ | ✅* | ❌ | ❌ |
| Log time entries | ❌ | ❌ | ✅ | ❌ | ❌ | ✅* | ❌ | ❌ |
| Request review (→PENDING_REVIEW) | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Approve (→APPROVED) | ❌ | ❌ | ❌ | ✅ | ✅** | ❌ | ❌ | ❌ |
| Reject (→REJECTED) | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Complete (→COMPLETED) | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Cancel (→CANCELLED) | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
| View own WOs | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View all WOs (tenant) | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| View audit trail | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Export audit data | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
* VENDOR: Only on WOs where they are the assigned vendor
** QA: Required for regulatory-flagged WOs; optional for non-regulatory
2.2 Separation of Duties
| Constraint | Rule | Part 11 Reference |
|---|---|---|
| Self-approval prohibition | ASSIGNEE cannot be APPROVER on same WO | §11.10(g) |
| Dual approval for regulatory | Both SYSTEM_OWNER and QA must approve | §11.10(c) |
| Admin cannot override approvals | ADMIN can cancel but not approve/reject | §11.10(d) |
| Vendor boundary | VENDOR sees only their assigned WOs | Least privilege |
| Auditor read-only | AUDITOR cannot modify any records | §11.10(e) |
2.3 Agent Permission Constraints
| Constraint | Enforcement |
|---|---|
| Agents operate under delegated human authority | Every agent action logged with both agent_id AND delegating_human_id |
| Agents cannot approve or reject | Hard-coded exclusion from APPROVED/REJECTED transitions |
| Agents cannot cancel WOs | Requires human e-signature |
| Agent actions are attributable | Audit trail includes agent identity + human delegation chain |
| Agent budget limits | Token budget controller prevents runaway agent actions |
3. Multi-Tenancy Isolation
3.1 Row-Level Security
-- Every table includes tenant_id
-- RLS policy ensures complete tenant isolation
CREATE POLICY tenant_isolation ON work_orders
USING (tenant_id = current_setting('app.current_tenant')::uuid);
-- Applied to ALL tables: work_orders, approvals, audit_trail,
-- job_plans, schedules, assets, persons, etc.
3.2 Cross-Tenant Rules
| Rule | Enforcement |
|---|---|
| No cross-tenant data access | RLS at database level |
| No cross-tenant role assignment | tenant_id on role_assignments table |
| Audit trails are tenant-scoped | RLS + separate partition per tenant |
| ADMIN role is tenant-scoped | Cannot affect other tenants |
4. Implementation: Permission Check Function
type Permission =
| 'wo:create' | 'wo:edit_draft' | 'wo:assign' | 'wo:set_job_plan'
| 'wo:set_schedule' | 'wo:acknowledge_start' | 'wo:update_execution'
| 'wo:log_time' | 'wo:request_review' | 'wo:approve' | 'wo:reject'
| 'wo:complete' | 'wo:cancel' | 'wo:view_own' | 'wo:view_all'
| 'audit:view' | 'audit:export';
type Role =
| 'ORIGINATOR' | 'ASSIGNER' | 'ASSIGNEE' | 'SYSTEM_OWNER'
| 'QA' | 'VENDOR' | 'ADMIN' | 'AUDITOR'
| 'AGENT_ORCHESTRATOR' | 'AGENT_ASSET_MGMT' | 'AGENT_SCHEDULER'
| 'AGENT_VENDOR_COORD' | 'AGENT_DOCUMENTATION' | 'AGENT_QA_ASSIST';
const ROLE_PERMISSIONS: Record<Role, Permission[]> = {
ORIGINATOR: ['wo:create', 'wo:edit_draft', 'wo:view_own'],
ASSIGNER: ['wo:create', 'wo:edit_draft', 'wo:assign', 'wo:set_job_plan',
'wo:set_schedule', 'wo:request_review', 'wo:view_own'],
ASSIGNEE: ['wo:acknowledge_start', 'wo:update_execution', 'wo:log_time',
'wo:request_review', 'wo:view_own'],
SYSTEM_OWNER: ['wo:create', 'wo:edit_draft', 'wo:assign', 'wo:set_job_plan',
'wo:set_schedule', 'wo:request_review', 'wo:approve', 'wo:reject',
'wo:complete', 'wo:cancel', 'wo:view_all', 'audit:view'],
QA: ['wo:approve', 'wo:reject', 'wo:cancel', 'wo:view_all',
'audit:view', 'audit:export'],
VENDOR: ['wo:acknowledge_start', 'wo:update_execution', 'wo:log_time', 'wo:view_own'],
ADMIN: ['wo:create', 'wo:cancel', 'wo:view_all', 'audit:view', 'audit:export'],
AUDITOR: ['wo:view_all', 'audit:view', 'audit:export'],
// Agents: subset of their mapped human role
AGENT_ORCHESTRATOR: ['wo:create', 'wo:edit_draft', 'wo:assign', 'wo:set_job_plan',
'wo:set_schedule', 'wo:view_own'],
AGENT_ASSET_MGMT: ['wo:update_execution', 'wo:view_own'],
AGENT_SCHEDULER: ['wo:set_schedule', 'wo:view_own'],
AGENT_VENDOR_COORD: ['wo:view_own'],
AGENT_DOCUMENTATION: ['wo:update_execution', 'wo:view_own'],
AGENT_QA_ASSIST: ['wo:view_own'], // Advisory only, no write
};
function checkPermission(
actor: { id: string; roles: Role[]; tenant_id: string },
permission: Permission,
workOrder?: { id: string; originator_id: string; assignee_id: string; vendor_id?: string }
): boolean {
// 1. Check if any role grants the permission
const hasPermission = actor.roles.some(role =>
ROLE_PERMISSIONS[role]?.includes(permission)
);
if (!hasPermission) return false;
// 2. Scope checks for VENDOR and ASSIGNEE
if (actor.roles.includes('VENDOR') && workOrder) {
if (workOrder.vendor_id !== actor.id) return false;
}
// 3. Separation of duties
if (permission === 'wo:approve' && workOrder) {
if (workOrder.assignee_id === actor.id) return false; // Cannot self-approve
}
return true;
}
This RBAC model enforces least-privilege access aligned with FDA 21 CFR Part 11 §11.10(d) requirements for authority checks, and SOC 2 CC6.1 logical access security. Agent roles are explicitly constrained to prevent autonomous compliance decisions.