Access Control Policy

1. Purpose

This Access Control Policy defines how cleanScheduler grants, modifies, reviews, and revokes access to application features and production systems.

2. Authentication

All users authenticate through Supabase Auth:

• Email and password with optional Google OAuth.
• TOTP multi-factor authentication (MFA) required for tenant owner and admin roles before sensitive financial operations (Plaid bank connection).
• Platform administrators must enroll MFA for admin portal and infrastructure dashboard access.
• Sessions are cookie-bound JWT tokens refreshed by middleware; expired sessions redirect to sign-in.

3. Authorization model

Authorization combines Postgres row-level security (workspace isolation), JWT application roles, and server-side role checks.

• Tenant roles (owner, admin, employee, viewer) control in-workspace permissions.
• Platform roles (super_admin, admin, customer) control portal access.
• Feature entitlements (plan tier) gate premium capabilities such as Plaid reconciliation and API access.
• Machine access uses hashed API keys (tenant REST API) or Bearer CRON_SECRET (scheduled jobs).

4. Access provisioning

Access is granted through defined workflows:

• Tenant owners/admins invite employees via email; invite acceptance creates membership.
• Platform admin roles are assigned manually in Supabase Auth app_metadata by policy owner.
• Tenant API keys are created by owner/admin in workspace integrations settings; plain key shown once.
• Principle of least privilege: assign the minimum role required for job function.

5. Access modification and deprovisioning

Access is revoked or modified promptly when roles change or employment ends:

• Tenant members: owner/admin deactivates membership; sessions are invalidated globally; portal access blocked immediately.
• Role changes update membership, JWT claims, and are logged to the platform audit log.
• Workforce (company personnel): follow docs/security/workforce-access-runbook.md within 24 hours of departure.
• API keys: revoke in integrations settings when personnel with access leave; rotate if compromise suspected.

6. Privileged access

Privileged access includes platform administrator accounts, Supabase service role keys, Vercel/Stripe/Plaid dashboard access, and support masquerade sessions.

• Masquerade requires platform admin role, creates masquerade_sessions record, and logs start/end to audit_log_entries.
• Masquerade sessions expire after 60 minutes.
• Service role keys are used only in trusted server paths after application-level authorization checks.

7. Access reviews

Quarterly access reviews verify platform admin roster, open masquerade sessions, production dashboard access, and tenant API key inventory. Procedure: docs/security/access-review-runbook.md.