B2BEA.org V1 Permission + Lifecycle Matrix
internal prototype · canonical JSON + Dreamborn Forge HTML
internal generated
permission-lifecycle-matrix · supabase_json

B2BEA.org V1 Permission + Lifecycle Matrix

permission-lifecycle-matrix artifact · for B2BEA.org Rebuild · status approved

Planning Surface

Use this to decide what happens next.

Status

approved

Agent Handoff
Start Here

permission-lifecycle-matrix artifact · for B2BEA.org Rebuild · status approved

Completion Evidence

No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.

Artifact Shape
  • roles: 10 items
  • title: B2BEA.org V1 Permission + Lifecycle Matrix
  • version: 1
  • decisions: 6 items
  • principle: Keep internal B2BEA admin simple; enforce external self-service, entitlements, ownership, lifecycle, and public visibility rules rigorously.
  • project id: a820dd0c-6cef-4133-bfbd-d802fd806e44
  • updated at: 2026-05-06T20:00:08.982Z
  • admin model: not_v1: object, v1_rule: string, core_admins: object, required_controls: object
  • artifact type: permission-lifecycle-matrix
  • next artifacts: 5 items
  • lifecycle matrix: 19 items
  • source artifacts: 2 items
Structured Payload

Machine-readable source fields

roles
roledescriptionaccess boundary
anonymousUnauthenticated public visitor.Public content, ungated forms, public surveys, vendor/person/job/event pages, signup/login.
memberAuthenticated individual with a profile.Own profile, own learning, own survey responses, member resources according to entitlements.
pro_memberMember with paid/pro entitlement.Pro gated resources, eligible academy/content/event benefits.
vendor_adminVendor user who manages a vendor account.Own vendor profile submissions, vendor team, content submissions, leads/analytics/billing when enabled.
vendor_memberVendor team member with limited vendor workspace access.Vendor workspace sections assigned by vendor admin.
company_adminPractitioner company user who manages company access.Own company employees, seats, academy/careers access, company entitlements, team reporting.
company_employeeEmployee under a practitioner company account.Assigned academy/career/resources benefits, own profile and progress.
authorContent contributor.Own drafts/submissions where enabled; public publishing controlled by B2BEA admin/editorial workflow.
b2bea_adminTrusted B2BEA core admin team.Full internal operations for V1; simple team trust model with audit for material changes.
systemAutomations, scheduled jobs, integrations.Narrow service actions for notifications, analytics, imports, syncs, and lifecycle events.
title

B2BEA.org V1 Permission + Lifecycle Matrix

version

1

decisions
idtopicdecisionrationale
DEC-001Public practitioner company profilesExclude from V1. Vendor public profiles are V1; practitioner company accounts are private workspace only.Practitioner company value in V1 is operational access for seats, academy, careers, entitlements, and team reporting. Public company pages would add a new public directory/moderation surface without being required for V1.
DEC-002Company-created jobsRequire B2BEA admin review before public publishing in V1.
DEC-003Sanity versus Supabase source of truthSanity owns editorial/public content. B2BEA Supabase owns application and operational data, including people, company, vendor, membership, course, survey, job, event, analytics, and notification records.
DEC-004NotificationsV1 is email-first with an internal notification event log. In-app notifications are designed for later unless a surface explicitly needs them.
DEC-005CRM source of truthHubSpot is the primary CRM for leads, pipeline, sales activity, and renewals. B2BEA Supabase owns website profiles and operational entities.
DEC-006Vendor and company analytics exportsV1 allows bounded own-account exports only. No raw platform-wide data, cross-account comparisons, or sensitive user-level data unless explicitly consented and permitted.
principle

Keep internal B2BEA admin simple; enforce external self-service, entitlements, ownership, lifecycle, and public visibility rules rigorously.

project id

a820dd0c-6cef-4133-bfbd-d802fd806e44

updated at

2026-05-06T20:00:08.982Z

admin model
not v1
  • granular internal admin privilege tiers
  • multi-step internal approval chains for the core team
v1 rule

All three can make core site/admin changes. Avoid complex internal admin tiers for V1.

core admins
  • Brett
  • Sarah
  • Justin
required controls
  • preview
  • status
  • publish/archive
  • rollback where feasible
  • audit events for public/material changes
  • required fields and validation
artifact type

permission-lifecycle-matrix

next artifacts
  • design-system-spec
  • publishing-model-spec
  • data-model-spec
  • surface-specs
  • security-privacy-spec
lifecycle matrix
ownerentitystatesapproval rulesource of truthpublic visibility
b2bea_adminSanity standard page- draft - preview - scheduled - published - archivedCore admin can publish directly; audit material public changes.Sanitypublished only
b2bea_adminCustom HTML landing/resource page- draft - preview - published - archived - rolled_backCore admin can publish directly; rollback/archive required.code/import registrypublished only
b2bea_admin or author/vendor by submissionArticle/resource/guide/report- draft - submitted - in_review - approved - scheduled - published - rejected - archivedVendor/author submissions require B2BEA review.Sanity plus Supabase tracking as neededpublished only
vendor_admin plus b2bea_adminVendor profile- unclaimed - claimed - update_submitted - in_review - approved - published - rejected - archivedVendor changes submit for admin approval before public projection changes.Supabaseapproved/published fields only
memberMember profile- incomplete - active - public_profile_enabled - hidden - suspendedMember edits own profile; public display rules validated by system.Supabasepublic projection only when enabled/eligible
company_admin plus b2bea_adminCompany workspace/account- prospect - active - suspended - expired - archivedCompany admin manages own workspace within entitlement limits; no public profile publishing in V1.SupabasePrivate workspace only in V1. No public practitioner company profiles.
company_adminCompany employee seat- invited - active - removed - expiredCompany admin manages seats within purchased/assigned entitlement.Supabaseprivate
b2bea_adminCourse- draft - preview - published - retired - archivedCore admin can publish directly.Supabase/Sanity decision neededcatalog visibility by status and entitlement
member/company_admin/b2bea_adminEnrollment/course assignment- assigned - enrolled - in_progress - completed - expired - revokedAssignment must pass entitlement checks.Supabaseprivate to learner/company/admin
member plus b2bea_adminCertificate- eligible - issued - revoked - expiredSystem/admin issues only when completion criteria pass.Supabaseprivate unless member shares/public enabled
b2bea_adminSurvey- draft - preview - published - closed - archivedCore admin can publish; audience and result visibility required.Supabasepublished surveys according to audience
respondentSurvey response- started - submitted - invalidated - deletedRespondent can submit; admin can analyze/export according to privacy rules.Supabaseprivate/aggregated unless explicit results display
b2bea_adminForm- draft - preview - published - closed - archivedCore admin can publish directly.Supabase or Sanity decision neededpublished only
submitter plus b2bea_adminForm submission- submitted - triaged - assigned - in_progress - resolved - spam - archivedAdmin reviews and assigns.Supabaseprivate
b2bea_admin or company_adminJob posting- draft - submitted - in_review - published - closed - rejected - archivedCompany-created jobs require B2BEA admin review before public publishing in V1.Supabasepublished only
b2bea_adminEvent- draft - preview - published - registration_open - sold_out - completed - archivedCore admin can publish directly.Supabase/Sanity decision neededpublished and registration states
vendor_admin plus b2bea_adminVendor sponsorship- draft - submitted - in_review - approved - active - fulfilled - rejected - archivedVendor submissions require B2BEA approval.Supabaseactive/approved sponsor assets only
systemNotification- queued - sent - delivered - failed - suppressedTriggered by lifecycle events and user preferences.Supabase plus provider logsprivate to recipient/admin logs
b2bea_adminLead/opportunity- new - assigned - contacted - qualified - converted - lost - archivedInternal sales/admin workflow in HubSpot; B2BEA.org routes qualified intake to CRM.HubSpot primary CRM; B2BEA Supabase stores site intake/submission references as neededprivate admin only
source artifacts
versionartifact idartifact type
3c889a1fe-c3ce-4b0d-873c-af4e0ec8dfe4capability-map
180328220-3deb-4cf9-a68f-d440b41a38daproduction-readiness-gap-register
enforcement rules
  • Public read paths can be static/client-rendered when data is already public.
  • Any mutation by members, vendors, companies, or anonymous users needs server-side validation and ownership checks.
  • Entitlement decisions should not rely only on client-side checks.
  • Vendor/company/member data updates must validate ownership before write.
  • Public projection changes should be auditable even when the core admin team can publish directly.
  • Billing, membership, course access, survey assignment, and company seats require explicit entitlement checks.
  • Export actions require role checks and audit events because they can expose sensitive data.
permission matrix
areamemberanonymouspro memberb2bea adminvendor admin
Public pages and directoriesreadreadreadcreate/update/publish/archiveread
Custom HTML landing/resource pagesread by gateread when publishedread by gateimport/preview/publish/archive/rollbacknone unless sponsor workflow
Sanity standard pagesread by gateread when publishedread by gatecreate/update/preview/schedule/publish/archivesubmit where enabled
Member profileread/update ownread public projection onlyread/update ownread/update/supportread own person only
Vendor profileread publishedread publishedread publishedcreate/update/approve/publish/archivesubmit updates for own vendor
Vendor content submissionsnonenonenonereview/approve/reject/publish/archivecreate/update own submissions
Company workspacenone unless employeenonenone unless employeecreate/update/support/auditnone
Academy coursesenroll/take if entitledbrowse public catalogenroll/take if entitledcreate/update/enroll/managemanage vendor-submitted courses when enabled
Surveystake assigned/member surveystake public surveystake assigned/member surveyscreate/publish/analyze/exportview vendor-owned results if enabled
Jobs and careersapply/manage own activityread published jobs/apply where publicapply/manage own activitycreate/review/publish/archivenone unless sponsor/employer flow
Events and sponsorshipregister/manage own registrationsread/register public eventsregister/manage eligible benefitscreate/manage/publish/exportsponsor/manage own sponsorship assets
Billing and membershipsmanage own membership where enabledstart checkout/applicationmanage own membershipsupport/manage/administermanage own vendor billing
Analytics and reportingown history onlynoneown history onlyplatform analytics/exportown vendor analytics/leads
unresolved decisions

No items captured.