# Permission Blueprint

This blueprint is a recommendation for separating authorization by the risk level of the admin routes in routes/admin.php.

## Goals

- Minimize single points of failure on critical actions
- Separate the review function from the execution function
- Make auditing admin role access easier
## Baseline roles (recommended)

| Role | Work focus | Default scope |
|---|---|---|
| super-admin | platform-wide configuration | all routes, including emergency |
| compliance-admin | KYC, regulator, risk, whitelist maintenance | user KYC + bappebti/report + limited maintenance read/write |
| wallet-ops-l1 | initial verification of wallet transactions | approve1/initial reject, monitoring |
| wallet-ops-l2 | final approval of wallet transactions | approve2 + final reject |
| finance-admin | financial and tax reporting | read finance/report + export/report actions |
| content-admin | news/banner/market content | limited settings content CRUD |
| support-admin | non-critical user support | read user detail + non-destructive actions |
| auditor-readonly | internal audit | read-only on all reports/logs |
## Core segregation-of-duties rules

- Dual control:
  - Stage 1 and stage 2 approval routes must be split across roles (`wallet-ops-l1` vs `wallet-ops-l2`)
- No self-approval:
  - The user who submits an action must not approve/reject the same record
- Least privilege:
  - Support/content roles must not access delete/suspend/maintenance routes
- Emergency override:
  - Only `super-admin` for routes that change system availability
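The dual-control, no-self-approval and least-privilege rules above, as an added stand-alone check (example code, not part of the original blueprint or the project). It enforces that stage 2 of a wallet approval is performed by a different admin than stage 1, that the submitter never approves their own record, and that each stage is reserved for its role (with `super-admin` as the emergency override). The record/admin array layout, the function name and the sample data are assumptions for this example.

```php
<?php
// Added example, not from the original blueprint: a stand-alone check that
// enforces the dual-control and no-self-approval rules for the two-stage
// wallet approval (approve1 by wallet-ops-l1, approve2 by wallet-ops-l2).
// The record/admin array layout and the function name are assumptions.
declare(strict_types=1);

const STAGE_ROLE = [
    1 => 'wallet-ops-l1', // approve1 / initial reject
    2 => 'wallet-ops-l2', // approve2 / final reject
];

/**
 * Returns null when $admin may perform approval stage $stage on $record,
 * otherwise the name of the violated rule.
 *
 * $record: ['id' => string, 'submitted_by' => string, 'approve1_by' => ?string]
 * $admin:  ['id' => string, 'roles' => string[]]
 */
function approvalViolation(array $record, array $admin, int $stage): ?string
{
    if (!array_key_exists($stage, STAGE_ROLE)) {
        return 'unknown-stage';
    }
    // Least privilege: each stage belongs to one role; super-admin is the
    // emergency override and may act at either stage.
    $roles = $admin['roles'];
    if (!in_array(STAGE_ROLE[$stage], $roles, true) && !in_array('super-admin', $roles, true)) {
        return 'role-not-allowed-for-stage';
    }
    // No self-approval: the submitter never approves or rejects their own record.
    if ($record['submitted_by'] === $admin['id']) {
        return 'self-approval';
    }
    // Dual control: stage 2 needs a completed stage 1 by a *different* admin,
    // even if one account has somehow been given both roles.
    if ($stage === 2) {
        if (empty($record['approve1_by'])) {
            return 'stage1-missing';
        }
        if ($record['approve1_by'] === $admin['id']) {
            return 'same-admin-both-stages';
        }
    }
    return null;
}

// Constructed sample data for a stand-alone run (`php dual_control.php`).
$withdrawal = ['id' => 'wd-1001', 'submitted_by' => 'adm-support-7', 'approve1_by' => 'adm-l1-3'];
$attempts = [
    // the admin who did approve1, misconfigured with both roles, tries approve2
    ['admin' => ['id' => 'adm-l1-3', 'roles' => ['wallet-ops-l1', 'wallet-ops-l2']], 'stage' => 2],
    // a distinct l2 admin performs the final approval
    ['admin' => ['id' => 'adm-l2-9', 'roles' => ['wallet-ops-l2']], 'stage' => 2],
    // the submitter holds an l2 role and tries to approve their own record
    ['admin' => ['id' => 'adm-support-7', 'roles' => ['wallet-ops-l2']], 'stage' => 2],
    // a content-admin tries stage 1
    ['admin' => ['id' => 'adm-content-2', 'roles' => ['content-admin']], 'stage' => 1],
];
foreach ($attempts as $a) {
    $v = approvalViolation($withdrawal, $a['admin'], $a['stage']);
    printf("%-14s stage %d => %s\n", $a['admin']['id'], $a['stage'], $v ?? 'allowed');
}
```

The check deliberately compares admin identities, not only roles: role separation alone is defeated the moment one account accumulates both `wallet-ops-l1` and `wallet-ops-l2`, so the identity comparison is the control that survives a role misconfiguration. In the Laravel routes this would run in the `approve2`/`reject` controller actions before the state change is persisted.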
## Permission matrix by risk

### High risk (write/destructive)

| Route group | Example route name | Allowed roles |
|---|---|---|
| User lifecycle | user_detail.suspend, user_detail.reactivate, user_detail.delete | super-admin, compliance-admin |
| KYC decision | user_kyc.approve, user_kyc.reject, user_kyc.suspend | compliance-admin |
| Wallet approval | pending_deposit.approve1, pending_deposit.approve2, withdrawal.approve1, withdrawal.approve2, withdrawal.reject | wallet-ops-l1/wallet-ops-l2 according to stage |
| System status | configuration.updateStatus, maintenance_mode.update_status | super-admin (optionally compliance-admin for maintenance) |
| Maintenance whitelist | maintenance_mode.add_whitelist, maintenance_mode.remove_whitelist | super-admin, compliance-admin |
| Admin IAM | administrator.delete, administrator_role.delete | super-admin |
| Broadcast | send (email blast) | super-admin, content-admin (with approval policy) |
| Global setting delete | settings.destroy | super-admin |
### Medium risk (config mutation)

| Route group | Example route name | Allowed roles |
|---|---|---|
| Trading config | txpair.update, listed_coins.update, currency.update | super-admin, finance-admin (restricted) |
| Wallet rules | withdrawal_setting.update | super-admin, wallet-ops-l2 |
| Infra fee | gas_fee.update, sync_gas_fee | super-admin, wallet-ops-l2 |
| Fireblock ops | fireblock.update_gas_station | super-admin |
### Low risk (read/reporting)

| Route group | Example route name | Allowed roles |
|---|---|---|
| User and wallet monitoring | user_detail.index, withdrawal.index, deposit.index | all operational roles + auditor |
| Financial report | operation.index, tax_report.* | finance-admin, super-admin, auditor-readonly |
| Regulator report | asset_transaction_report.*, quarterly_risk_assessment.index | compliance-admin, super-admin, auditor-readonly |
| Logs | log_history.activity.*, admin_login_log_history.index | super-admin, auditor-readonly |
## Implementation control checklist

- Map `route name` -> permission key in the role/permission system.
- Add a gate middleware per module/action (not only `google2fa`).
- Store an audit trail: `who`, `when`, `before`, `after`, `reason`.
- Require a reason field (`reason`) for approve/reject/suspend/delete actions.
- Enable alerts for:
  - maintenance toggles
  - whitelist changes
  - bulk delete/import
  - regulator report retry queue
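The first four checklist items and the risk matrix above, carried into one stand-alone gate as an added example (not the project's own middleware or code). It maps a route name to a permission key, looks the route up in the matrix with deny-by-default for anything unmapped, treats `super-admin` as the emergency override, refuses approve/reject/suspend/delete requests that carry no `reason`, and builds the who/when/before/after/reason audit row. The matrix rows are copied from the tables above; the `AdminGate` class, its method names, the `admin.` key prefix and the sample requests are assumptions for this example.

```php
<?php
// Added example, not part of the original blueprint or the project's code:
// a stand-alone gate that maps an admin route name to a permission key,
// checks it against the risk matrix above (deny by default), requires a
// `reason` on approve/reject/suspend/delete actions, and builds the audit row.
// Matrix rows are taken from the blueprint tables; the class and method names,
// the `admin.` key prefix and the sample requests are assumptions.
declare(strict_types=1);

final class AdminGate
{
    /** Route-name pattern (fnmatch syntax) => allowed roles. First match wins. */
    private const MATRIX = [
        // high risk
        'user_detail.suspend'          => ['super-admin', 'compliance-admin'],
        'user_detail.delete'           => ['super-admin', 'compliance-admin'],
        'user_kyc.approve'             => ['compliance-admin'],
        'user_kyc.reject'              => ['compliance-admin'],
        'withdrawal.approve1'          => ['wallet-ops-l1'],
        'withdrawal.approve2'          => ['wallet-ops-l2'],
        'withdrawal.reject'            => ['wallet-ops-l1', 'wallet-ops-l2'],
        'maintenance_mode.*'           => ['super-admin', 'compliance-admin'],
        'administrator*.delete'        => ['super-admin'],
        'settings.destroy'             => ['super-admin'],
        // medium risk
        'withdrawal_setting.update'    => ['super-admin', 'wallet-ops-l2'],
        'fireblock.update_gas_station' => ['super-admin'],
        // low risk ('*' = every operational role plus auditor-readonly)
        'withdrawal.index'             => ['*'],
        'tax_report.*'                 => ['finance-admin', 'super-admin', 'auditor-readonly'],
        'log_history.activity.*'       => ['super-admin', 'auditor-readonly'],
    ];

    /** Final route segments whose requests must carry a non-empty `reason`. */
    private const REASON_REQUIRED = ['approve1', 'approve2', 'approve', 'reject', 'suspend', 'delete', 'destroy'];

    /** Permission key stored in the role/permission system for a route name. */
    public static function permissionKey(string $routeName): string
    {
        return 'admin.' . $routeName;
    }

    /** Allowed roles for a route name, or null when the route is not mapped. */
    public static function allowedRoles(string $routeName): ?array
    {
        foreach (self::MATRIX as $pattern => $roles) {
            if (fnmatch($pattern, $routeName)) {
                return $roles;
            }
        }
        return null;
    }

    /** Null when the request passes, otherwise the denial reason. */
    public static function authorize(string $routeName, array $roles, array $input): ?string
    {
        $allowed = self::allowedRoles($routeName);
        if ($allowed === null) {
            return 'route-not-mapped'; // unmapped routes are denied, never silently allowed
        }
        // super-admin is the emergency override and passes every gate.
        $roleOk = in_array('*', $allowed, true)
            || in_array('super-admin', $roles, true)
            || array_intersect($allowed, $roles) !== [];
        if (!$roleOk) {
            return 'role-denied';
        }
        $segments = explode('.', $routeName);
        $action = end($segments);
        if (in_array($action, self::REASON_REQUIRED, true) && trim((string) ($input['reason'] ?? '')) === '') {
            return 'reason-required';
        }
        return null;
    }

    /** Audit-trail row: who, when, before, after, reason (plus the permission key). */
    public static function auditEntry(string $adminId, string $routeName, array $before, array $after, ?string $reason): array
    {
        return [
            'who'        => $adminId,
            'when'       => gmdate(DATE_ATOM),
            'permission' => self::permissionKey($routeName),
            'before'     => $before,
            'after'      => $after,
            'reason'     => $reason,
        ];
    }
}

// Constructed sample requests: [route name, admin roles, request body].
$requests = [
    ['withdrawal.approve2', ['wallet-ops-l1'],    ['reason' => 'per ticket 42']], // wrong stage role
    ['withdrawal.approve2', ['wallet-ops-l2'],    []],                            // reason missing
    ['user_detail.suspend', ['compliance-admin'], ['reason' => 'AML hold']],      // passes
    ['news.publish',        ['content-admin'],    []],                            // constructed, unmapped route
];
foreach ($requests as [$route, $roles, $input]) {
    printf("%-22s %-18s => %s\n", $route, implode(',', $roles), AdminGate::authorize($route, $roles, $input) ?? 'allowed');
}
```

To use it as the per-module gate middleware the checklist asks for, a Laravel middleware's `handle()` would call `AdminGate::authorize($request->route()->getName(), $roles, $request->all())` (how the admin's role names are loaded is project-specific and assumed here), abort with 403 on a non-null result, and write `auditEntry()` after the controller has produced the before/after state. Keeping the matrix keyed by route name is what makes the mapping auditable: a new route that is not in the matrix is rejected until someone deliberately assigns it a risk group and roles.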
## Adoption notes

This blueprint is a baseline; the final version must follow the internal role structure and the company's compliance policy.