/**
 * Built-in role seeds
 */

/**
 * Shape of one built-in role definition in this seed file.
 *
 * How these records are loaded and how `permissions` entries are matched at
 * authorization time is not shown in this file.
 */
export interface RoleSeed {
  /** Display name of the role (may contain spaces, e.g. 'HR Manager'). */
  name: string;
  /** Short identifier for the role, presumably the stable lookup key; verify against the seeding code. */
  code: string;
  /** One-line human-readable summary of what the role is for. */
  description: string;
  /** Literal `true`: every record typed as RoleSeed is marked built-in. */
  isBuiltIn: true;
  // Entries in this file use `*` in the action position and sometimes carry
  // more than two segments (e.g. 'performance:kpi:view:team').
  permissions: string[]; // resource:action format
}

/**
 * Built-in roles and the permission strings each one is granted.
 *
 * Entries ending in `:*` look like per-resource wildcards; the matching rules
 * (for example whether `performance:*` also covers `performance:kpi:view:team`)
 * live in the permission checker, which is not part of this file.
 *
 * NOTE(review): several permissions appear in two spellings side by side
 * ('performance:kpi:self-evaluate' / 'performance:kpi:evaluate:self',
 * 'performance:cycle:view' / 'performance:cycle:read', 'org:read' /
 * 'organization:read'). Presumably both are granted for compatibility; confirm
 * which spelling the checker enforces so that retiring one does not silently
 * leave the other granted.
 */
export const ROLE_SEEDS: RoleSeed[] = [
  {
    name: 'MeetingManager',
    code: 'MeetingManager',
    description: 'Meeting attendance administrator',
    isBuiltIn: true,
    // Full control of meeting attendance; only read/list on directory data.
    permissions: [
      'meeting_attendance:*',
      'user:read',
      'user:list',
      'department:read',
      'department:list',
      'role:read',
      'organization:read',
      'org:read',
    ],
  },
  {
    name: 'Leader',
    code: 'Leader',
    // NOTE(review): the description says "read and approval view", but the list
    // below also grants evaluate/assign/confirm and 360 create/update actions.
    // Keep the description in sync so access reviews are not misled.
    description: 'Team leader with read and approval view permissions',
    isBuiltIn: true,
    permissions: [
      'user:read',
      'user:list',
      'department:read',
      'department:list',
      'role:read',
      'approval:read',
      'work_record:read',
      'meeting_attendance:read',
      'meeting_attendance:report',
      // Performance management (team level)
      'performance:cycle:view',
      'performance:cycle:read',
      'performance:kpi:view',
      'performance:kpi:view:team',
      'performance:kpi:self-evaluate',
      'performance:kpi:evaluate:self',
      'performance:kpi:evaluate:team',
      'performance:kpi:manager-evaluate',
      'performance:kpi:confirm',
      'performance:kpi:assign',
      'performance:360:view',
      'performance:360:view:own',
      'performance:360:view:team',
      'performance:360:submit',
      'performance:360:create',
      'performance:360:update',
      'performance:result:view',
      'performance:result:view:own',
      'performance:calibration:view',
      'performance:calibration:participate',
      'performance:grade:view',
    ],
  },
  {
    name: 'Administrator',
    code: 'Administrator',
    description: 'System administrator with full access',
    isBuiltIn: true,
    // "Full access" is expressed as one `resource:*` entry per resource rather
    // than a single global wildcard, so a resource missing from this list is
    // presumably not covered; verify against the checker when adding resources.
    // 'user:*', 'role:*' and 'iam_admin:*' are the identity-governing grants.
    permissions: [
      'user:*',
      'role:*',
      'department:*',
      'position:*',
      'org:*',              // Org chart viewing
      'organization:*',      // Organization management
      'region:*',            // Region management
      'hr:*',                // HR management
      'parts:*',
      'approval:*',
      'audit:*',
      'notification:*',
      'automation:*',
      'work_record:*',
      'meeting_attendance:*',
      'form:*',
      'feedback:*',
      'ticket:*',            // Ticket management
      'system:*',
      'workflow:*',
      'log:*',
      'devtracker:*',
      'performance:*',       // Performance management
      'ai_tool:*',           // AI tool authorization management
      'robot-manager:*',     // Robot management
      'iam_admin:*',         // IAM governance console
      'm365-dormant:*',      // Operations center / M365 dormant accounts
      'flow:*',              // AI flowcharts
    ],
  },
  {
    name: 'IT Admin',
    code: 'ITAdmin',
    description: 'IT operations admin: M365 dormant accounts identification, future IT operational tooling',
    isBuiltIn: true,
    permissions: [
      'user:read',
      'user:list',
      'department:read',
      'department:list',
      'role:read',
      'organization:read',
      'org:read',
      // NOTE(review): the comment below names three actions, but the grant is a
      // wildcard; any action later added under 'm365-dormant' would presumably
      // be granted to this role as well. Enumerate the actions if that is not intended.
      'm365-dormant:*',      // Operations center / M365 dormant accounts (read + sync + export)
    ],
  },
  {
    name: 'HR Manager',
    code: 'HrManager',
    description: 'Human Resources Manager',
    isBuiltIn: true,
    // NOTE(review): this role holds 'user:create' and 'user:update' but only
    // implicit role visibility. Confirm that 'user:update' cannot change a
    // user's role assignments; nothing in this file shows how that is separated.
    permissions: [
      'user:read',
      'user:update',
      'user:create',
      'user:list',
      'department:*',
      'position:*',
      'organization:sync',
      'approval:read',
      'approval:approve',
      'approval:reject',      // Added: permission to reject approvals
      'approval:forward',     // Added: permission to forward approvals
      'work_record:read',
      'work_record:read_all',
      'work_record:export',
      'work_record:manage',
      'hr:report:read',
      'performance:*',        // Performance management (all)
    ],
  },
  {
    name: 'Department Manager',
    code: 'DepartmentManager',
    description: 'Department manager with team management and approval permissions',
    isBuiltIn: true,
    permissions: [
      'user:read',
      'user:list',
      'department:read',
      'department:list',
      'role:read',           // Needs to view role information to manage the team
      'position:read',       // Needs to view position information
      'organization:read',   // Added: view organization information
      'region:read',         // Added: view region information
      'form:read',           // View the form list (needed by the approval center; does not allow managing forms)
      'form:use',            // Use forms (start a form instance)
      'form:instance:read',  // View form instances (approval tasks)
      'approval:read',
      'approval:approve',
      'approval:reject',     // Added: permission to reject approvals
      'approval:forward',    // Added: permission to forward approvals
      'work_record:read',
      'work_record:export',
      'devtracker:read',
      'devtracker:create',
      'devtracker:update',
      'devtracker:review',
      // Performance management (department level)
      // NOTE(review): 'performance:result:view:all' and
      // 'performance:analytics:read' sit under a "department level" heading;
      // the strings themselves carry no department scope, so confirm the
      // enforcement layer restricts them to the manager's own department.
      'performance:cycle:view',
      'performance:cycle:read',
      'performance:kpi:view',
      'performance:kpi:view:team',
      'performance:kpi:self-evaluate',
      'performance:kpi:evaluate:self',
      'performance:kpi:evaluate:team',
      'performance:kpi:manager-evaluate',
      'performance:kpi:confirm',
      'performance:kpi:assign',
      'performance:kpi:manage',
      'performance:360:view',
      'performance:360:view:own',
      'performance:360:view:team',
      'performance:360:view:results',
      'performance:360:submit',
      'performance:360:create',
      'performance:360:update',
      'performance:result:view',
      'performance:result:view:own',
      'performance:result:view:all',
      'performance:calibration:view',
      'performance:calibration:participate',
      'performance:calibration:read',
      'performance:grade:view',
      'performance:analytics:read',
    ],
  },
  {
    name: 'Employee',
    code: 'Employee',
    description: 'Regular employee with basic view and create permissions',
    isBuiltIn: true,
    // NOTE(review): the update/withdraw grants below do not encode ownership in
    // the permission string; presumably "own records only" is enforced by
    // object-level checks in the handlers. Confirm before relying on it.
    permissions: [
      'user:read',
      'department:read',
      'role:read',           // Employees should also be able to view role information (needed when viewing the org chart)
      'approval:create',
      'approval:read',
      'approval:start',
      'approval:withdraw',   // Added: withdraw approvals the user started themselves
      'work_record:create',
      'work_record:read',
      'work_record:update',
      'meeting_attendance:read',
      'meeting_attendance:checkin',
      'form:read',
      'form:use',
      'form:instance:create',
      'form:instance:read',
      'form:instance:update',
      'devtracker:read',
      'devtracker:create',
      'devtracker:update',
      // Performance management (individual level)
      'performance:cycle:view',
      'performance:cycle:read',
      'performance:kpi:view',
      'performance:kpi:self-evaluate',
      'performance:kpi:evaluate:self',
      'performance:kpi:confirm',
      'performance:360:view',
      'performance:360:view:own',
      'performance:360:submit',
      'performance:360:create',
      'performance:360:update',
      'performance:result:view',
      'performance:result:view:own',
      'performance:grade:view',
    ],
  },
  {
    name: 'Finance Approver',
    code: 'FinanceApprover',
    description: 'Finance approval personnel',
    isBuiltIn: true,
    // Approval decisions plus read/approve on parts; no create or write grants.
    permissions: [
      'approval:read',
      'approval:approve',
      'approval:reject',     // Added: permission to reject approvals
      'approval:forward',    // Added: permission to forward approvals
      'parts:read',
      'parts:approve',
    ],
  },
  {
    name: 'Parts Manager',
    // The only code in this file written in upper case; every other role uses PascalCase.
    code: 'PARTS',
    description: 'Parts inventory manager with full parts management permissions',
    isBuiltIn: true,
    // Actions are enumerated one by one instead of 'parts:*'. The list includes
    // 'parts:approve', so this role can both change and approve parts records.
    permissions: [
      'parts:create',
      'parts:read',
      'parts:update',
      'parts:delete',
      'parts:write',
      'parts:export',
      'parts:checkin',
      'parts:checkout',
      'parts:transfer',
      'parts:adjust',
      'parts:label',
      'parts:alert',
      'parts:manage',
      'parts:approve',
    ],
  },
  {
    name: 'Form Designer',
    code: 'FormDesigner',
    description: 'Form designer with form design and management permissions',
    isBuiltIn: true,
    // Holds design, review and publish together, plus wildcards on the
    // definition/version/template/translation sub-resources.
    permissions: [
      'form:create',
      'form:read',
      'form:update',
      'form:delete',
      'form:design',
      'form:review',
      'form:publish',
      'form:use',
      'form:definition:*',
      'form:version:*',
      'form:template:*',
      'form:translation:*',
    ],
  },
  {
    name: 'Form Admin',
    code: 'FormAdmin',
    description: 'Form administrator with full form management permissions',
    isBuiltIn: true,
    permissions: [
      'form:*',
    ],
  },
  {
    name: 'Approval Admin',
    code: 'ApprovalAdmin',
    description: 'Approval workflow administrator',
    isBuiltIn: true,
    permissions: [
      'approval:*',
    ],
  },
  // ==================== Robot Manager ====================
  // The four roles below split 'robot-manager' by business domain through the
  // 'write:<domain>' and 'manage:<entity>' actions; only the lifecycle engineer
  // holds 'update', 'delete' and every write domain.
  {
    name: 'Robot Manager - Lifecycle Engineer',
    code: 'RobotManagerRLE',
    description: 'Robot lifecycle engineer — full ownership of the robot lifecycle',
    isBuiltIn: true,
    permissions: [
      'robot-manager:read',
      'robot-manager:create',
      'robot-manager:update',
      'robot-manager:delete',
      'robot-manager:change-status',
      'robot-manager:import',
      'robot-manager:export',
      'robot-manager:write:identity',
      'robot-manager:write:supply-chain',
      'robot-manager:write:sales',
      'robot-manager:write:finance',
      'robot-manager:write:after-sales',
      'robot-manager:write:compliance',
      'robot-manager:manage:fields',
      'robot-manager:manage:models',
      'robot-manager:manage:suppliers',
      'robot-manager:manage:customers',
      'robot-manager:manage:partners',
      'robot-manager:manage:locations',
    ],
  },
  {
    name: 'Robot Manager - Supply Chain',
    code: 'RobotManagerSupplyChain',
    description: 'Supply chain — PO / import / receiving; maintains suppliers and warehouse/supplier locations',
    isBuiltIn: true,
    permissions: [
      'robot-manager:read',
      'robot-manager:create',
      'robot-manager:change-status',
      'robot-manager:import',
      'robot-manager:export',
      'robot-manager:write:identity',
      'robot-manager:write:supply-chain',
      'robot-manager:manage:suppliers',
      'robot-manager:manage:locations',
    ],
  },
  {
    name: 'Robot Manager - Sales',
    code: 'RobotManagerSales',
    description: 'Sales — customer binding / contract / delivery; maintains customers and customer sites',
    isBuiltIn: true,
    permissions: [
      'robot-manager:read',
      'robot-manager:change-status',
      'robot-manager:export',
      'robot-manager:write:sales',
      'robot-manager:manage:customers',
      'robot-manager:manage:partners',
      'robot-manager:manage:locations',
    ],
  },
  {
    name: 'Robot Manager - Finance',
    code: 'RobotManagerFinance',
    description: 'Finance — reconciliation / invoice / cost / collection',
    isBuiltIn: true,
    permissions: [
      'robot-manager:read',
      'robot-manager:export',
      'robot-manager:write:finance',
    ],
  },

  {
    // v2.2 permissions MVP: dedicated service-account role for the OpenClaw sync script.
    // Read-only: look up users + look up AI tool authorizations. No write operations allowed.
    // The list below matches that intent: no wildcard, only read/list actions.
    name: 'Sync Bot',
    code: 'SyncBot',
    description: 'Service account role for the OpenClaw ai-tool sync script (read-only)',
    isBuiltIn: true,
    permissions: [
      'user:read',
      'user:list',
      'ai_tool:read',
    ],
  },
];
