Open
Labels: verawood (Released in Verawood)
Description
Purpose
Introduce the new authoring roles you already defined, include taxonomy permissions in the model, and isolate publishing as an explicit permission boundary.
Definition of Done
- New authoring roles exist and are assignable.
  - Roles are created in AuthZ, show up in the Admin Console, and can be assigned and revoked using the M2 scopes.
  - Role descriptions and boundaries are documented, so admins understand what each role can and cannot do.
- Permissions are mapped and enforced for in-scope Studio surfaces.
  - All actions in the in-scope surfaces are mapped to permissions.
  - Enforcement in Studio respects those permissions when the flag is enabled, and remains safe to iterate on main.
- Taxonomy permissions are included.
  - Taxonomy-related actions are mapped to permissions and enforced consistently with the new roles.
  - Any taxonomy actions that remain legacy-only are explicitly listed as limitations.
- Publishing is isolated as a permission boundary.
  - Publishing is not included in any new role in this phase.
  - Legacy Staff and Admin retain existing publishing behavior.
  - The separation is explicit in the permission mapping and enforcement logic, so publishing does not leak through other capabilities.
- Known limitations and operational notes are documented.
  - Clear list of what is still legacy-only, and how admins should reason about access during the transition.
  - Troubleshooting and escalation path for access issues.
Dependencies
- M2 Admin Console flows and scopes are live.
- Staging is available for validation.
- Tech confirms publishing isolation approach.
Status: EPICS