story-admin-portal-organization-administrator-003
Story Points: 3
Priority: Critical
Feature: Admin Portal

User Story

As an Organization Administrator
I want to assign roles (coordinator, peer mentor) to users and revoke roles when access should be removed
So that the right people have the right level of access at all times, and departing or suspended users are promptly locked out of sensitive functionality

Acceptance Criteria

  • Given I am viewing a user profile, when I assign a role, then the Admin Management Service validates the assignment against Role Authorization Service policies before saving
  • Given a role is successfully assigned, when the change is persisted, then the Admin Audit Edge Function records actor, timestamp, old role, new role, and affected user
  • Given I revoke a role from a user, when the revocation is confirmed, then the user's active session is invalidated and they are redirected to the no-access screen on next navigation
  • Given I attempt to assign a role that exceeds my own permission scope, when the request is validated, then the Permission Guard rejects the action and displays a clear error message
  • Given the audit edge function is triggered for a role change, when the record is written, then it is immutable and cannot be modified or deleted by any client-side operation
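The flow the acceptance criteria describe (policy validation, permission-scope guard, an immutable audit record carrying actor, timestamp, old role, new role and affected user, and session invalidation on revocation), as an added example that is not code from the story or the project. The role names, the rank ordering, the in-memory maps and the `AdminManagementService` / `PermissionDenied` class names are assumptions standing in for the real Admin Management Service, Role Authorization Service and Admin Audit Edge Function:

```typescript
// Added example, not the project's code: an in-memory model of role assignment and
// revocation. Service, role and rank names are assumptions; the real services are not
// shown on the story card.
type Role = "member" | "peer_mentor" | "coordinator" | "org_admin";

// Assumed scope ranking used by the Permission Guard: an actor may only grant or revoke
// roles strictly below their own, and only for users ranked below them.
const ROLE_RANK: Record<Role, number> = { member: 0, peer_mentor: 1, coordinator: 2, org_admin: 3 };

// Stand-in for Role Authorization Service policy: roles the portal may assign at all.
const PORTAL_ASSIGNABLE: ReadonlySet<Role> = new Set<Role>(["member", "peer_mentor", "coordinator"]);

interface User { id: string; role: Role; }

// Shape of the record the audit step writes; the fields come from the acceptance criteria.
interface AuditRecord {
  readonly actor: string;
  readonly timestamp: string;
  readonly oldRole: Role;
  readonly newRole: Role;
  readonly affectedUser: string;
}

class PermissionDenied extends Error {
  constructor(message: string) { super(message); this.name = "PermissionDenied"; }
}

class AdminManagementService {
  private readonly users = new Map<string, User>();
  private readonly sessions = new Map<string, string>(); // sessionId -> userId, active sessions only
  private readonly auditLog: AuditRecord[] = [];          // append-only; every record is frozen

  addUser(id: string, role: Role, sessionIds: string[] = []): void {
    this.users.set(id, { id, role });
    for (const s of sessionIds) this.sessions.set(s, id);
  }

  getRole(userId: string): Role { return this.mustGet(userId).role; }
  isSessionActive(sessionId: string): boolean { return this.sessions.has(sessionId); }
  // Return a copy so callers can read the log but never modify or delete entries.
  getAuditLog(): readonly AuditRecord[] { return [...this.auditLog]; }

  // Assign a role: policy check, then Permission Guard, then audit, then persist.
  assignRole(actorId: string, userId: string, newRole: Role): AuditRecord {
    if (!PORTAL_ASSIGNABLE.has(newRole)) {
      throw new PermissionDenied(`role '${newRole}' cannot be assigned through the portal`);
    }
    const actor = this.mustGet(actorId);
    const target = this.mustGet(userId);
    this.permissionGuard(actor, target, newRole);
    const record = this.audit(actor.id, target.role, newRole, target.id);
    target.role = newRole;
    return record;
  }

  // Revoke a role: drop the user to the base role and invalidate every active session,
  // so the next navigation lands on the no-access screen.
  revokeRole(actorId: string, userId: string): AuditRecord {
    const actor = this.mustGet(actorId);
    const target = this.mustGet(userId);
    this.permissionGuard(actor, target, "member");
    const record = this.audit(actor.id, target.role, "member", target.id);
    target.role = "member";
    for (const [sessionId, owner] of this.sessions) {
      if (owner === target.id) this.sessions.delete(sessionId);
    }
    return record;
  }

  // Permission Guard: reject changes that exceed the actor's own scope.
  private permissionGuard(actor: User, target: User, newRole: Role): void {
    if (ROLE_RANK[newRole] >= ROLE_RANK[actor.role]) {
      throw new PermissionDenied(`assigning '${newRole}' exceeds your permission scope`);
    }
    if (ROLE_RANK[target.role] >= ROLE_RANK[actor.role]) {
      throw new PermissionDenied("cannot change a user whose role is at or above your own");
    }
  }

  // Audit step: the record is frozen before it is stored, so it cannot be edited afterwards.
  private audit(actor: string, oldRole: Role, newRole: Role, affectedUser: string): AuditRecord {
    const record: AuditRecord = Object.freeze({
      actor, timestamp: new Date().toISOString(), oldRole, newRole, affectedUser,
    });
    this.auditLog.push(record);
    return record;
  }

  private mustGet(id: string): User {
    const u = this.users.get(id);
    if (!u) throw new Error(`unknown user ${id}`);
    return u;
  }
}
```

The guard runs on both the role being granted and the current role of the affected user, so a coordinator can neither promote someone to coordinator nor demote another coordinator. Freezing each record and handing out only a copy of the log models the client-side immutability criterion; in a real deployment that guarantee has to come from the server side (the edge function and database permissions), not from the client.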

Business Value

Accurate role management is foundational to the entire permission model of the platform. Without a reliable mechanism for role assignment and revocation, unauthorized users could access sensitive peer mentor data, encrypted assignments, and financial reimbursement records — constituting a GDPR violation and potential security incident. Immediate revocation with server-side audit logging provides the accountability that multi-tenant governance requires.