RiverSync
SPEC-APP-ACC · v0.7
27 June 2026
Owner: Platform team

Account — product requirements

account.riversync.com — where every tenant manages itself: customers and partners run their organization; the riversync tenant manages just its users. One sign-in surface serves all three.

DraftActively prototyped
Inherits the master PRD. Tenancy, identity, authorization and partner agreements are defined in SPEC-PRD (TEN-/ID-/AUTH-/PRT-). Requirements here are Account-app-scoped; on any conflict the master wins and the discrepancy is logged in both revision histories.

1One app, three tenant views

Tenant typeWhat the Account portal managesNavigation
CustomerThe organization — profile, people, structure, partners, moneyOverview · Users · Departments · Sites · Roles · Permissions · Partners · Billing · Invoices · Audit
PartnerSame organization surface (a partner org is also a company; Nera is also a customer)Mirrors the customer view; partner-specific pages reserved
riversyncIts own users only — no organization (master TEN-3, AUTH-4); user management is the standard surface setOverview · Users · Roles · Permissions

2Requirements

ACC-1

Customer organization management covers: company profile/branding/security, users with per-application roles, departments, sites (regions → sites), roles, permissions, partners, billing (THB), invoices and the audit log.

ACC-2

Roles and Permissions are separate surfaces. Roles defines the role set (Owner fixed-full, Administrator, Editor, Viewer + custom roles). Permissions is a per-application matrix with region/site scope overrides; gated apps (Partners, Pipeline, Admin) show locked with the reason.

ACC-3

Partners surface stays light: the list shows organization, partner tier and status only. Each partner opens a detail page — Devices (every covered device with its own agreement, tier, renewal and move-at-renewal action), Access (scope controls, effective immediately), Activity (the partner's audited actions). A partner-tenant org viewing its own Partners page never sees itself in the list (master PRT-8). Master PRT-1…8 govern the model.

ACC-4

riversync-tenant view: an Overview landing (headcount, role distribution, console shortcuts) plus the standard Users, Roles and Permissions surfaces — the same user management every tenant gets (master AUTH-4…7). The five default roles (admin · support · sales · accounting · engineer) are ordinary configurable roles; admin is fixed-full. No org pages whatsoever. Each tenant type has a default overview page — it is the landing target whenever a destination page doesn't exist for that tenant.

ACC-5

Sign-in offers Google · Microsoft · LinkedIn · email & password, org-level Entra ID SSO, and an account chooser when one email holds accounts in several tenants (master ID-2/3). Unverified email locks org surfaces with an explain-and-unlock state.

ACC-6

My Account is shared by every tenant type — profile, security, sessions, notifications.

ACC-7

DS components only — including the branded dropdown for every select; no native OS menus.

RiverSync Co., Ltd. · BangkokSPEC-APP-ACC · 1 of 3

3Navigation & menu visibility

The Account app serves three tenant types, each with its own sidebar model, and within each tenant every role sees only the menu items its permission set reaches. The sidebar is built from the shell nav model (NAV / STAFF_NAV); visibility is resolved by the role-access map (ROLE_ACCESS, Federation §1 layers 3–4). A menu item a role cannot reach is hidden from the sidebar and blocked on a direct visit (typed URL, bookmark, stale link) — it is not merely hidden.

Full visible, can act (create / edit) Read visible, read-only hidden & blocked on direct visit email-gated (locked until verification)

3.1App entitlement — which apps a tenant can open

Before role gating inside an app, the tenant type decides which of the platform's six apps appear in the product switcher at all (master AUTH-2; Application.Gating = open · partner · riversync).

AppCustomerPartnerriversync
OpenOpenOpen
PortalOpen
PartnersOpen
PipelineOpen
AdminOpen
FieldOpen

Partner members service devices in Partners, not Portal; riversync staff monitor every customer's devices in the Operations console (the staff side of Portal). Field is reached at field.riversync.com and is not in the switcher — engineer-gated (see SPEC-APP-FLD).

3.2Customer tenant

Sanyodenki
Organization
Overview
Users248
Departments
Sites34
Roles
Permissions
Partners2
Billing
Invoices
Account
My Account
Audit Log

Roles: Owner (fixed-full, FED-8) · Administrator · Editor · Viewer, plus any custom roles. The owner always reaches every surface; the others are gated by the per-application permission matrix on Permissions (the canonical role × permission grid, FED-9).

Items marked with the amber dot — Overview · Users · Departments · Sites · Roles · Billing · Audit Log — are email-gated: they show a lock until the signed-in user verifies their email (ACC-5), independent of role.

Menu itemOwnerAdminEditorViewer
Organization
OverviewFullFullReadRead
UsersFullFullRead
DepartmentsFullFullReadRead
SitesFullFullReadRead
RolesFull
PermissionsFull
PartnersFullFullRead
BillingFull
InvoicesFull
Account
My AccountFullFullFullFull
Audit LogReadRead

Billing, Invoices, Roles and Permissions are Owner-only in the prototype. My Account is ungoverned (FED-4) — always reachable for every role.

RiverSync Co., Ltd. · BangkokSPEC-APP-ACC · 2 of 3

3.3Partner tenant

A partner org is also a company, so it gets the same sidebar as a customer (Nera is also a customer). Roles differ by partner subtype: a reseller has Administrator · Service coordinator · Sales; a distributor has Administrator · Channel manager · Sales. Access is structurally identical between the two subtypes, so the coordinator and manager share a column below.

Menu itemAdministratorCoordinator / ManagerSales
Organization
OverviewFullFullRead
UsersFullFull
DepartmentsFullFull
SitesFullFull
RolesFull
PermissionsFull
PartnersFull
BillingFull
InvoicesFull
Account
My AccountFullFullFull
Audit LogReadRead

The partner Sales role works mainly in the Partners app (deal registration), so in Account it sees only the Overview. On the Partners menu item, a partner org never sees itself in its own partner list (master PRT-8) — a content rule, not a visibility one.

3.4riversync tenant

RiverSync
Organization
Overview
Users36
Roles
Permissions
Account
My Account
Audit Log

The riversync tenant manages no organization (TEN-3): no Departments, Sites, Partners, Billing or Invoices. Its users are managed like any tenant's, on the standard Users · Roles · Permissions surfaces behind an Overview landing (ACC-4).

Roles: admin (fixed-full) · support · sales · accounting · engineer — ordinary configurable roles, one per account. There is no email-gating here; the riversync view is always verified.

Menu itemAdminSupportSalesAcct.Engineer
Organization
OverviewFullReadReadReadRead
UsersFullRead
RolesFull
PermissionsFull
Account
My AccountFullFullFullFullFull
Audit LogReadRead

Only admin manages riversync users, roles and permissions; support additionally reaches Users (read) and the Audit Log. Sales, accounting and engineer land on the Overview and do their work in the Pipeline, Admin and Field apps respectively.

RiverSync Co., Ltd. · BangkokSPEC-APP-ACC · 3 of 3

4Prototype index

The working pages in this project, named by tenant-type prefix. Use this to cross-check the PRD against what's built.

PageCovers
Customer OrganizationACC-1 — profile, branding, security, regions
Customer Users · User DetailACC-1 — members, per-app roles, application access
Customer Departments · LocationsACC-1 — structure and sites
Customer Roles · PermissionsACC-2 — role set and per-app matrix
Customer Partners · Partner DetailACC-3 — partner list, devices · access · activity
Customer Billing · Invoices · AuditACC-1 — money and history
RiverSync Overview · Users · Roles · PermissionsACC-4 — riversync-tenant view
Sign In · AccountACC-5/6 — shared surfaces

5Open questions

6Revision history

VersionDateChanges
0.112 Jun 2026First extraction from the master PRD + prototypes: three tenant views, roles/permissions split, partners surface, staff view, sign-in
0.212 Jun 2026Staff Overview landing page; tenant switch lands on the same page when it exists, else the tenant's overview
0.312 Jun 2026Partners list excludes the viewing org itself (master PRT-8)
0.413 Jun 2026riversync-tenant users are managed like any tenant's (master v0.13) — ACC-4 reworked: standard Users · Roles · Permissions surfaces, ordinary single-role accounts, no multi-role mechanic; prototypes reworded to match
0.515 Jun 2026Site Locations menu → Sites. The customer nav item, page title, crumbs and the navigation list rename to Sites; ACC-1 wording follows. Backing entity SiteLocation → OrganizationSite (SPEC-ERD v0.16, spelled-out naming). No requirement-structure changes.
0.616 Jun 2026Structure entity OrganizationUnit → OrganizationDepartment (SPEC-ERD v0.17, spelled-out domain-context naming) — aligns the data model to the Account Departments surface (ACC-1). The EntityType catalog still types each node (company · division · department · team). No requirement-structure changes.
0.727 Jun 2026Navigation & menu visibility (new §3). Documents the Account sidebar for all three tenant types and a role × menu-item visibility matrix per tenant (customer · partner · riversync), grounded in the shell nav model and ROLE_ACCESS map. Adds the app-entitlement (product-switcher) matrix, the Full / Read / hidden / email-gated states, and the rule that an unreachable item is blocked on direct visit, not just hidden. Prototype index, open questions and revision history renumbered §4–§6. No requirement-structure changes.
RiverSync Co., Ltd. · BangkokSPEC-APP-ACC · 2 of 2