What starts this process, where it ends, who acts and on which surface. Permission catalogs are per application (FED-9); the Permissions page is a role × permission matrix, with optional region or site scope overrides.
Top to bottom in sequence; lanes are the actors. The one decision is scope: leave the matrix organization-wide, or add a region or site override that narrows it. Overrides may only narrow, never widen (FED-10). The effective set the gateway enforces is the role's org-wide row intersected with the scope override, so a permission is granted in a scope only if both the row and the override carry it. Node shape follows the master conventions.
Each row is one node on the swimlane: who acts, what happens, and the requirement or rule it traces to.
Every id, service and entity this process touches — each linked to the document that owns it.
The WF-rules that bind this workflow — the master holds the full set.
Surfaced by this process; not yet resolved in the model.
| Ref | Gap |
|---|---|
| FED-10 | Scope narrows, never widens. A region or site override applies in place of the org-wide row for that scope but may only remove permissions from it. The resolver must reject, at write time, any override that would add a permission the org-wide row does not carry. Enforced server-side, not just in the UI; a client that bypasses the Permissions page must hit the same check. |
| — ⚠ | Partners app catalog. The Partners-app permission catalog is not yet drafted (Federation PRD §11) — the matrix for partner tenants is incomplete until it lands. |
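The resolver described in the swimlane (effective set = org-wide row ∩ scope override) and the FED-10 rejection rule above, as one added example. This is illustrative code written for this page, not the project's resolver: it assumes a permission catalog is a set of permission ids per app (FED-9), the org-wide matrix maps role to a set of permissions, and an override is keyed by a (kind, id) scope with its own role-to-set mapping. The class and function names (PermissionMatrix, Scope, override_accepted, demo_matrix) and the sample catalog are hypothetical.

```python
"""Resolver for the role x permission matrix with region/site scope overrides.

Added example, not the project's own code. Assumed model: catalog = set of
permission ids per app (FED-9); org_wide maps role -> frozenset(perms);
overrides map Scope(kind, id) -> {role: frozenset(perms)}. Names hypothetical.
"""
from dataclasses import dataclass, field


class WideningOverride(ValueError):
    """An override tried to grant a permission the org-wide row lacks (FED-10)."""


class UnknownPermission(ValueError):
    """A row named a permission outside the app's catalog (FED-9)."""


@dataclass(frozen=True)
class Scope:
    kind: str  # "region" or "site"
    id: str


@dataclass
class PermissionMatrix:
    app: str
    catalog: frozenset
    org_wide: dict = field(default_factory=dict)   # role -> frozenset(perms)
    overrides: dict = field(default_factory=dict)  # Scope -> {role: frozenset(perms)}

    def set_role(self, role, perms):
        """Write the org-wide row for a role; every permission must be in the app catalog."""
        perms = frozenset(perms)
        unknown = perms - self.catalog
        if unknown:
            raise UnknownPermission(f"{self.app}: {sorted(unknown)} not in catalog")
        self.org_wide[role] = perms

    def add_override(self, scope, role, perms):
        """Server-side FED-10 check: an override may only remove permissions."""
        if scope.kind not in ("region", "site"):
            raise ValueError(f"unsupported scope kind {scope.kind!r}")
        perms = frozenset(perms)
        base = self.org_wide.get(role, frozenset())
        widened = perms - base
        if widened:  # reject before anything is stored
            raise WideningOverride(
                f"{scope.kind}:{scope.id} override for {role!r} would add {sorted(widened)}")
        self.overrides.setdefault(scope, {})[role] = perms

    def effective(self, role, scope=None):
        """Effective set the gateway enforces: org-wide row intersected with the override."""
        base = self.org_wide.get(role, frozenset())
        override = self.overrides.get(scope, {}).get(role)
        if override is None:
            return base
        return base & override  # intersection: an override can never add anything

    def allowed(self, role, perm, scope=None):
        return perm in self.effective(role, scope)


def override_accepted(matrix, scope, role, perms):
    """True if the resolver stored the override, False if FED-10 rejected it."""
    try:
        matrix.add_override(scope, role, perms)
    except WideningOverride:
        return False
    return True


def demo_matrix():
    """Constructed sample data: one app catalog, two roles, one region override."""
    catalog = frozenset({"reports.read", "users.read", "users.write", "billing.export"})
    m = PermissionMatrix(app="admin-console", catalog=catalog)
    m.set_role("auditor", {"reports.read", "users.read"})
    m.set_role("admin", {"reports.read", "users.read", "users.write", "billing.export"})
    # The EU region narrows auditors to report access only.
    m.add_override(Scope("region", "eu"), "auditor", {"reports.read"})
    return m


if __name__ == "__main__":
    m = demo_matrix()
    print("auditor org-wide:", sorted(m.effective("auditor")))
    print("auditor in eu:", sorted(m.effective("auditor", Scope("region", "eu"))))
    print("widening accepted?", override_accepted(
        m, Scope("site", "lon-1"), "auditor", {"reports.read", "users.write"}))
```

Two points worth checking in a real resolver follow from the intersection. First, the write-time check in add_override is what stops a widening override from ever being stored, so it must run on the server for every write path, not only behind the Permissions page. Second, because enforcement recomputes base & override, an org-wide row that is later narrowed narrows every scope automatically; an old override cannot keep a permission alive that the org-wide row no longer carries.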
| Version | Date | Changes |
|---|---|---|
| 0.1 | 14 Jun 2026 | First draft — the permission-matrix flow split out as its own process in the new Federation group (SPEC-PWF-FED). Configures the role × permission matrix and scope overrides for roles defined in Roles; traces to the Federation PRD permission catalogs (FED-9…10, ACC-2). |