Access control policy
RBAC 6 roles defined · least privilege by default · MFA mandatory in production · permissions matrix 8 resources · 6 procedures (onboarding · review · offboarding · break-glass · incident response · vendor access) · immutable audit logging. Public policy for transparency + Enterprise procurement.
6 roles · RBAC definitions
| Role | Scope | Current users | Restrictions |
|---|---|---|---|
| Super Admin (founder) | Full system · production secrets · DB direct access · billing · vendor management | 1 (founder Jonatan) | MFA hardware key + soft token · session 2h max · audit logs immutable · cannot escalate own role |
| Engineer (post-traction hire) | Code repo · staging full · production read-only · production write via PR + approval | 0 currently · 1-2 planned post-traction | MFA mandatory · session 8h · 2-person rule for production writes · NO direct DB modification in production |
| Customer Support (post-traction hire) | Admin dashboard read · client-specific impersonation with audit · ticket system · knowledge base | 0 currently · planned post-CIF | MFA mandatory · session 8h · impersonation logged + client notified · NO admin actions |
| Clinic Admin (per-tenant) | Own clinic config · own conversations view · own staff management · own metrics | 2 demo clinics (Jonatan + family) | MFA optional (recommended) · session 12h · cannot view other tenants · RLS enforced at DB level |
| Clinic Staff (per-tenant subset) | Own clinic conversations view · manual responses · escalation · cannot change config | 0 currently · planned per-tenant | MFA optional · session 8h · per-role permissions defined by the clinic |
| External Auditor | Read-only DB + code repo + Sentry + audit logs · NO production writes · NO PII access (anonymized) | 1 (ChatGPT auditor via bundle) | Time-limited access per audit cycle · IP whitelist · 0 PII raw · all activity logged |
Permissions matrix · 8 resources × 6 roles
| Resource | Super Admin | Engineer | Support | Clinic Admin | Clinic Staff | Auditor |
|---|---|---|---|---|---|---|
| Code repo (GitHub) | Full | Push branches · PR · merge after review | Read only | N/A | N/A | Read only |
| Production DB (Supabase) | Full read/write via tooling | Read-only direct · writes via migration PR | Read tenant via admin only | Own tenant via API only | Own tenant subset via API | Read anonymized only |
| Cloudflare Workers config | Full | Staging full · production via PR | N/A | N/A | N/A | Read config only |
| Stripe payment data | Full via dashboard | Read-only via Stripe test mode | View invoices · NO refunds without escalation | Own invoices view | N/A | Read aggregate only |
| Meta WhatsApp Manager | Full via Meta Business | Templates submission via PR · NO live changes | Read templates status | N/A | N/A | Read config docs |
| Sentry monitoring | Full | Project-level full | Read issues + resolve · NO project config | N/A | N/A | Read project access |
| Production secrets (Cloudflare env) | Read + rotate via wrangler | NO direct · rotation via runbook /rotate-secret | N/A | N/A | N/A | NO access · names only |
| Customer PII (patient_name, phone, medical_history) | Decrypt via pgsodium per-action audit | Encrypted only · NO decrypt direct | Decrypt for specific ticket per-action audit | Own tenant decrypt via API | Own tenant subset · per-conversation only | NO access · anonymized stats only |
6 procedures · access lifecycle
Audit logging · 6 events tracked
- ALL authentication events · success + failure · IP · user agent · MFA method used
- ALL authorization decisions · resource accessed · action attempted · allow/deny outcome · WHY
- ALL PII access · who accessed which patient data · timestamp · purpose · audit trail forever
- ALL configuration changes · old value · new value · who · when · reason
- ALL secret access · secret name (NOT value) · who accessed · for what runbook execution
- Logs immutable · append-only · cryptographic chain · retention 7 years minimum for healthcare compliance
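To make the "cryptographic chain" property above concrete, here is an added example, not code from this project, of a hash-chained append-only audit log in Python. Each record commits to the hash of the previous record, so a verifier replaying the chain from a fixed genesis value detects any modified, deleted or reordered record, and detects silent truncation when it is also given an independently stored head hash. The GENESIS constant, the record field names and the sample events are assumptions for illustration.

```python
"""Hash-chained audit log (illustrative example, not the project's own code).

Each entry stores prev_hash and hash = SHA-256(prev_hash || canonical(record)),
so changing, dropping or reordering any earlier entry breaks verification of
every entry after it.
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed anchor value for the first record
RECORD_FIELDS = ("seq", "actor", "event", "details")


def canonical(record: dict) -> bytes:
    # Deterministic serialization: same record -> same bytes -> same hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the previous record."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, event: str, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor, "event": event, "details": details}
        entry = dict(record, prev_hash=prev, hash=link_hash(prev, record))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; store it where the log writer cannot alter it."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    With expected_head, a chain that is intact but shorter than the anchored head
    is reported as bad at index len(entries) (truncation).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: e[k] for k in RECORD_FIELDS}
        if e["seq"] != i or e["prev_hash"] != prev or link_hash(prev, record) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events mirroring the five categories tracked above (not real data)."""
    log = AuditLog()
    log.append("founder", "auth.login", ip="203.0.113.7", mfa="hardware_key", outcome="success")
    log.append("support-1", "authz.decision", resource="stripe.refund", action="refund",
               outcome="deny", reason="refund requires escalation")
    log.append("support-1", "pii.decrypt", tenant="clinic-demo-1", patient_ref="p-0042",
               purpose="ticket #17")
    log.append("founder", "config.change", key="clinic_staff_session_hours", old=12, new=8,
               reason="align with policy")
    log.append("founder", "secret.access", secret_name="META_WABA_TOKEN", runbook="/rotate-secret")
    return log


def tamper_cases(log: AuditLog) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Apply each tampering pattern to a copy of the log and report what verify() sees."""
    head = log.head()
    modified = copy.deepcopy(log.entries)
    modified[1]["details"]["outcome"] = "allow"        # flip a deny decision to allow
    deleted = copy.deepcopy(log.entries)
    del deleted[2]                                      # drop the PII access record
    swapped = copy.deepcopy(log.entries)
    swapped[3], swapped[4] = swapped[4], swapped[3]     # reorder two records
    truncated = copy.deepcopy(log.entries)[:4]          # silently drop the newest record
    return {
        "intact": verify(log.entries, head),
        "modified": verify(modified, head),
        "deleted": verify(deleted, head),
        "swapped": verify(swapped, head),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_cases(build_sample_log()).items():
        print(f"{name:22s} -> {result}")
```

Note the truncation case: a chain alone cannot tell a log that was legitimately short from one whose tail was deleted. The head hash therefore has to be anchored somewhere the log writer cannot rewrite (write-once storage, an external timestamping service, a periodic out-of-band publication), which matters most while a single super admin holds direct database access.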
Currently there is a single super admin (the founder). NO 2-person rule is active because there is only one person. Mitigation: ALL critical actions are audit-logged, break-glass trustees are designated, and automation crons reduce manual operations.
Multi-admin will be mandatory post-traction once engineer/support hires join. The 2-person rule is then activated for tier 4 changes (production data delete · secret rotation · vendor swap).
Does your security team need an RBAC deep-dive?
For Enterprise procurement · IAM architecture diagram · SSO/SAML integration plan · audit log sample · access review evidence available under Enterprise NDA.