Why This Model Exists
Payroll collaboration has real security impact. A role model that is easy to read, test, and audit is safer than a model built from scattered one-off checks.
The Organization <-> Member structure gives every actor an explicit relationship to an organization with policy-aware status, role, and scope behavior.
Organization <-> Member Relationship Changes
- Membership is represented as an explicit relationship rather than an implicit UI state.
- Access-request, invite, approval, activation, and revocation lifecycle states are enforced by backend policy.
- Organization panels and notifications now reflect relationship transitions and role outcomes more consistently.
- Shared organization behavior is governed by membership state before privileged actions are processed.
Role Changes and Current Role Philosophy
Roles are capability-driven, with scope restrictions applied per operation. The current baseline:
- owner: sovereign control including ownership transfer and high-trust governance actions.
- manager: day-to-day operational control without ownership transfer authority.
- contributor: trusted operator with write authority constrained by assigned scope.
- member: limited self-service participation with restricted mutation rights.
- viewer: read-only visibility without write permissions.
We favor explicit capability and scope composition over overloaded role flags. This keeps role outcomes easier to test and reason about.
Security and Encryption Philosophy
Organization collaboration intersects with encryption and consent controls. Membership and role checks gate shared organization envelope behavior so sensitive operations remain policy-bound.
- Membership and consent state are validated before organization-shared secure operations proceed.
- Role changes and membership transitions are treated as security-relevant events, not only UX events.
- Access denial paths are expected behavior under policy mismatch and are surfaced for auditability.
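The role baseline and the membership gating described above can be sketched as a single backend policy function. This is an added example, not the project's own code. The capability names, the status values, the `Membership` shape and the `AUDIT_LOG` list are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed capability names; the page lists the roles but not their capabilities.
ROLE_CAPS = {
    "owner": {"org.read", "payroll.write", "member.manage", "ownership.transfer"},
    "manager": {"org.read", "payroll.write", "member.manage"},
    "contributor": {"org.read", "payroll.write"},
    "member": {"org.read", "profile.write"},
    "viewer": {"org.read"},
}
SCOPED_ROLES = {"contributor"}  # roles whose writes are limited to assigned scope
AUDIT_LOG = []  # stand-in for a real audit sink (assumption)


@dataclass(frozen=True)
class Membership:
    actor: str
    org: str
    status: str  # assumed states: requested, invited, approved, active, revoked
    role: str
    scopes: frozenset = frozenset()


def authorize(m, org, capability, scope=None):
    """Return (allowed, reason); every decision, allow or deny, is audited."""
    if m.org != org:
        decision = (False, "wrong_org")
    elif m.status != "active":
        # Membership state is checked before any role or capability lookup.
        decision = (False, "membership_" + m.status)
    elif capability not in ROLE_CAPS.get(m.role, set()):
        # Unknown roles resolve to an empty capability set and are denied.
        decision = (False, "missing_capability")
    elif (m.role in SCOPED_ROLES and capability.endswith(".write")
          and scope not in m.scopes):
        # A missing scope fails closed for scoped roles.
        decision = (False, "out_of_scope")
    else:
        decision = (True, "ok")
    AUDIT_LOG.append({"actor": m.actor, "org": org, "capability": capability,
                      "scope": scope, "allowed": decision[0],
                      "reason": decision[1]})
    return decision
```

A revoked owner is denied with `membership_revoked` before the role is consulted, and the denial lands in the audit log with its reason, so a policy mismatch is reviewable rather than silent.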
Operational Philosophy Going Forward
- Single policy source: role and scope decisions should originate from shared backend policy maps.
- UI as projection: interfaces should display policy outcomes rather than duplicate authorization logic.
- Traceable transitions: approvals, role changes, and revocations should remain observable and reviewable.
- Release transparency: behavior changes in membership and roles are documented in changelogs and transparency pages.