Story 2.6: Data-Level Access Control
| Field | Value |
|---|---|
| Story Points | 13 |
| Sprint | Sprint 6-7 |
User Story
As a Teacher
I want to only see students from my assigned classes
So that I don't have access to other teachers' students
Data Scope Types
| Scope | Description |
|---|---|
| SELF | User's own data only |
| CHILDREN | Parent's children only |
| ASSIGNED_CLASSES | Teacher's assigned classes |
| DEPARTMENT | Department staff |
| ALL_SCHOOL | Everyone in school |
Implementation
- PostgreSQL Row-Level Security (RLS)
- Application-level filtering
- JWT claims contain data scope
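
A sketch of how the three items above can fit together for the ASSIGNED_CLASSES and ALL_SCHOOL scopes. This is an added example, not code from the project. The table, column and setting names (`students`, `class_assignments`, `app.user_id`, `app.data_scope`) are assumptions, and the application is assumed to verify the JWT signature before copying its claims into the database session.

```sql
-- Hypothetical schema: names are assumptions, not taken from the story.
CREATE TABLE students (
    id        bigint PRIMARY KEY,
    class_id  bigint NOT NULL,
    full_name text   NOT NULL
);
CREATE TABLE class_assignments (
    teacher_id bigint NOT NULL,
    class_id   bigint NOT NULL,
    PRIMARY KEY (teacher_id, class_id)
);

-- Constructed sample rows, loaded before RLS is switched on.
INSERT INTO students VALUES (1, 10, 'Student A'), (2, 20, 'Student B');
INSERT INTO class_assignments VALUES (501, 10);

ALTER TABLE students ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE students FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting is absent, and
-- NULLIF maps an empty value to NULL, so a session without claims matches
-- no rows (fail closed) instead of raising or matching everything.
CREATE POLICY students_by_scope ON students
    FOR SELECT
    USING (
        current_setting('app.data_scope', true) = 'ALL_SCHOOL'
        OR (
            current_setting('app.data_scope', true) = 'ASSIGNED_CLASSES'
            AND EXISTS (
                SELECT 1
                FROM class_assignments ca
                WHERE ca.class_id = students.class_id
                  AND ca.teacher_id =
                      NULLIF(current_setting('app.user_id', true), '')::bigint
            )
        )
    );

-- Per request: the application copies the verified JWT claims into
-- transaction-local settings (third argument true), then runs its queries.
BEGIN;
SELECT set_config('app.user_id', '501', true);
SELECT set_config('app.data_scope', 'ASSIGNED_CLASSES', true);
SELECT id, full_name FROM students;
COMMIT;
```

The application's database role must not be a superuser or have `BYPASSRLS`, since both skip row-level security entirely. Application-level filtering then acts as a second check on top of the policy rather than the only one.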