Access Control

Entity	Purpose	Managed by
user	Account, profile, and login session — the identity layer (passwords externalized)	Sysadmin / Security Officer
application-role	BU-scoped named role + role-permission and user-role joins	Sysadmin
permission	Atomic `(resource, action)` permission catalogue	Sysadmin (seed-managed)
business-unit-user	Per-BU access membership + email-invitation staging	Sysadmin / BU Admin
department-user	User↔department membership + Head of Department (HOD) designation for approval routing	Sysadmin / Product Admin
user-location	Tenant-side per-user location scope	Sysadmin / BU Admin

¶ Access Control