namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
/// <summary>
/// Admin UI roles per admin-ui.md §"Admin Roles" and Phase 6.2 Stream A.
/// These govern Admin UI capabilities (cluster CRUD, draft → publish, fleet-wide admin
/// actions) — they do NOT govern OPC UA data-path authorization, which reads
/// joined against LDAP group memberships directly.
/// </summary>
/// <remarks>
/// <para>
/// Per docs/v2/plan.md decision #150 the two concerns share zero runtime code path:
/// the control plane (Admin UI) consumes ; the
/// data plane consumes rows directly. Having them in one
/// table would collapse the distinction and let a user inherit tag permissions via their
/// admin-role claim path.
/// </para>
/// <para>
/// Task 1.7 standardized the member names on the canonical control-plane role vocabulary
/// (ZB.MOM.WW.Auth CanonicalRole): ConfigViewer → Viewer,
/// ConfigEditor → Designer, FleetAdmin → Administrator. The appsettings-only
/// DriverOperator string role likewise became Operator. These members persist
/// as their string names (EF HasConversion&lt;string&gt;); the rename is paired with
/// a data migration (CanonicalizeAdminRoles) that rewrites existing rows. This is a
/// rename, not a permission change — enforcement semantics are preserved.
/// </para>
/// </remarks>
public enum AdminRole
{
    /// <summary>Read-only Admin UI access — can view cluster state, drafts, publish history. (Canonical: Viewer; was ConfigViewer.)</summary>
    Viewer,

    /// <summary>Can author drafts and submit for publish. (Canonical: Designer; was ConfigEditor.)</summary>
    Designer,

    /// <summary>Full Admin UI privileges including publish and fleet-admin actions. (Canonical: Administrator; was FleetAdmin.)</summary>
    Administrator,
}