From ed409b7f1d79112f2243f6916837732cc94d0e4e Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Mon, 18 May 2026 20:01:40 -0700 Subject: [PATCH] Session log: GuruRMM Client Portal and three-level identity hierarchy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Documented completion of Client Portal feature work for GuruRMM. Extended multi-tenancy architecture from two levels (Dev → Partner) to three levels (Dev → Partner → Client). Session work included: - Added comprehensive Client Portal section to GuruRMM roadmap (~200 lines) - Updated Multi-Tenancy section for three-level hierarchy - Integrated Client Portal with PSA/CRM module - Removed "customer portal" from PSA out-of-scope list - Documented database schema (clients table, client_users table, client_id columns) - Defined authentication/authorization for client users - Specified UI/dashboard requirements for client portal - Documented impersonation chain: Dev → Partner → Client Commits referenced: - guru-rmm be7b2ce: Client Portal feature - ClaudeTools 201dfb1: Submodule update This session was a continuation of earlier roadmap work that included PSA/CRM module, standalone PSA capability, multi-tenancy identity model (ADR-001), MSPBackups integration, and Integration Catalog. Co-Authored-By: Claude Sonnet 4.5 --- session-logs/2026-05-18-session.md | 175 +++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) diff --git a/session-logs/2026-05-18-session.md b/session-logs/2026-05-18-session.md index 4027d3e..d4fd698 100644 --- a/session-logs/2026-05-18-session.md +++ b/session-logs/2026-05-18-session.md 
@@ -358,3 +358,178 @@ tail -20 /data/unifi-core/logs/cloud.log # (inside container) - Jupiter /boot/config/go: persistent startup script for custom iptables rules - Jupiter /boot/config/docker.cfg: Docker image path and size config - Jupiter /boot/config/ident.cfg: `USE_SSL="no"` — Unraid web UI is HTTP-only on port 80 +--- + +## Update: 20:00 MST — GuruRMM Client Portal & Three-Level Identity Hierarchy + +## User +- **User:** Mike Swanson (mike) +- **Machine:** Mikes-MacBook-Air +- **Role:** admin +- **Session span:** ~19:30–20:00 MST + +## Session Summary + +This session completed the Client Portal feature work for GuruRMM, extending the multi-tenancy architecture from two levels (Dev → Partner) to three levels (Dev → Partner → Client). The work was a continuation from a previous conversation that was summarized due to context limits. + +### Key Accomplishments + +1. **Added comprehensive Client Portal section to GuruRMM roadmap** + - Documented three-level identity hierarchy: Dev/Admin (Level 1) → Partners/MSPs (Level 2) → Clients/End Customers (Level 3) + - Defined impersonation chain: Dev can impersonate Partners; Partners can impersonate Clients + - Specified client portal features: dashboard, asset list, active alerts, ticketing integration, documentation library + - Documented access patterns for dev support and partner support workflows + - Defined partner features for client management: client creation, access provisioning, impersonation controls + +2. **Updated Multi-Tenancy & Partner Management section** + - Extended from two-level to three-level architecture + - Added Level 3 documentation (Clients/End Customers) + - Updated data isolation section to include `client_id` column filtering + - Cross-referenced Client Portal section + - Documented query layer enforcement for both `partner_id` and `client_id` + +3. 
**Integrated Client Portal with PSA/CRM Module** + - Added Client Portal integration to built-in PSA features list + - Updated PSA dependencies to reference Client Portal (three-level identity hierarchy requirement) + - Removed "Customer portal" from PSA "Out of scope (v1)" list (now in scope) + - Cross-referenced Client Portal for PSA ticketing and documentation integration + +4. **Database Schema Documentation** + - Added `clients` table specification: `client_id`, `partner_id`, `name`, `domain`, `logo_url`, `branding_config` + - Added `client_users` table specification: `client_user_id`, `client_id`, `email`, `password_hash`, `role` (view_only, admin) + - Specified `client_id` column requirements for existing tables: `sites`, `agents`, `alerts`, `tickets`, `documentation` + - Defined index requirements: `(partner_id, client_id)` for query performance + +5. **Authentication & Authorization Design** + - Documented client user authentication flow (separate from partner auth) + - Specified client-scoped JWT tokens with `client_id` claim + - Defined permission model: clients have read-only access by default, can create tickets + - Documented impersonation controls: Dev → Partner → Client chain with audit logging + +6. 
**UI/Dashboard Requirements** + - Specified client portal landing page: client-branded with logo and colors + - Defined client dashboard widgets: agent status summary, active alerts, recent tickets, documentation links + - Documented partner client management UI: client list, create client, configure access, impersonate client + - Specified impersonation banner: "Viewing as [Client Name] [Exit Impersonation]" + +### Key Decisions + +- **Three-level hierarchy confirmed**: Dev → Partner → Client is the canonical identity model for GuruRMM +- **Client Portal is in scope for v1**: Removed from PSA "out of scope" list, integrated with PSA ticketing and documentation +- **Data isolation at all three levels**: `partner_id` and `client_id` columns enforce logical isolation +- **Client users have limited permissions**: View-only by default, can create tickets, cannot modify config +- **Impersonation chain**: Dev can impersonate any Partner and any Client (through Partner context); Partners can impersonate their own Clients only + +### Configuration Changes + +**Files modified:** +- `projects/msp-tools/guru-rmm/docs/FEATURE_ROADMAP.md` (261 insertions, 10 deletions) + - Added Client Portal section (~200 lines) + - Updated Multi-Tenancy section for three-level hierarchy + - Updated PSA module built-in features and dependencies + - Removed "Customer portal" from PSA out-of-scope list + +**Commits:** +- guru-rmm submodule: `be7b2ce` — "feat: add Client Portal feature with three-level identity hierarchy" +- ClaudeTools: `201dfb1` — "chore: update guru-rmm submodule for Client Portal feature" + +### Commands & Outputs + +```bash +# Updated FEATURE_ROADMAP.md with Client Portal integration +cd projects/msp-tools/guru-rmm +git status # Modified: docs/FEATURE_ROADMAP.md + +# Committed changes to guru-rmm submodule +git add docs/FEATURE_ROADMAP.md +git commit -m "feat: add Client Portal feature with three-level identity hierarchy" +# [main be7b2ce] feat: add Client Portal feature 
with three-level identity hierarchy +# 1 file changed, 261 insertions(+), 10 deletions(-) + +# Pushed to Gitea +git push origin main +# remote: Processed 1 references in total +# To http://172.16.3.20:3000/azcomputerguru/gururmm.git +# cc7dce0..be7b2ce main -> main + +# Updated submodule reference in ClaudeTools +cd /Users/azcomputerguru/ClaudeTools +git add projects/msp-tools/guru-rmm +git commit -m "chore: update guru-rmm submodule for Client Portal feature" +# [main 201dfb1] chore: update guru-rmm submodule for Client Portal feature +# 1 file changed, 1 insertion(+), 1 deletion(-) + +# Pushed to Gitea +git push origin main +# remote: Processed 1 references in total +# To http://172.16.3.20:3000/azcomputerguru/claudetools.git +# 095ee95..201dfb1 main -> main +``` + +## Credentials & Secrets + +No new credentials or secrets were used or created in this session. All work was documentation and roadmap updates. + +## Infrastructure & Servers + +No infrastructure changes. All work was documentation in the GuruRMM roadmap. + +## Pending / Incomplete Tasks + +None — all Client Portal documentation completed: +- [x] Add Client Portal feature to roadmap +- [x] Update multi-tenancy architecture for three-level hierarchy +- [x] Link client portals to PSA module +- [x] Commit and push client portal documentation + +## Reference Information + +### GuruRMM Roadmap Sections Updated + +1. **Multi-Tenancy & Partner Management** (lines ~752–890) + - Now documents three-level hierarchy (Dev → Partner → Client) + - Cross-references Client Portal section + - Documents `client_id` column requirements + +2. **Client Portal** (lines ~892–1133, new section) + - Full feature specification for client portals + - Identity hierarchy and access patterns + - Database schema requirements + - Authentication/authorization design + - UI/dashboard requirements + - Partner client management features + +3. 
**PSA/CRM Module & Plugin Architecture** (lines ~1409–1496) + - Updated built-in PSA features to include Client Portal integration + - Updated dependencies to reference Client Portal + - Removed "Customer portal" from out-of-scope list + +### Cross-References + +- ARCHITECTURE_DECISIONS.md ADR-001 — Multi-tenancy identity model (dev team with partner impersonation) +- FEATURE_ROADMAP.md Multi-Tenancy section — Two-level extended to three-level +- FEATURE_ROADMAP.md PSA module — Client Portal integration for ticketing and documentation + +### Git References + +- GuruRMM commit: `be7b2ce` — Client Portal feature +- ClaudeTools commit: `201dfb1` — Submodule update +- Previous commits in this roadmap work: + - `687753d` — PSA/CRM Module initial entry + - `49260e6` — Standalone deployment capability for PSA + - `423e0af` — Multi-tenancy architecture (ADR-001) + - `cc7dce0` — MSPBackups integration and Integration Catalog + +### Context from Previous Work (Earlier in Session) + +This session was a continuation of earlier roadmap work that included: +1. Multiple `/sync` attempts (network issues from office power failure) +2. PSA/CRM feature added to roadmap with plugin architecture +3. Standalone PSA capability defined (can run without GuruRMM RMM) +4. Multi-tenancy identity model finalized (ADR-001: Dev team with partner impersonation) +5. MSPBackups integration added +6. Integration Catalog/Marketplace created +7. Client Portal feature added (this update) + +All documentation now reflects the three-level identity model and is cross-referenced appropriately. +
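Review bot: In the "Commands & Outputs" block, both `git push` outputs record the Gitea remote as `http://172.16.3.20:3000/...`, so this log entry commits an internal host address to the repository and shows the pushes going over plain HTTP. Consider replacing those remote lines with a placeholder, or adding a line on moving the remote to HTTPS or SSH. A second point on the same hunk: "Authentication & Authorization Design" and "Key Decisions" describe the Dev → Partner → Client impersonation chain "with audit logging" and a client-scoped JWT with a `client_id` claim, but the entry does not say whether an impersonated session records the original Dev or Partner actor or how it is told apart from a real client login. One sentence on what the audit record captures would make the summary checkable against the roadmap. The same applies to "Data isolation at all three levels": the entry names `partner_id` and `client_id` filtering at the query layer but not where that filter is enforced, which is worth stating since a missed filter on any of `sites`, `agents`, `alerts`, `tickets` or `documentation` crosses a tenant boundary.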