Merge remote-tracking branch 'origin/main' into feature/ui-for-adding-members-groups

docs/groups-architecture.md

@@ -4,7 +4,7 @@
 **Feature:** Groups Management  
 **Version:** 1.0  
 **Last Updated:** 2025-01-XX  
-**Status:** Architecture Design - Ready for Implementation
+**Status:** ✅ Implemented (authorization: see [roles-and-permissions-architecture.md](./roles-and-permissions-architecture.md))
 
 ---
 
@@ -427,15 +427,17 @@ lib/
 
 ## Authorization
 
+**Status:** ✅ Implemented. Group and MemberGroup resource policies and PermissionSets are in place. See [roles-and-permissions-architecture.md](./roles-and-permissions-architecture.md) for the full permission matrix and policy patterns.
+
 ### Permission Model (MVP)
 
-**Resource:** `groups`
+**Resource:** `Group` (and `MemberGroup`)
 
 **Actions:**
-- `read` - View groups (all users with member read permission)
-- `create` - Create groups (admin only)
-- `update` - Edit groups (admin only)
-- `destroy` - Delete groups (admin only)
+- `read` - View groups (all permission sets)
+- `create` - Create groups (normal_user and admin)
+- `update` - Edit groups (normal_user and admin)
+- `destroy` - Delete groups (normal_user and admin)
 
 **Scopes:**
 - `:all` - All groups (for all permission sets that have read access)
@@ -457,7 +459,7 @@ lib/
 **Own Data Permission Set:**
 - `read` action on `Group` resource with `:all` scope - granted
 
-**Note:** All permission sets use `:all` scope for groups. Groups are considered public information that all users with member read permission can view. Only admins can manage (create/update/destroy) groups.
+**Note:** All permission sets use `:all` scope for groups. Groups are considered public information that all users with member read permission can view. normal_user and admin can manage (create/update/destroy) groups.
 
 ### Member-Group Association Permissions