# Intro

Roles will be split into two categories: **System Roles** and **Organization Roles**. System roles are global and apply to the entire system, while Organization roles are specific to individual Organizations.

## System Roles

System roles are global and apply to the entire system. They include:

- **System Super Admin**: Has full access to all system features and settings. Can manage users, projects, organizations and applications. (SI)
- **System Admin**: Has access to most system features and settings. Can manage users, organizations, and application authorizations by project. (BE)
- **System User**: Has limited access to system features and settings. Can view projects and applications, can manage their own information, and can manage the organizations where they are admin. (Others)

### System Super Admin

Gets access to the following resources with the following authorisations:

- **Users**: READ, CREATE, UPDATE, DELETE
- **Projects**: READ, CREATE, UPDATE, DELETE
- **Organizations**: READ, CREATE, UPDATE, DELETE
- **Applications**: READ, UPDATE

### System Admin

Gets access to the following resources with the following authorisations:

- **Users**: READ, CREATE, UPDATE, DELETE
- **Organizations**: READ, UPDATE
- **Applications**: READ

### System User

Gets access to the following resources with the following authorisations:

- **Users**: READ, UPDATE (own information only); READ, CREATE, UPDATE, DELETE (users of organizations where they are admin)
- **Projects**: READ (of organizations they are part of)
- **Organizations**: READ
- **Applications**: READ

## Organization Roles

Organization roles are specific to individual Organizations. They include:

- **Organization Admin**: Has full access to all organization features and settings. Can manage the users of the organization.
- **Organization User**: Has limited access to organization features and settings. Can view projects and applications, and can manage their own information.

# Set up

As for the SSO, we need to create the roles in the system. Create the following commands, then run them to create the roles.

```php
<?php

namespace App\Command;

use App\Entity\Roles;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;

#[AsCommand(
    name: 'app:create-role',
    description: 'Creates a new role in the database'
)]
class CreateRoleCommand extends Command
{
    private EntityManagerInterface $entityManager;

    public function __construct(EntityManagerInterface $entityManager)
    {
        parent::__construct();
        $this->entityManager = $entityManager;
    }

    protected function configure(): void
    {
        $this
            ->addArgument('name', InputArgument::REQUIRED, 'The name of the role'); // role name required
    }

    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        $roleName = trim($input->getArgument('name'));
        $roleName = strtoupper($roleName); // Normalize to uppercase

        // Ensure not empty
        if ($roleName === '') {
            $output->writeln('The role name cannot be empty');
            return Command::FAILURE;
        }

        // Check if role already exists
        $existing = $this->entityManager->getRepository(Roles::class)
            ->findOneBy(['name' => $roleName]);

        if ($existing) {
            $output->writeln("Role '{$roleName}' already exists.");
            return Command::SUCCESS; // not failure, just redundant
        }

        // Create and persist new role
        $role = new Roles();
        $role->setName($roleName);

        $this->entityManager->persist($role);
        $this->entityManager->flush();

        $output->writeln("Role '{$roleName}' created successfully!");
        return Command::SUCCESS;
    }
}
```

```php
<?php

namespace App\Command;

use App\Entity\Roles;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\ConfirmationQuestion;

#[AsCommand(
    name: 'app:delete-role',
    description: 'Deletes a role from the database'
)]
class DeleteRoleCommand extends Command
{
    private EntityManagerInterface $entityManager;

    public function __construct(EntityManagerInterface $entityManager)
    {
        parent::__construct();
        $this->entityManager = $entityManager;
    }

    protected function configure(): void
    {
        $this
            ->addArgument('name', InputArgument::REQUIRED, 'The name of the role to delete');
    }

    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        $roleName = trim($input->getArgument('name'));
        $roleName = strtoupper($roleName); // Normalize to uppercase

        if ($roleName === '') {
            $output->writeln('The role name cannot be empty');
            return Command::FAILURE;
        }

        // Find the role
        $role = $this->entityManager->getRepository(Roles::class)
            ->findOneBy(['name' => $roleName]);

        if (!$role) {
            $output->writeln("Role '{$roleName}' not found.");
            return Command::FAILURE;
        }

        // Check if role is being used (optional safety check):
        // refuse to delete a role that is still assigned in an organization
        $usageCount = $this->entityManager->getRepository(\App\Entity\UsersOrganizations::class)
            ->count(['role' => $role]);

        if ($usageCount > 0) {
            $output->writeln("Cannot delete role '{$roleName}' - it is assigned to {$usageCount} user(s).");
            $output->writeln('Remove all assignments first, then try again.');
            return Command::FAILURE;
        }

        // Confirmation prompt
        $helper = $this->getHelper('question');
        $question = new ConfirmationQuestion(
            "Are you sure you want to delete role '{$roleName}'? [y/N] ",
            false
        );

        if (!$helper->ask($input, $output, $question)) {
            $output->writeln('Operation cancelled.');
            return Command::SUCCESS;
        }

        // Delete the role
        $this->entityManager->remove($role);
        $this->entityManager->flush();

        $output->writeln("Role '{$roleName}' deleted successfully!");
        return Command::SUCCESS;
    }
}
```

```bash
php bin/console app:create-role USER
php bin/console app:create-role ADMIN
```
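Creating the role rows is only half of the set-up: the scoping in the matrix above ("own information only", "organization where they are admin") has to be enforced per request, not per role name. The following Symfony voter is an added example, not code from this project; it assumes a `User` entity with `getId()`, `getSystemRole()` (returning one of the system role names as stored by the command), `getOrganizations()` and `isAdminOf(Organization)`, and it encodes the **Users** row of the matrix with deny-by-default for everything the matrix does not grant.

```php
<?php
// Added example: a voter for the Users resource. Entity methods used here
// (getId, getSystemRole, getOrganizations, isAdminOf) are assumptions.
namespace App\Security\Voter;

use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class UserVoter extends Voter
{
    public const READ = 'USER_READ';
    public const UPDATE = 'USER_UPDATE';
    public const DELETE = 'USER_DELETE';

    // Assumed role names, matching what app:create-role stores (uppercase).
    private const FULL_ACCESS_ROLES = ['SYSTEM_SUPER_ADMIN', 'SYSTEM_ADMIN'];

    protected function supports(string $attribute, mixed $subject): bool
    {
        return in_array($attribute, [self::READ, self::UPDATE, self::DELETE], true)
            && $subject instanceof User;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $actor = $token->getUser();
        if (!$actor instanceof User) {
            return false; // anonymous or non-user principal: deny
        }
        /** @var User $target */
        $target = $subject;

        // System Super Admin / System Admin: READ, UPDATE, DELETE on any user.
        if (in_array($actor->getSystemRole(), self::FULL_ACCESS_ROLES, true)) {
            return true;
        }

        // System User, own record: READ and UPDATE only; the matrix grants no self-DELETE.
        if ($actor->getId() === $target->getId()) {
            return $attribute !== self::DELETE;
        }

        // System User acting as Organization Admin: full access to users of that organization.
        foreach ($target->getOrganizations() as $organization) {
            if ($actor->isAdminOf($organization)) {
                return true;
            }
        }
        return false; // everything else is denied
    }
}
```

Controllers then call `$this->denyAccessUnlessGranted(UserVoter::UPDATE, $user)` on the target record, so the organization scoping is checked against the actual subject rather than only the caller's role.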