adminfront 및 백엔드: 전 메뉴 및 탭 수준 ReBAC 기반 접근 제어(Admin Control) 기능 추가 구현 완료

backend/internal/handler/auth_handler.go

@@ -4776,17 +4776,28 @@ func (h *AuthHandler) hydrateResolvedProfile(ctx context.Context, profile *domai
 
 		if profile.Role == "super_admin" {
 			sp = domain.SystemPermissions{
-				Overview:          true,
-				Tenants:           true,
-				OrgChart:          true,
-				Worksmobile:       true,
-				OrySSOT:           true,
-				DataIntegrity:     true,
-				Users:             true,
-				PermissionsDirect: true,
-				AuthGuard:         true,
-				ApiKeys:           true,
-				AuditLogs:         true,
+				Overview:                true,
+				Tenants:                 true,
+				OrgChart:                true,
+				Worksmobile:             true,
+				OrySSOT:                 true,
+				DataIntegrity:           true,
+				Users:                   true,
+				PermissionsDirect:       true,
+				AuthGuard:               true,
+				ApiKeys:                 true,
+				AuditLogs:               true,
+				ManageOverview:          true,
+				ManageTenants:           true,
+				ManageOrgChart:          true,
+				ManageWorksmobile:       true,
+				ManageOrySSOT:           true,
+				ManageDataIntegrity:     true,
+				ManageUsers:             true,
+				ManagePermissionsDirect: true,
+				ManageAuthGuard:         true,
+				ManageApiKeys:           true,
+				ManageAuditLogs:         true,
 			}
 		} else {
 			// Query Keto in parallel for maximum performance
@@ -4795,17 +4806,28 @@ func (h *AuthHandler) hydrateResolvedProfile(ctx context.Context, profile *domai
 				allowed bool
 			}
 			menus := map[string]string{
-				"overview":           "access_overview",
-				"tenants":            "access_tenants",
-				"org_chart":          "access_org_chart",
-				"worksmobile":        "access_worksmobile",
-				"ory_ssot":           "access_ory_ssot",
-				"data_integrity":     "access_data_integrity",
-				"users":              "access_users",
-				"permissions_direct": "access_permissions_direct",
-				"auth_guard":         "access_auth_guard",
-				"api_keys":           "access_api_keys",
-				"audit_logs":         "access_audit_logs",
+				"overview":                  "access_overview",
+				"manage_overview":           "manage_overview",
+				"tenants":                   "access_tenants",
+				"manage_tenants":            "manage_tenants",
+				"org_chart":                 "access_org_chart",
+				"manage_org_chart":          "manage_org_chart",
+				"worksmobile":               "access_worksmobile",
+				"manage_worksmobile":        "manage_worksmobile",
+				"ory_ssot":                  "access_ory_ssot",
+				"manage_ory_ssot":           "manage_ory_ssot",
+				"data_integrity":            "access_data_integrity",
+				"manage_data_integrity":     "manage_data_integrity",
+				"users":                     "access_users",
+				"manage_users":              "manage_users",
+				"permissions_direct":        "access_permissions_direct",
+				"manage_permissions_direct": "manage_permissions_direct",
+				"auth_guard":                "access_auth_guard",
+				"manage_auth_guard":         "manage_auth_guard",
+				"api_keys":                  "access_api_keys",
+				"manage_api_keys":           "manage_api_keys",
+				"audit_logs":                "access_audit_logs",
+				"manage_audit_logs":         "manage_audit_logs",
 			}
 			ch := make(chan checkResult, len(menus))
 			for m, rel := range menus {
@@ -4819,26 +4841,48 @@ func (h *AuthHandler) hydrateResolvedProfile(ctx context.Context, profile *domai
 				switch res.menu {
 				case "overview":
 					sp.Overview = res.allowed
+				case "manage_overview":
+					sp.ManageOverview = res.allowed
 				case "tenants":
 					sp.Tenants = res.allowed
+				case "manage_tenants":
+					sp.ManageTenants = res.allowed
 				case "org_chart":
 					sp.OrgChart = res.allowed
+				case "manage_org_chart":
+					sp.ManageOrgChart = res.allowed
 				case "worksmobile":
 					sp.Worksmobile = res.allowed
+				case "manage_worksmobile":
+					sp.ManageWorksmobile = res.allowed
 				case "ory_ssot":
 					sp.OrySSOT = res.allowed
+				case "manage_ory_ssot":
+					sp.ManageOrySSOT = res.allowed
 				case "data_integrity":
 					sp.DataIntegrity = res.allowed
+				case "manage_data_integrity":
+					sp.ManageDataIntegrity = res.allowed
 				case "users":
 					sp.Users = res.allowed
+				case "manage_users":
+					sp.ManageUsers = res.allowed
 				case "permissions_direct":
 					sp.PermissionsDirect = res.allowed
+				case "manage_permissions_direct":
+					sp.ManagePermissionsDirect = res.allowed
 				case "auth_guard":
 					sp.AuthGuard = res.allowed
+				case "manage_auth_guard":
+					sp.ManageAuthGuard = res.allowed
 				case "api_keys":
 					sp.ApiKeys = res.allowed
+				case "manage_api_keys":
+					sp.ManageApiKeys = res.allowed
 				case "audit_logs":
 					sp.AuditLogs = res.allowed
+				case "manage_audit_logs":
+					sp.ManageAuditLogs = res.allowed
 				}
 			}
 		}