feat: ORV2-1887 Configure HQADMIN and FINANCE user groups in onRouteBC (

#1112) Co-authored-by: John Fletcher <[email protected]> Co-authored-by: Krishnan Subramanian <[email protected]>
bcgov · Jan 24, 2024 · d95fed6 · d95fed6
1 parent 7d2a67a
commit d95fed6
Show file tree

Hide file tree

Showing 17 changed files with 213 additions and 28 deletions.
diff --git a/database/mssql/scripts/versions/revert/v_13_ddl_revert.sql b/database/mssql/scripts/versions/revert/v_13_ddl_revert.sql
@@ -0,0 +1,34 @@
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET NOCOUNT ON
+GO
+
+DELETE FROM [access].[ORBC_GROUP_ROLE] WHERE USER_AUTH_GROUP_TYPE IN ('HQADMIN', 'FINANCE')
+GO
+UPDATE [dbo].[ORBC_IDIR_USER]
+SET USER_AUTH_GROUP_TYPE = 'IDIRBASIC'
+WHERE USER_AUTH_GROUP_TYPE IN ('HQADMIN', 'FINANCE')
+GO
+UPDATE [dbo].[ORBC_PENDING_IDIR_USER]
+SET USER_AUTH_GROUP_TYPE = 'IDIRBASIC'
+WHERE USER_AUTH_GROUP_TYPE IN ('HQADMIN', 'FINANCE')
+GO
+DELETE FROM [access].[ORBC_ROLE_TYPE] WHERE ROLE_TYPE IN (
+  'ORBC-READ-SPECIAL-AUTH',
+  'ORBC-READ-NOFEE',
+  'ORBC-WRITE-NOFEE',
+  'ORBC-READ-LCV-FLAG',
+  'ORBC-WRITE-LCV-FLAG',
+  'ORBC-READ-LOA',
+  'ORBC-WRITE-LOA'
+)
+GO
+DELETE FROM [access].[ORBC_USER_AUTH_GROUP_TYPE] WHERE USER_AUTH_GROUP_TYPE IN ('HQADMIN', 'FINANCE')
+GO
+
+DECLARE @VersionDescription VARCHAR(255)
+SET @VersionDescription = 'Removing auth groups HQADMIN and FINANCE'
+
+INSERT [dbo].[ORBC_SYS_VERSION] ([VERSION_ID], [DESCRIPTION], [RELEASE_DATE]) VALUES (12, @VersionDescription, getutcdate())
diff --git a/database/mssql/scripts/versions/v_13_ddl.sql b/database/mssql/scripts/versions/v_13_ddl.sql
@@ -0,0 +1,60 @@
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET NOCOUNT ON
+GO
+
+-- Add new auth groups
+INSERT [access].[ORBC_USER_AUTH_GROUP_TYPE] ([USER_AUTH_GROUP_TYPE], [DISPLAY_NAME], [DESCRIPTION], [STAFF_FLAG], [CONCURRENCY_CONTROL_NUMBER], [DB_CREATE_USERID], [DB_CREATE_TIMESTAMP], [DB_LAST_UPDATE_USERID], [DB_LAST_UPDATE_TIMESTAMP]) VALUES (N'HQADMIN', N'MOTI HQ Administrator', N'MOTI HQ administrator not part of the permit centre', 1, NULL, N'dbo', GETUTCDATE(), N'dbo', GETUTCDATE())
+INSERT [access].[ORBC_USER_AUTH_GROUP_TYPE] ([USER_AUTH_GROUP_TYPE], [DISPLAY_NAME], [DESCRIPTION], [STAFF_FLAG], [CONCURRENCY_CONTROL_NUMBER], [DB_CREATE_USERID], [DB_CREATE_TIMESTAMP], [DB_LAST_UPDATE_USERID], [DB_LAST_UPDATE_TIMESTAMP]) VALUES (N'FINANCE', N'Finance Staff', N'Finance team at the permit centre', 1, NULL, N'dbo', GETUTCDATE(), N'dbo', GETUTCDATE())
+GO
+
+-- Add new auth roles
+INSERT [access].[ORBC_ROLE_TYPE] ([ROLE_TYPE], [ROLE_DESCRIPTION]) VALUES (N'ORBC-READ-SPECIAL-AUTH', NULL)
+INSERT [access].[ORBC_ROLE_TYPE] ([ROLE_TYPE], [ROLE_DESCRIPTION]) VALUES (N'ORBC-READ-NOFEE', NULL)
+INSERT [access].[ORBC_ROLE_TYPE] ([ROLE_TYPE], [ROLE_DESCRIPTION]) VALUES (N'ORBC-WRITE-NOFEE', NULL)
+INSERT [access].[ORBC_ROLE_TYPE] ([ROLE_TYPE], [ROLE_DESCRIPTION]) VALUES (N'ORBC-READ-LCV-FLAG', NULL)
+INSERT [access].[ORBC_ROLE_TYPE] ([ROLE_TYPE], [ROLE_DESCRIPTION]) VALUES (N'ORBC-WRITE-LCV-FLAG', NULL)
+INSERT [access].[ORBC_ROLE_TYPE] ([ROLE_TYPE], [ROLE_DESCRIPTION]) VALUES (N'ORBC-READ-LOA', NULL)
+INSERT [access].[ORBC_ROLE_TYPE] ([ROLE_TYPE], [ROLE_DESCRIPTION]) VALUES (N'ORBC-WRITE-LOA', NULL)
+GO
+
+-- Assign auth roles to new auth groups
+-- HQADMIN roles
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-SELF')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-ORG')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-SPECIAL-AUTH')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-NOFEE')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-WRITE-NOFEE')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-LCV-FLAG')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-WRITE-LCV-FLAG')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-LOA')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-WRITE-LOA')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-GENERATE-REPORT')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-GENERATE-TRANSACTION-REPORT')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-GENERATE-TRANSACTION-REPORT-ALL')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-BILLING')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-STAFF')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'HQADMIN', N'ORBC-READ-USER')
+-- FINANCE roles
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-SELF')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-ORG')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-SPECIAL-AUTH')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-NOFEE')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-WRITE-NOFEE')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-PERMIT')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-GENERATE-REPORT')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-GENERATE-TRANSACTION-REPORT')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-GENERATE-TRANSACTION-REPORT-ALL')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-BILLING')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-PAYMENT')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-STAFF')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-USER')
+INSERT [access].[ORBC_GROUP_ROLE] ([USER_AUTH_GROUP_TYPE], [ROLE_TYPE]) VALUES (N'FINANCE', N'ORBC-READ-DOCUMENT')
+GO
+
+DECLARE @VersionDescription VARCHAR(255)
+SET @VersionDescription = 'Include auth groups HQADMIN and FINANCE'
+
+INSERT [dbo].[ORBC_SYS_VERSION] ([VERSION_ID], [DESCRIPTION], [UPDATE_SCRIPT], [REVERT_SCRIPT], [RELEASE_DATE]) VALUES (13, @VersionDescription, '$(UPDATE_SCRIPT)', '$(REVERT_SCRIPT)', getutcdate())
diff --git a/database/mssql/test/test-runner.sh b/database/mssql/test/test-runner.sh
@@ -48,12 +48,6 @@ while test -f "${SCRIPT_DIR}/versions/revert/v_${nextver}_ddl_revert.sql"; do
     #echo "Next migration file to check: ${SCRIPT_DIR}/versions/v_${nextver}_ddl.sql"
 done
 
-echo "Testing the full migrate db schema script..."
-migrate_db_current ${MSSQL_SA_USER} "${MSSQL_SA_PASSWORD}" "${MSSQL_HOST}" ${UNIT_TEST_DB_NAME}
-
-echo "Testing the full revert db schema script..."
-revert_db_complete ${MSSQL_SA_USER} "${MSSQL_SA_PASSWORD}" "${MSSQL_HOST}" ${UNIT_TEST_DB_NAME}
-
 echo "Testing the full reset script (including sample data)..."
 migrate_db_current ${MSSQL_SA_USER} "${MSSQL_SA_PASSWORD}" "${MSSQL_HOST}" ${UNIT_TEST_DB_NAME}
 export TEST_MOTI_USER=${MSSQL_SA_USER}

diff --git a/database/mssql/test/versions/v_12_test.sh b/database/mssql/test/versions/v_12_test.sh
@@ -35,3 +35,5 @@ if [[ $TEST_12_4_RESULT -eq 1 ]]; then
 else
     echo "******** Test 12.4 failed: Previous revisions not being marked SUPERSEDED"
 fi
+
+/opt/mssql-tools/bin/sqlcmd -U ${USER} -P "${PASS}" -S ${SERVER} -v DB_NAME=${DATABASE} -h -1 -i ${TESTS_DIR}/v_12_test_cleanup.sql
diff --git a/database/mssql/test/versions/v_12_test_cleanup.sql b/database/mssql/test/versions/v_12_test_cleanup.sql
@@ -0,0 +1,9 @@
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET NOCOUNT ON
+GO
+DELETE FROM $(DB_NAME).tps.ORBC_TPS_MIGRATED_PERMITS
+DELETE FROM $(DB_NAME).permit.ORBC_PERMIT_DATA
+DELETE FROM $(DB_NAME).permit.ORBC_PERMIT
diff --git a/database/mssql/test/versions/v_13_1_test.sql b/database/mssql/test/versions/v_13_1_test.sql
@@ -0,0 +1,5 @@
+-- Test that the auth groups have been inserted correctly
+SET NOCOUNT ON
+
+SELECT COUNT(*) FROM $(DB_NAME).[access].[ORBC_USER_AUTH_GROUP_TYPE] 
+WHERE USER_AUTH_GROUP_TYPE IN ('HQADMIN', 'FINANCE')
diff --git a/database/mssql/test/versions/v_13_2_test.sql b/database/mssql/test/versions/v_13_2_test.sql
@@ -0,0 +1,13 @@
+-- Test that the auth roles have been inserted correctly
+SET NOCOUNT ON
+
+SELECT COUNT(*) FROM $(DB_NAME).[access].[ORBC_ROLE_TYPE] 
+WHERE ROLE_TYPE IN (
+  'ORBC-READ-SPECIAL-AUTH',
+  'ORBC-READ-NOFEE',
+  'ORBC-WRITE-NOFEE',
+  'ORBC-READ-LCV-FLAG',
+  'ORBC-WRITE-LCV-FLAG',
+  'ORBC-READ-LOA',
+  'ORBC-WRITE-LOA'
+)
diff --git a/database/mssql/test/versions/v_13_3_test.sql b/database/mssql/test/versions/v_13_3_test.sql
@@ -0,0 +1,5 @@
+-- Test that the auth groups have been inserted correctly
+SET NOCOUNT ON
+
+SELECT COUNT(*) FROM $(DB_NAME).[access].[ORBC_GROUP_ROLE] 
+WHERE USER_AUTH_GROUP_TYPE IN ('HQADMIN', 'FINANCE')
diff --git a/database/mssql/test/versions/v_13_test.sh b/database/mssql/test/versions/v_13_test.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Retrieve arguments
+source ${SCRIPT_DIR}/utility/getopt.sh
+USAGE="-u USER -p PASS -s SERVER -d DATABASE"
+parse_options "${USAGE}" ${@}
+
+# All database tests for database version 13 are run from this shell script.
+# TESTS_DIR variable set by the calling test-runner script.
+
+TEST_13_1_RESULT=$(/opt/mssql-tools/bin/sqlcmd -U ${USER} -P "${PASS}" -S ${SERVER} -v DB_NAME=${DATABASE} -h -1 -i ${TESTS_DIR}/v_13_1_test.sql | xargs)
+if [[ $TEST_13_1_RESULT -eq 2 ]]; then
+    echo "Test 13.1 passed: User auth groups inserted correctly"
+else
+    echo "******** Test 13.1 failed: User auth groups not inserted correctly"
+fi
+
+TEST_13_2_RESULT=$(/opt/mssql-tools/bin/sqlcmd -U ${USER} -P "${PASS}" -S ${SERVER} -v DB_NAME=${DATABASE} -h -1 -i ${TESTS_DIR}/v_13_2_test.sql | xargs)
+if [[ $TEST_13_2_RESULT -eq 7 ]]; then
+    echo "Test 13.2 passed: User auth roles inserted correctly"
+else
+    echo "******** Test 13.2 failed: User auth roles not inserted correctly"
+fi
+
+TEST_13_3_RESULT=$(/opt/mssql-tools/bin/sqlcmd -U ${USER} -P "${PASS}" -S ${SERVER} -v DB_NAME=${DATABASE} -h -1 -i ${TESTS_DIR}/v_13_3_test.sql | xargs)
+if [[ $TEST_13_3_RESULT -eq 25 ]]; then
+    echo "Test 13.3 passed: Correct number of role mappings inserted"
+else
+    echo "******** Test 13.3 failed: Incorrect number of role mappings inserted"
+fi
diff --git a/dops/src/enum/roles.enum.ts b/dops/src/enum/roles.enum.ts
@@ -38,4 +38,11 @@ export enum Role {
   GENERATE_TRANSACTION_REPORT_ALL = 'ORBC-GENERATE-TRANSACTION-REPORT-ALL',
   GENERATE_TRANSACTION_REPORT_SELF = 'ORBC-GENERATE-TRANSACTION-REPORT-SELF',
   GENERATE_TRANSACTION_REPORT = 'ORBC-GENERATE-TRANSACTION-REPORT',
+  READ_SPECIAL_AUTH = 'ORBC-READ-SPECIAL-AUTH',
+  READ_NOFEE = 'ORBC-READ-NOFEE',
+  WRITE_NOFEE = 'ORBC-WRITE-NOFEE',
+  READ_LCV_FLAG = 'ORBC-READ-LCV-FLAG',
+  WRITE_LCV_FLAG = 'ORBC-WRITE-LCV-FLAG',
+  READ_LOA = 'ORBC-READ-LOA',
+  WRITE_LOA = 'ORBC-WRITE-LOA',
 }
diff --git a/dops/src/enum/user-auth-group.enum.ts b/dops/src/enum/user-auth-group.enum.ts
@@ -7,4 +7,6 @@ export enum UserAuthGroup {
   PUBLIC_VERIFIED = 'PUBLIC',
   SYSTEM_ADMINISTRATOR = 'SYSADMIN',
   ENFORCEMENT_OFFICER = 'EOFFICER',
+  HQ_ADMINISTRATOR = 'HQADMIN',
+  FINANCE = 'FINANCE',
 }
diff --git a/frontend/src/common/authentication/auth-walls/IDIRAuthWall.tsx b/frontend/src/common/authentication/auth-walls/IDIRAuthWall.tsx
@@ -5,8 +5,8 @@ import { Navigate, Outlet, useLocation, useNavigate } from "react-router-dom";
 import { LoadIDIRUserContext } from "../LoadIDIRUserContext";
 import { LoadIDIRUserRoles } from "../LoadIDIRUserRoles";
 import OnRouteBCContext from "../OnRouteBCContext";
-import { IDIRUserAuthGroupType, UserRolesType } from "../types";
-import { DoesUserHaveAuthGroup, DoesUserHaveRole } from "../util";
+import { IDIRUserAuthGroupType } from "../types";
+import { DoesUserHaveAuthGroup } from "../util";
 import { Loading } from "../../pages/Loading";
 import { IDPS } from "../../types/idp";
 import { ERROR_ROUTES, HOME } from "../../../routes/constants";
@@ -19,10 +19,8 @@ const isIDIR = (identityProvider: string) => identityProvider === IDPS.IDIR;
  *
  */
 export const IDIRAuthWall = ({
-  requiredRole,
   allowedAuthGroups,
 }: {
-  requiredRole?: UserRolesType;
   /**
    * The collection of auth groups allowed to have access to a page or action.
    * IDIR System Admin is assumed to be allowed regardless of it being passed.
@@ -89,7 +87,7 @@ export const IDIRAuthWall = ({
       DoesUserHaveAuthGroup<IDIRUserAuthGroupType>({
         userAuthGroup: idirUserDetails?.userAuthGroup,
         allowedAuthGroups,
-      }) && DoesUserHaveRole(userRoles, requiredRole);
+      });
 
     if (doesUserHaveAccess) {
       return <Outlet />;

diff --git a/frontend/src/common/authentication/types.ts b/frontend/src/common/authentication/types.ts
@@ -108,6 +108,13 @@ export const ROLES = {
   GENERATE_TRANSACTION_REPORT_ALL: "ORBC-GENERATE-TRANSACTION-REPORT-ALL",
   GENERATE_TRANSACTION_REPORT_SELF: "ORBC-GENERATE-TRANSACTION-REPORT-SELF",
   GENERATE_TRANSACTION_REPORT: "ORBC-GENERATE-TRANSACTION-REPORT",
+  READ_SPECIAL_AUTH: "ORBC-READ-SPECIAL-AUTH",
+  READ_NOFEE: "ORBC-READ-NOFEE",
+  WRITE_NOFEE: "ORBC-WRITE-NOFEE",
+  READ_LCV_FLAG: "ORBC-READ-LCV-FLAG",
+  WRITE_LCV_FLAG: "ORBC-WRITE-LCV-FLAG",
+  READ_LOA: "ORBC-READ-LOA",
+  WRITE_LOA: "ORBC-WRITE-LOA",
 } as const;
 
 /**
@@ -126,6 +133,8 @@ export const USER_AUTH_GROUP = {
   PPC_CLERK: "PPCCLERK",
   SYSTEM_ADMINISTRATOR: "SYSADMIN",
   ENFORCEMENT_OFFICER: "EOFFICER",
+  HQ_ADMINISTRATOR: "HQADMIN",
+  FINANCE: "FINANCE",
 } as const;
 
 /**
@@ -155,6 +164,8 @@ export const IDIR_USER_AUTH_GROUP = {
   PPC_CLERK: "PPCCLERK",
   SYSTEM_ADMINISTRATOR: "SYSADMIN",
   ENFORCEMENT_OFFICER: "EOFFICER",
+  HQ_ADMINISTRATOR: "HQADMIN",
+  FINANCE: "FINANCE",
 } as const;
 
 /**

diff --git a/frontend/src/features/idir/reporting/forms/PaymentAndRefundDetail.tsx b/frontend/src/features/idir/reporting/forms/PaymentAndRefundDetail.tsx
@@ -36,9 +36,11 @@ import { UserSelect } from "./subcomponents/UserSelect";
 export const PaymentAndRefundDetail = () => {
   const { idirUserDetails } = useContext(OnRouteBCContext);
   const { user: idirUserFromAuthContext } = useAuth();
-  const isSysAdmin =
+  const canSelectPermitIssuers =
     idirUserDetails?.userAuthGroup ===
-    IDIR_USER_AUTH_GROUP.SYSTEM_ADMINISTRATOR;
+      IDIR_USER_AUTH_GROUP.SYSTEM_ADMINISTRATOR ||
+    idirUserDetails?.userAuthGroup === IDIR_USER_AUTH_GROUP.HQ_ADMINISTRATOR ||
+    idirUserDetails?.userAuthGroup === IDIR_USER_AUTH_GROUP.FINANCE;
   // GET the permit types.
   const permitTypesQuery = usePermitTypesQuery();
   const { setSnackBar } = useContext(SnackBarContext);
@@ -67,7 +69,7 @@ export const PaymentAndRefundDetail = () => {
     },
     keepPreviousData: true,
     // Only query the permit issuers when the user is sysadmin.
-    enabled: isSysAdmin,
+    enabled: canSelectPermitIssuers,
     staleTime: ONE_HOUR,
     retry: false,
     refetchOnWindowFocus: false, // prevents unnecessary queries
@@ -90,7 +92,7 @@ export const PaymentAndRefundDetail = () => {
       permitType: Object.keys(permitTypes ?? []),
       // permitIssuers is a <userName, userGUID> record.
       // So, Object.values is what we need.
-      users: isSysAdmin
+      users: canSelectPermitIssuers
         ? Object.values(permitIssuers ?? {})
         : // If user is not a sys admin, only their own guid is populated.
           [idirUserFromAuthContext?.profile?.idir_user_guid as string],
@@ -237,7 +239,7 @@ export const PaymentAndRefundDetail = () => {
               <Stack>
                 <PaymentMethodSelect />
               </Stack>
-              {isSysAdmin && (
+              {canSelectPermitIssuers && (
                 <Stack direction="row">
                   <UserSelect
                     permitIssuers={permitIssuers}

diff --git a/frontend/src/routes/Routes.tsx b/frontend/src/routes/Routes.tsx
@@ -77,10 +77,11 @@ export const AppRoutes = () => {
       <Route
         element={
           <IDIRAuthWall
-            requiredRole={ROLES.STAFF}
             allowedAuthGroups={[
               IDIR_USER_AUTH_GROUP.ENFORCEMENT_OFFICER,
               IDIR_USER_AUTH_GROUP.PPC_CLERK,
+              IDIR_USER_AUTH_GROUP.FINANCE,
+              IDIR_USER_AUTH_GROUP.HQ_ADMINISTRATOR,
             ]}
           />
         }
@@ -98,7 +99,6 @@ export const AppRoutes = () => {
       <Route
         element={
           <IDIRAuthWall
-            requiredRole={ROLES.STAFF}
             allowedAuthGroups={[IDIR_USER_AUTH_GROUP.PPC_CLERK]}
           />
         }
@@ -114,7 +114,17 @@ export const AppRoutes = () => {
       </Route>
 
       {/* IDIR System Admin Routes */}
-      <Route element={<IDIRAuthWall requiredRole={ROLES.STAFF_ADMIN} />}>
+      <Route
+        element={
+          <IDIRAuthWall
+            allowedAuthGroups={[
+              IDIR_USER_AUTH_GROUP.PPC_CLERK,
+              IDIR_USER_AUTH_GROUP.FINANCE,
+              IDIR_USER_AUTH_GROUP.HQ_ADMINISTRATOR,
+            ]}
+          />
+        }
+      >
         {/* Only IDIR System Admins can access the reports page */}
         <Route
           path={routes.IDIR_ROUTES.REPORTS}
@@ -138,25 +148,19 @@ export const AppRoutes = () => {
           <Route
             path={`${routes.VEHICLES_ROUTES.TRAILER_DETAILS}/:vehicleId`}
             element={
-              <EditVehicleDashboard
-                editVehicleMode={VEHICLE_TYPES.TRAILER}
-              />
+              <EditVehicleDashboard editVehicleMode={VEHICLE_TYPES.TRAILER} />
             }
           />
           <Route
             path={routes.VEHICLES_ROUTES.ADD_POWER_UNIT}
             element={
-              <AddVehicleDashboard
-                addVehicleMode={VEHICLE_TYPES.POWER_UNIT}
-              />
+              <AddVehicleDashboard addVehicleMode={VEHICLE_TYPES.POWER_UNIT} />
             }
           />
           <Route
             path={routes.VEHICLES_ROUTES.ADD_TRAILER}
             element={
-              <AddVehicleDashboard
-                addVehicleMode={VEHICLE_TYPES.TRAILER}
-              />
+              <AddVehicleDashboard addVehicleMode={VEHICLE_TYPES.TRAILER} />
             }
           />
         </Route>

diff --git a/vehicles/src/common/enum/roles.enum.ts b/vehicles/src/common/enum/roles.enum.ts
@@ -38,4 +38,11 @@ export enum Role {
   GENERATE_TRANSACTION_REPORT_ALL = 'ORBC-GENERATE-TRANSACTION-REPORT-ALL',
   GENERATE_TRANSACTION_REPORT_SELF = 'ORBC-GENERATE-TRANSACTION-REPORT-SELF',
   GENERATE_TRANSACTION_REPORT = 'ORBC-GENERATE-TRANSACTION-REPORT',
+  READ_SPECIAL_AUTH = 'ORBC-READ-SPECIAL-AUTH',
+  READ_NOFEE = 'ORBC-READ-NOFEE',
+  WRITE_NOFEE = 'ORBC-WRITE-NOFEE',
+  READ_LCV_FLAG = 'ORBC-READ-LCV-FLAG',
+  WRITE_LCV_FLAG = 'ORBC-WRITE-LCV-FLAG',
+  READ_LOA = 'ORBC-READ-LOA',
+  WRITE_LOA = 'ORBC-WRITE-LOA',
 }
diff --git a/vehicles/src/common/enum/user-auth-group.enum.ts b/vehicles/src/common/enum/user-auth-group.enum.ts
@@ -7,4 +7,6 @@ export enum UserAuthGroup {
   PUBLIC_VERIFIED = 'PUBLIC',
   SYSTEM_ADMINISTRATOR = 'SYSADMIN',
   ENFORCEMENT_OFFICER = 'EOFFICER',
+  HQ_ADMINISTRATOR = 'HQADMIN',
+  FINANCE = 'FINANCE',
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -35,3 +35,5 @@ if [[ $TEST_12_4_RESULT -eq 1 ]]; then @@
     else
         echo "******** Test 12.4 failed: Previous revisions not being marked SUPERSEDED"
     fi
+    /opt/mssql-tools/bin/sqlcmd -U ${USER} -P "${PASS}" -S ${SERVER} -v DB_NAME=${DATABASE} -h -1 -i ${TESTS_DIR}/v_12_test_cleanup.sql