# Vuln Explorer RBAC & ABAC (Md.XI draft)

> Status: DRAFT — pending security review and GRAP0101. Do not publish until roles/claims verified.

## Scope
- Roles/scopes, ABAC policies, attachment encryption/CSRF considerations for Vuln Explorer.

## Dependencies
- Security review; GRAP0101 identifiers; attachment token wording from Authority.

## Outline
- Scopes: vuln:view/investigate/operate/audit (+ legacy read).
- ABAC filters: vuln_env, vuln_owner, vuln_business_tier; enforcement in tokens/permalinks.
- Attachment tokens: issuance/verify; encryption notes; CSRF protections.

_Last updated: 2025-12-05 (UTC)_