# Vuln Explorer RBAC & ABAC (Md.XI draft)

> Status: DRAFT — pending security review and GRAP0101. Do not publish until roles/claims verified.

## Scope

- Roles/scopes, ABAC policies, attachment encryption/CSRF considerations for Vuln Explorer.

## Dependencies

- Security review; GRAP0101 identifiers; attachment token wording from Authority.

## Outline

- Scopes: vuln:view/investigate/operate/audit (+ legacy read).
- ABAC filters: vuln_env, vuln_owner, vuln_business_tier; enforcement in tokens/permalinks.
- Attachment tokens: issuance/verify; encryption notes; CSRF protections.

### Hash Capture Checklist (post-review)

- `assets/vuln-explorer/rbac-scope-table.md` (scope/role matrix)
- `assets/vuln-explorer/abac-claims.json` (sample token claims)
- `assets/vuln-explorer/attachment-token-flow.json` (issuance/verify payloads)

_Last updated: 2025-12-05 (UTC)_
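Added example (not Vuln Explorer's own code) of how the Outline's scope check and ABAC filters could be enforced together on token claims, with legacy `read` folded into `vuln:view`. The claim shapes, the absent-filter-means-unrestricted rule and the legacy mapping are assumptions, not something the draft specifies.

```python
# Added example (not Vuln Explorer's own code): combining scope checks with
# ABAC claim filters. Assumptions not stated on the page: `scope` is a
# space-separated string, each ABAC filter is a list of allowed values,
# an absent filter means unrestricted, legacy `read` maps to `vuln:view`.
ACTION_SCOPE = {
    "view": "vuln:view",
    "investigate": "vuln:investigate",
    "operate": "vuln:operate",
    "audit": "vuln:audit",
}
LEGACY_SCOPE_MAP = {"read": "vuln:view"}  # assumed legacy mapping
ABAC_KEYS = ("vuln_env", "vuln_owner", "vuln_business_tier")


def effective_scopes(claims):
    """Normalise the scope claim, translating legacy scope names."""
    raw = claims.get("scope", "")
    tokens = raw.split() if isinstance(raw, str) else list(raw)
    return {LEGACY_SCOPE_MAP.get(s, s) for s in tokens}


def abac_allows(claims, vuln):
    """Every ABAC filter present in the token must match the record."""
    for key in ABAC_KEYS:
        allowed = claims.get(key)
        if allowed is None:
            continue  # assumption: absent filter = no restriction
        if vuln.get(key) not in allowed:
            return False  # also denies records missing the attribute
    return True


def authorize(claims, action, vuln):
    """Deny by default: unknown action, missing scope or ABAC mismatch fail."""
    scope = ACTION_SCOPE.get(action)
    if scope is None or scope not in effective_scopes(claims):
        return False
    return abac_allows(claims, vuln)


# Constructed sample claims and record (illustrative only, not real tokens).
SAMPLE_CLAIMS = {
    "scope": "read vuln:investigate",
    "vuln_env": ["prod"],
    "vuln_business_tier": ["tier1", "tier2"],
}
SAMPLE_VULN = {"vuln_env": "prod", "vuln_owner": "team-a", "vuln_business_tier": "tier1"}
```

The same filter logic applies to permalinks: the attributes bound into a permalink token are checked against the record at resolve time, so a link cannot widen what the issuing token could see.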