linuxfoundation · emsearcy · Mar 31, 2026 · Apr 1, 2026 · Apr 13, 2026
@@ -177,3 +177,41 @@ role assignment.
 - ***Auditor***: inherited from Project Auditor, Committee Auditor
 
 ---
+
+### B2B Organization
+
+Access to a B2B Organization object is controlled via three directly-assignable
+roles: **Owner**, **Writer**, and **Auditor**. No job-to-be-done actions are
+documented for this type yet; this section will be expanded as API coverage
+grows.
+
+#### Permission Inheritance
+
+- **Writer**: also granted to Owner; inherited from global org-admin team
+- **Auditor**: also granted to Writer
+
+---
+
+### Project Membership
+
+Access to a Project Membership object is fully inherited — there are no
+directly-assignable roles on this type. Write access is scoped to B2B
+Organization writers; read access is additionally available to Project auditors.
+
+#### Permission Inheritance
+
+- ***Writer***: inherited from B2B Organization Writer
+- ***Auditor***: inherited from B2B Organization Auditor, Project Auditor
+
+---
+
+### Key Contact
+
+Access to a Key Contact object is fully inherited — there are no
+directly-assignable roles on this type. Both write and read access are
+available to either the parent B2B Organization or the parent Project.
+
+#### Permission Inheritance
+
+- ***Writer***: inherited from B2B Organization Writer, Project Writer
+- ***Auditor***: inherited from B2B Organization Auditor, Project Auditor
@@ -23,8 +23,8 @@ spec:
   @fgadoc:hide, @fgadoc:alias, @fgadoc:collapse tags are managed manually.
 */}}
     - version:
-        major: 10
-        minor: 1
+        major: 11
+        minor: 0
         patch: 0
       authorizationModel: |
         model
@@ -419,10 +419,42 @@ spec:
             # we just use the "owner" relation in our access checks!
             define auditor: owner or auditor from survey
 
-        # @fgadoc:hide
-        # This type is used for access to membership apis, not to define someone as a project member
-        # eventually it needs to be expanded as we index objects
-        type member
+        # @fgadoc:alias B2B Organization
+        # The b2b_org type represents a Salesforce Account (B2B company). The UID is
+        # an invertible UUID v8 encoded from the Salesforce Account SFID.
+        # global_org_admin is written to every b2b_org at creation time by the member
+        # service, providing writer (and transitively auditor) access to all org admins
+        # without requiring a hierarchical root object.
+        type b2b_org
+          relations
+            # @fgadoc:hide
+            define global_org_admin: [team#member]
+            define owner: [user]
+            define writer: [user] or owner or global_org_admin
+            define auditor: [user, team#member] or writer
+
+        # @fgadoc:alias Project Membership
+        # The project_membership type represents a Salesforce Asset record: one active
+        # (or expired) membership term for a b2b_org within a project. Access is derived
+        # from the caller's relationship to the parent b2b_org or parent project.
+        # writer is intentionally scoped to b2b_org only: project-level writers (LF staff)
+        # can audit memberships but cannot create or modify them.
+        type project_membership
           relations
-            define auditor: [user, team#member]
+            define b2b_org: [b2b_org]
+            define project: [project]
+            define writer: writer from b2b_org
+            define auditor: auditor from b2b_org or auditor from project
+
+        # @fgadoc:alias Key Contact
+        # The key_contact type represents a Salesforce Project_Role__c record: a named
+        # contact role assigned to a b2b_org for a specific project membership. Write
+        # access is granted to b2b_org writers (owners and global org-admin team) and to
+        # project-level writers (LF staff managing contacts on behalf of members).
+        type key_contact
+          relations
+            define b2b_org: [b2b_org]
+            define project: [project]
+            define writer: writer from b2b_org or writer from project
+            define auditor: auditor from b2b_org or auditor from project
 {{- end }}