[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcfd-af2cHRjeYL4mSYaDgft8UikxBt2l1RDqVo7f6dk":3,"$fG91H0FDD3CAFuK-YOL8kl5neaXL1I49nQHChF_QgrjE":14},{"slug":4,"locale":5,"title":6,"section":7,"orderIndex":8,"blocks":9,"seoTitle":7,"seoDescription":7,"updatedAt":13},"03-rollen","de","03 — Roles & Permissions",null,3,[10],{"type":11,"value":12},"markdown","# 03 — Roles & Permissions\n\nPartnerDesk distinguishes four groups of people, each with its own login domain and its own set of permissions.\n\n## Overview\n\n| Role | Login URL | What can they do? |\n|-------|-----------|---------------|\n| **Platform admin** (PlatformUser) | `admin.partnerdesk.io` | Manage all tenants, view the audit log, replay webhook events, retry failed messages |\n| **Tenant admin** (TenantUser) | `app.partnerdesk.io` | Manage their own tenant: partners, campaigns, transactions, payouts, academy, branding |\n| **Partner** | `\u003Cslug>.partnerdesk.io` | Their own commissions, downline, promotional material, academy courses |\n| **Hub account** | `partnerdesk.io\u002Fhub` | Bundle several partner identities (cross-tenant) |\n\n## Role 1 — Platform Admin (PlatformUser)\n\n### Visibility\nGlobal view. **Not** bound to any tenant.\n\n### Actions\n- Create, suspend and reactivate tenants.\n- Change the plan tier.\n- Search the audit log.\n- Inspect and replay the webhook events of all tenants.\n- Retry or discard failed messages.\n- Send platform-wide broadcasts to tenant owners.\n- View the API docs.\n\n### Sub-roles\n- `ROLE_PLATFORM_OWNER`: can do everything, including creating new platform admins.\n- `ROLE_PLATFORM_ADMIN`: operational, but no user management at platform level.\n\n### Creation\nVia the CLI: `app:platform-user:create \u003Cemail> \u003Cpassword> \u003Crole>`. **No self-signup**: platform admins are only created by existing platform owners.\n\n## Role 2 — Tenant Admin (TenantUser)\n\n### Visibility\nOnly their own tenant. Cannot see other tenants.\n\n### Actions (default `ROLE_ADMIN`)\n- Create, edit and suspend partners.\n- Maintain campaigns and commission tiers.\n- View, approve and reject transactions.\n- Generate payouts, approve them and mark them as paid.\n- Maintain notification templates.\n- Configure branding and email white-labelling.\n- Edit legal pages.\n- View the webhook event log (tenant-scoped).\n\n### Special role `ROLE_OWNER`\nA tenant owner can additionally:\n- Create further TenantUsers.\n- Manage the subscription (Stripe billing).\n- Request tenant anonymisation (GDPR Art. 17).\n\n### Creation\nThree ways:\n- Self-service signup at `partnerdesk.io\u002Fsignup` (automatically creates the first owner).\n- A platform admin creates the user in the superadmin UI.\n- CLI: `app:tenant-user:create \u003Ctenant-slug> \u003Cemail> \u003Cpassword>`.\n\n## Role 3 — Partner\n\n### Visibility\nOnly their own data plus their own direct downline.\n\n### Actions\n- View their own commissions and payouts.\n- Copy tracking links and promotional material.\n- Create and maintain their own landing page.\n- Work through academy courses.\n- Maintain profile and bank details.\n- Enable 2FA.\n- Request account deletion (see **[93 — GDPR](93-dsgvo.md)**).\n\n### Creation\nFour ways:\n- A tenant admin creates the partner in the admin portal.\n- Self-registration at `\u003Cslug>.partnerdesk.io\u002Fregister` (status initially `pending`).\n- Invite flow: the admin sends an email with a token link.\n- CLI (for imports): see **[20 — Creating Partners](20-partner-anlegen.md)**.\n\n### Status lifecycle\n`pending` → `active` → optionally `suspended` → optionally `terminated` → optionally `deletion_pending` → `anonymized` (the data is replaced by anonymous values).\n\nDetails: **[21 — Partner Status](21-partner-status.md)**.\n\n## Role 4 — Hub Account\n\n### Purpose\nA partner who is active for several tenants can create a hub account. The hub links all of their partner identities under one email address.\n\n### Visibility\nCross-tenant: combined KPIs plus separate lists per tenant.\n\n### Actions\n- Hub login (`partnerdesk.io\u002Fhub`).\n- \"Claim\" existing partner accounts via email verification.\n- Cross-tenant dashboard (cumulative commissions, individual programmes).\n\n### Creation\n- Self-service at `partnerdesk.io\u002Fhub\u002Fregister`.\n- Then the claim wizard for each partner account the hub is to bundle.\n\nDetails: **[121 — Cross-Tenant Hub](121-cross-tenant-hub.md)**.\n\n## Authentication & Security\n\nAll four roles have:\n\n- **JWT-token-based auth** (LocalStorage in the browser).\n- **Separate token keys** per role: parallel logins in different roles are possible.\n- **2FA** can optionally be enabled (platform admin and tenant admin; planned for partners).\n- **Rate limiting** on all login endpoints (5 attempts per minute).\n- **Audit log**: every login (successful or failed) is recorded.\n\n## Tenant Boundary\n\nThe most important security property: **no tenant admin can ever see or modify another tenant's data**. This guarantee is enforced at four levels:\n\n- The `TenantResolver` component (every request knows its tenant).\n- The `TenantUserProvider` (the user is loaded tenant-scoped).\n- Foreign-key constraints (all domain entities carry a `tenant_id`).\n- Repository methods that always include `tenant_id` in the `WHERE` clause.\n\nIn addition, a dedicated test set checks every API route against cross-tenant lookups.\n\n## Related Chapters\n\n- **[90 — 2FA](90-2fa.md)**\n- **[91 — Rate Limiting](91-rate-limiting.md)**\n- **[92 — Audit Log](92-audit-log.md)**\n\n---\n\n**In-depth technical docs**: [`..\u002F001-initial-setup.md`](..\u002F001-initial-setup.md), [`..\u002F005-campaign-management.md`](..\u002F005-campaign-management.md) (TenantUserProvider), [`..\u002F021-superadmin-cicd.md`](..\u002F021-superadmin-cicd.md) (PlatformUser), [`..\u002F110-cross-tenant-hub.md`](..\u002F110-cross-tenant-hub.md)\n","2026-06-01T21:39:08+02:00",{"data":15},[16,20,24,25,29,33,37,41,45,49,53,57,61,65,69,73,77,81,85,89,93,97,101,105,109,113,117,121,125,129,133,137,141,145,149,153,157,161,165,169,173,177,181,185,189,193,197,201,205,209,213,217,221,225,229,233,237,241,245,249,253,257,261,265,269],{"slug":17,"locale":5,"title":18,"section":7,"orderIndex":19},"01-ueberblick","01 — Quick Overview & Architecture",1,{"slug":21,"locale":5,"title":22,"section":7,"orderIndex":23},"02-schnellstart","02 — Quick Start for New Tenants",2,{"slug":4,"locale":5,"title":6,"section":7,"orderIndex":8},{"slug":26,"locale":5,"title":27,"section":7,"orderIndex":28},"10-kampagnen","10 — Managing Campaigns",10,{"slug":30,"locale":5,"title":31,"section":7,"orderIndex":32},"11-provisionen","11 — Commission Models (Tiers & Groups)",11,{"slug":34,"locale":5,"title":35,"section":7,"orderIndex":36},"12-mlm","12 — MLM Structure & Downline",12,{"slug":38,"locale":5,"title":39,"section":7,"orderIndex":40},"13-bonus","13 — Bonus Programmes",13,{"slug":42,"locale":5,"title":43,"section":7,"orderIndex":44},"14-holdback-reserve","14 — Holdback Period & Reserve (Protection against Chargebacks)",14,{"slug":46,"locale":5,"title":47,"section":7,"orderIndex":48},"15-programm-bewertungen","15 — Programme Ratings in the Marketplace",15,{"slug":50,"locale":5,"title":51,"section":7,"orderIndex":52},"16-externe-bewertungen","16 — Connecting External Reviews (Providers)",16,{"slug":54,"locale":5,"title":55,"section":7,"orderIndex":56},"17-joint-venture-partner","17 — Joint-Venture Partners",17,{"slug":58,"locale":5,"title":59,"section":7,"orderIndex":60},"18-vertriebsmitarbeiter","18 — Sales Representatives (VM)",18,{"slug":62,"locale":5,"title":63,"section":7,"orderIndex":64},"19-profitabilitaet","19 — Profitability of a Campaign",19,{"slug":66,"locale":5,"title":67,"section":7,"orderIndex":68},"20-partner-anlegen","20 — Creating Partners",20,{"slug":70,"locale":5,"title":71,"section":7,"orderIndex":72},"21-partner-status","21 — Partner Status & Lifecycle",21,{"slug":74,"locale":5,"title":75,"section":7,"orderIndex":76},"22-partner-profile","22 — Partner Profiles & Master Data",22,{"slug":78,"locale":5,"title":79,"section":7,"orderIndex":80},"23-customers","23 — Customers (End Customers)",23,{"slug":82,"locale":5,"title":83,"section":7,"orderIndex":84},"24-partner-merge","24 — Merging Duplicate Partners",24,{"slug":86,"locale":5,"title":87,"section":7,"orderIndex":88},"30-webhooks","30 — Webhook Overview",30,{"slug":90,"locale":5,"title":91,"section":7,"orderIndex":92},"31-stripe","31 — Stripe Integration",31,{"slug":94,"locale":5,"title":95,"section":7,"orderIndex":96},"32-digistore24","32 — Digistore24 Integration",32,{"slug":98,"locale":5,"title":99,"section":7,"orderIndex":100},"33-copecart","33 — CopeCart Integration",33,{"slug":102,"locale":5,"title":103,"section":7,"orderIndex":104},"34-ablefy","34 — Ablefy Integration (formerly elopage)",34,{"slug":106,"locale":5,"title":107,"section":7,"orderIndex":108},"35-easybill","35 — easybill Integration",35,{"slug":110,"locale":5,"title":111,"section":7,"orderIndex":112},"36-lexoffice","36 — lexoffice Integration",36,{"slug":114,"locale":5,"title":115,"section":7,"orderIndex":116},"37-custom-webhook","37 — Custom Webhook (Zapier, Make, n8n, your own systems)",37,{"slug":118,"locale":5,"title":119,"section":7,"orderIndex":120},"40-auszahlungen","40 — Payout Workflow",40,{"slug":122,"locale":5,"title":123,"section":7,"orderIndex":124},"41-gutschriften","41 — Credit Notes (§14 UStG)",41,{"slug":126,"locale":5,"title":127,"section":7,"orderIndex":128},"42-sepa","42 — SEPA XML Export",42,{"slug":130,"locale":5,"title":131,"section":7,"orderIndex":132},"43-stripe-connect","43 — Stripe Connect (Express Payouts)",43,{"slug":134,"locale":5,"title":135,"section":7,"orderIndex":136},"44-buchhaltung-sync","44 — External Accounting Sync (easybill \u002F lexoffice)",44,{"slug":138,"locale":5,"title":139,"section":7,"orderIndex":140},"50-tracking","50 — Tracking Cookie & Click Capture",50,{"slug":142,"locale":5,"title":143,"section":7,"orderIndex":144},"51-attribution","51 — Attribution Models",51,{"slug":146,"locale":5,"title":147,"section":7,"orderIndex":148},"52-utm-subid","52 — UTM, Sub-IDs & Fingerprint",52,{"slug":150,"locale":5,"title":151,"section":7,"orderIndex":152},"53-werbemittel","53 — Promotional Material: Banners & Coupons",53,{"slug":154,"locale":5,"title":155,"section":7,"orderIndex":156},"54-links-landingpages","54 — Short Links & Landing Pages",54,{"slug":158,"locale":5,"title":159,"section":7,"orderIndex":160},"60-marketing-site","60 — Marketing Site (Apex Domain)",60,{"slug":162,"locale":5,"title":163,"section":7,"orderIndex":164},"61-popup-widget","61 — Popup Widget for Tenant Sites",61,{"slug":166,"locale":5,"title":167,"section":7,"orderIndex":168},"62-cross-promotion","62 — PartnerDesk Cross-Promotion (Recommending PartnerDesk)",62,{"slug":170,"locale":5,"title":171,"section":7,"orderIndex":172},"63-lead-aff","63 — Lead Affiliate Programme (Partners Refer Partners)",63,{"slug":174,"locale":5,"title":175,"section":7,"orderIndex":176},"70-notifications","70 — Notification System",70,{"slug":178,"locale":5,"title":179,"section":7,"orderIndex":180},"71-email-whitelabel","71 — Email White-Label",71,{"slug":182,"locale":5,"title":183,"section":7,"orderIndex":184},"72-email-templates","72 — Email Templates",72,{"slug":186,"locale":5,"title":187,"section":7,"orderIndex":188},"73-lifecycle-mails","73 — Lifecycle Emails",73,{"slug":190,"locale":5,"title":191,"section":7,"orderIndex":192},"80-akademie","80 — Academy: Courses & Lessons",80,{"slug":194,"locale":5,"title":195,"section":7,"orderIndex":196},"81-quiz","81 — Quiz System",81,{"slug":198,"locale":5,"title":199,"section":7,"orderIndex":200},"82-zertifikate","82 — Certificates on Course Completion",82,{"slug":202,"locale":5,"title":203,"section":7,"orderIndex":204},"90-2fa","90 — Two-Factor Authentication (2FA)",90,{"slug":206,"locale":5,"title":207,"section":7,"orderIndex":208},"91-rate-limiting","91 — Rate Limiting",91,{"slug":210,"locale":5,"title":211,"section":7,"orderIndex":212},"92-audit-log","92 — Audit Log",92,{"slug":214,"locale":5,"title":215,"section":7,"orderIndex":216},"93-dsgvo","93 — GDPR Tools",93,{"slug":218,"locale":5,"title":219,"section":7,"orderIndex":220},"94-legal","94 — Legal Pages",94,{"slug":222,"locale":5,"title":223,"section":7,"orderIndex":224},"95-cookie-consent","95 — Cookie Consent",95,{"slug":226,"locale":5,"title":227,"section":7,"orderIndex":228},"100-billing-plaene","100 — Stripe Billing Plans",100,{"slug":230,"locale":5,"title":231,"section":7,"orderIndex":232},"101-trial","101 — Trial & Subscription Status",101,{"slug":234,"locale":5,"title":235,"section":7,"orderIndex":236},"102-customer-portal","102 — Stripe Customer Portal",102,{"slug":238,"locale":5,"title":239,"section":7,"orderIndex":240},"110-superadmin","110 — Platform Admin (Superadmin)",110,{"slug":242,"locale":5,"title":243,"section":7,"orderIndex":244},"111-health","111 — Health Endpoints",111,{"slug":246,"locale":5,"title":247,"section":7,"orderIndex":248},"112-webhook-event-log","112 — Webhook Event Log",112,{"slug":250,"locale":5,"title":251,"section":7,"orderIndex":252},"113-failed-messages","113 — Failed Messages",113,{"slug":254,"locale":5,"title":255,"section":7,"orderIndex":256},"120-pwa-partner","120 — PWA Partner Portal",120,{"slug":258,"locale":5,"title":259,"section":7,"orderIndex":260},"121-cross-tenant-hub","121 — Cross-Tenant Hub",121,{"slug":262,"locale":5,"title":263,"section":7,"orderIndex":264},"130-public-api","130 — Public API (for Tenant Integrators)",130,{"slug":266,"locale":5,"title":267,"section":7,"orderIndex":268},"131-outgoing-webhooks","131 — Outgoing Webhooks",131,{"slug":270,"locale":5,"title":271,"section":7,"orderIndex":272},"132-exports","132 — Data Exports (CSV, PDF Report)",132]