nocobase-acl-managelisted

# Goal Configure and diagnose NocoBase ACL safely through MCP: roles, default role, role union mode, system permission snippets, route permissions, data-source-level global table strategy, collection-level independent permissions, field permissions, and row scopes. # Prerequisite - NocoBase MCP must already be authenticated before permission operations. - If MCP tools return authentication errors such as `Auth required`, do not attempt ad hoc sign-in flows. - Stop and ask the user to restore MCP authentication first. Useful references: - MCP setup: `nocobase-mcp-setup` - Filter condition format (for scope `scope` field): `nocobase-utils` → [references/filter/index.md](../nocobase-utils/references/filter/index.md) - Roles and permissions handbook: https://docs.nocobase.com/handbook/acl - Data modeling handbook: https://docs.nocobase.com/data-sources/data-modeling - Full docs index used for ACL terminology: https://docs.nocobase.com/llms-full.txt # ACL Model Think in layers. Configure from identity to business access: 1. Role identity 2. System role mode 3. System permissions 4. Route permissions 5. Global table permissions 6. Table independent permissions 7. Row and field restrictions Do not jump into table independent permissions until system, route, and global table intent are clear. Do not stop at action-only skeletons when the user asks for a realistic business role. A realistic role usually needs an explicit decision for every relevant layer, even when that decis