Principal from School A cannot view School B
Login as Principal with School A, then open /school/north-atlanta and confirm redirect with deny notice.
Demo login
Select a role
This login issues short-lived mock JWTs and applies application-level RBAC enforcement so each role only sees allowed routes and role-scoped navigation.
School-scoped roles are also bound to a selected school context, so principals, teachers, counselors, parents, and students do not land in a different school’s data.
API base URL: https://wex9fzikz6.execute-api.us-east-1.amazonaws.com/demo/api
School-scoped roles will be bound to this school at login so they cannot pivot into another school’s data.
Ready
Scope acceptance checklist (live demo)
Teacher cannot view student outside roster scope
Login as Teacher for Booker T, then open /student/student-002 and confirm scope mismatch deny message.
School-scoped role cannot access district footprint
Login as Counselor or Principal with any school, then open /district-footprint and confirm district-only deny message.
Parent restricted to parent routes
Login as Parent, then open /teacher and confirm parent-scope deny message.
Denied decisions show in Governance audit evidence
After any deny redirect, open /governance and confirm access-denied audit evidence entries are present.