wri · roguenet · May 21, 2026 · May 21, 2026
diff --git a/libs/common/src/lib/policies/site-polygon.policy.spec.ts b/libs/common/src/lib/policies/site-polygon.policy.spec.ts
@@ -25,9 +25,9 @@ describe("SitePolygonPolicy", () => {
     jest.restoreAllMocks();
   });
 
-  it("allows service accounts with polygons-manage to read and create any polygon", async () => {
+  it("allows service accounts with polygons-manage-own to read and create any polygon", async () => {
     const user = await UserFactory.create();
-    mockRequestForUser(user, "polygons-manage");
+    mockRequestForUser(user, "polygons-manage-own");
 
     const sitePolygon = new SitePolygon();
     sitePolygon.createdBy = 999; // Different user
@@ -36,9 +36,9 @@ describe("SitePolygonPolicy", () => {
     await expectCan(service, "create", sitePolygon);
   });
 
-  it("allows service accounts with polygons-manage to update and delete only their own polygons", async () => {
+  it("allows service accounts with polygons-manage-own to update and delete only their own polygons", async () => {
     const user = await UserFactory.create();
-    mockRequestForUser(user, "polygons-manage");
+    mockRequestForUser(user, "polygons-manage-own");
 
     const ownPolygon = new SitePolygon();
     ownPolygon.createdBy = user.id;
@@ -52,6 +52,17 @@ describe("SitePolygonPolicy", () => {
     await expectCannot(service, "delete", otherPolygon);
   });
 
+  it("allows service accounts with polygons-manage to take any action on any polygon", async () => {
+    const user = await UserFactory.create();
+    mockRequestForUser(user, "polygons-manage");
+
+    const sitePolygon = new SitePolygon();
+    await expectCan(service, "read", sitePolygon);
+    await expectCan(service, "create", sitePolygon);
+    await expectCan(service, "update", sitePolygon);
+    await expectCan(service, "delete", sitePolygon);
+  });
+
   it("allows managing polygons within frameworks", async () => {
     const site = await SiteFactory.create({ frameworkKey: "ppc" });
 
@@ -152,12 +163,12 @@ describe("SitePolygonPolicy", () => {
     await expectCannot(service, "delete", sitePolygon);
   });
 
-  describe("service accounts with polygons-manage", () => {
+  describe("service accounts with polygons-manage-own", () => {
     it("allows service accounts to delete their own site polygons", async () => {
       const user = await UserFactory.create();
       const site = await SiteFactory.create();
 
-      mockRequestForUser(user, "polygons-manage");
+      mockRequestForUser(user, "polygons-manage-own");
 
       const sitePolygon = new SitePolygon();
       sitePolygon.siteUuid = site.uuid;
@@ -170,7 +181,7 @@ describe("SitePolygonPolicy", () => {
       const user = await UserFactory.create();
       const site = await SiteFactory.create();
 
-      mockRequestForUser(user, "polygons-manage");
+      mockRequestForUser(user, "polygons-manage-own");
 
       const sitePolygon = new SitePolygon();
       sitePolygon.siteUuid = site.uuid;
@@ -183,7 +194,7 @@ describe("SitePolygonPolicy", () => {
       const user = await UserFactory.create();
       const site = await SiteFactory.create();
 
-      mockRequestForUser(user, "polygons-manage");
+      mockRequestForUser(user, "polygons-manage-own");
 
       const sitePolygon = new SitePolygon();
       sitePolygon.siteUuid = site.uuid;

diff --git a/libs/common/src/lib/policies/site-polygon.policy.ts b/libs/common/src/lib/policies/site-polygon.policy.ts
@@ -7,6 +7,10 @@ export class SitePolygonPolicy extends UserPermissionsPolicy {
     const user = await this.getUser();
 
     if (this.permissions.includes("polygons-manage")) {
+      // Research persona
+      this.builder.can("manage", SitePolygon);
+    } else if (this.permissions.includes("polygons-manage-own")) {
+      // Greenhouse
       this.builder.can(["read", "create"], SitePolygon);
       this.builder.can(["update", "delete"], SitePolygon, { createdBy: this.userId });
     }
@@ -60,7 +64,7 @@ export class SitePolygonPolicy extends UserPermissionsPolicy {
 
     return (this._user = await User.findOne({
       where: { id: this.userId },
-      attributes: ["organisationId"],
+      attributes: ["emailAddress", "organisationId"],
       include: [{ association: "projects", attributes: ["id"] }]
     }));
   }

diff --git a/libs/database/src/lib/constants/permissions.ts b/libs/database/src/lib/constants/permissions.ts
@@ -21,6 +21,7 @@ export const PERMISSIONS = {
   "manage-own": "Manage own",
   "projects-read": "Read all projects",
   "polygons-manage": "Manage polygons",
+  "polygons-manage-own": "Manage own polygons",
   "media-manage": "Manage media",
   "view-dashboard": "View dashboard",
   "projects-manage": "Manage projects"
@@ -73,7 +74,7 @@ export const ROLES: Dictionary<Permission[]> = {
   ],
   "project-developer": ["manage-own"],
   "project-manager": ["projects-manage"],
-  "greenhouse-service-account": ["projects-read", "polygons-manage", "media-manage"],
+  "greenhouse-service-account": ["projects-read", "polygons-manage-own", "media-manage"],
   "research-service-account": ["projects-read", "polygons-manage"],
   government: ["view-dashboard"],
   funder: ["view-dashboard"]