Problem Statement
Pelcro's current collaborator permission model has two key issues: (1) any collaborator can delete other collaborators, which should be restricted to the Account Owner only; and (2) several roles lack capabilities they need: Sales cannot create/edit plans or export data for quoting and reporting, and Customer Service cannot void or cancel invoices, slowing issue resolution.
User Story
As a Pelcro Account Owner, I want collaborator deletion restricted to my role only, and I want the Sales and Customer Service roles to have the specific capabilities they need (plan management, data export, invoice voiding/cancellation), so that permissions match real operational responsibilities without over-granting destructive rights.
Definition of Done (DoD)
A feature is done when:
- Given the updated permission matrix, when a collaborator attempts to delete another collaborator, then only the Account Owner succeeds; all other roles receive a clear 'permission denied' error in both the UI and API.
- When a Sales collaborator is logged in, then they can create/edit plans and export customers, subscriptions, and invoices, but cannot access access control, product settings, or delete any object.
- When a Support collaborator is logged in, then they can void and cancel invoices and update customer info, but cannot access plans, access controls, or delete any object.
- As an Account Owner or Admin, I want to see the last login timestamp for each collaborator, so that I can identify dormant or inactive accounts during periodic security and compliance reviews.
- Admins retain all existing delete permissions except collaborator deletion.
Planned
Pelcro Product
4 months ago

Rana Haleem