# B2B SaaS — Complete Feature Tree

OWNER: aimee
ALSO_USED_BY: anna, eric (contract), hugo (auth), faye, sytske
This is the canonical feature decomposition for all B2B SaaS projects. During scoping, Aimee walks each item with the client and marks it:
- REQUIRED — Must be in MVP
- NICE_TO_HAVE — Include if budget allows
- PHASE_2 — Defer to post-launch
- OUT_OF_SCOPE — Will not be built
Every SCOPE_ITEM has sub-items (INCLUDES) and conditional logic (IF/THEN). A detail page is linked where a deeper specification exists.
## 1. Authentication & SSO

Detail page: authentication-sso.md
SCOPE_ITEM: email_password_auth
- INCLUDES: Email + password registration and login
- INCLUDES: Password strength enforcement (min 12 chars, zxcvbn scoring)
- INCLUDES: Password reset via email link (time-limited, single-use)
- INCLUDES: Email verification (post-signup, non-blocking)
- CHECK: Confirm whether social login is needed (Google, Microsoft, GitHub)

SCOPE_ITEM: social_login
- INCLUDES: Google OAuth2 login
- INCLUDES: Microsoft Entra ID login
- OPTIONAL: GitHub, LinkedIn, Apple login
- CHECK: Each social provider requires app registration and redirect URI config

SCOPE_ITEM: multi_factor_authentication
- INCLUDES: TOTP (authenticator app) as second factor
- INCLUDES: Recovery codes (one-time use, 10 codes generated)
- OPTIONAL: WebAuthn / passkey support
- OPTIONAL: SMS-based MFA (discouraged — SIM swap risk)
- CHECK: MFA enforcement policy — per-org or platform-wide?

SCOPE_ITEM: corporate_sso
- INCLUDES: SAML 2.0 IdP integration (Okta, Entra ID, OneLogin, Google Workspace)
- INCLUDES: OIDC provider support
- INCLUDES: Per-organization SSO configuration
- INCLUDES: SP-initiated and IdP-initiated flows
- INCLUDES: JIT (Just-In-Time) user provisioning from SSO assertion
- OPTIONAL: SCIM 2.0 directory sync (user provisioning/deprovisioning)
- OPTIONAL: Automatic role mapping from IdP groups
- COMPLIANCE: SSO bypasses email/password — enforce org-level SSO-only policy
- CHECK: Enterprise SSO is a revenue unlock — price it into enterprise tier

SCOPE_ITEM: session_management
- INCLUDES: JWT or session-cookie-based auth
- INCLUDES: Configurable session duration per organization
- INCLUDES: Concurrent session limits (optional)
- INCLUDES: Force logout / session revocation
- INCLUDES: Session activity log (IP, user agent, last active)
- CHECK: Short-lived access tokens (15 min) + refresh tokens (7 days) recommended

SCOPE_ITEM: api_key_authentication
- INCLUDES: Per-organization API key generation
- INCLUDES: API key scoping (read-only, full access, custom scopes)
- INCLUDES: Key rotation without downtime
- INCLUDES: Usage tracking per API key
- OPTIONAL: Personal access tokens (per-user, not per-org)
## 2. Organization & Workspace Management
SCOPE_ITEM: organization_creation
- INCLUDES: Org creation during signup (name, slug, billing email)
- INCLUDES: Org profile settings (logo, display name, timezone, locale)
- INCLUDES: Org-level feature flags
- CHECK: Single-org or multi-org per user? Multi-org adds complexity.

SCOPE_ITEM: workspace_or_project_structure
- INCLUDES: Sub-organizational units (workspaces, projects, teams)
- INCLUDES: Workspace-level permissions separate from org permissions
- INCLUDES: Workspace creation, archiving, deletion
- OPTIONAL: Workspace templates (pre-configured for common use cases)
- CHECK: Only if the product domain requires sub-org grouping

SCOPE_ITEM: organization_invitations
- INCLUDES: Invite by email (generates secure token, 7-day expiry)
- INCLUDES: Invite with pre-assigned role
- INCLUDES: Bulk invite (CSV upload)
- INCLUDES: Pending invite management (resend, revoke)
- INCLUDES: Invite accept flow (new user signup or existing user join)
- IF: SSO enabled for org THEN: Invites may be replaced by JIT provisioning — clarify with client
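The time-limited, single-use token pattern that both the password reset link (email_password_auth) and the invite-by-email flow above rely on, as an added example that is not part of the feature tree. Only a hash of the token is stored, so a leaked table row cannot be redeemed; the one-hour reset TTL and the in-memory store are assumptions, the 7-day invite expiry comes from the scope item.

```python
# Added example (not from the feature tree): time-limited, single-use tokens
# for password reset links and organization invites. Only the SHA-256 of the
# token is stored; the raw token lives only in the emailed link.
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 3600            # assumed value for password reset (1 hour)
INVITE_TTL_SECONDS = 7 * 24 * 3600  # 7-day expiry, from the scope item


class TokenStore:
    """In-memory stand-in for the tokens table (assumption: one row per token)."""

    def __init__(self):
        self._rows = {}  # token_hash -> row

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, purpose, subject, ttl_seconds, now=None):
        """Returns the raw token to embed in the email link; stores only its hash.
        `purpose` is "reset" or "invite"; `subject` is the user or invitee email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._rows[self._hash(token)] = {
            "purpose": purpose,
            "subject": subject,
            "expires_at": now + ttl_seconds,
            "used": False,
        }
        return token

    def redeem(self, token, purpose, now=None):
        """Single use: returns the subject exactly once, then the token is dead.
        Returns None for unknown, wrong-purpose, expired or already-used tokens,
        without distinguishing the cases to the caller."""
        now = time.time() if now is None else now
        row = self._rows.get(self._hash(token))
        if row is None or row["purpose"] != purpose:
            return None
        if row["used"] or now >= row["expires_at"]:
            return None
        row["used"] = True  # burn before returning, so a retry cannot reuse it
        return row["subject"]

    def revoke_pending(self, purpose, subject):
        """Pending invite management: revoke every unused token for a subject
        (a resend is revoke + issue). Returns the number revoked."""
        revoked = 0
        for row in self._rows.values():
            if row["purpose"] == purpose and row["subject"] == subject and not row["used"]:
                row["used"] = True
                revoked += 1
        return revoked
```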
SCOPE_ITEM: organization_switching
- INCLUDES: User can belong to multiple organizations
- INCLUDES: Org switcher in navigation
- INCLUDES: Context isolation (switching org clears local state)
- CHECK: Not all products need multi-org — many are single-org-per-user
## 3. User Management & RBAC

Detail page: rbac.md
SCOPE_ITEM: user_profiles
- INCLUDES: Profile fields (name, email, avatar, timezone, locale)
- INCLUDES: Profile editing by user
- INCLUDES: Admin can edit any user profile in their org
- CHECK: Identify custom profile fields needed for the domain

SCOPE_ITEM: role_based_access_control
- INCLUDES: Predefined roles (Owner, Admin, Member, Viewer, Billing)
- INCLUDES: Role assignment per user per organization
- INCLUDES: Permission matrix (role → resource → action)
- INCLUDES: Middleware enforcement on every API route
- OPTIONAL: Custom roles (org admin defines new roles)
- OPTIONAL: Attribute-based access control (ABAC) for field-level permissions
- OPTIONAL: Relationship-based access control (ReBAC) for data-level permissions
- CHECK: Start with RBAC. Only add ABAC/ReBAC if domain requires it.
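The role → resource → action matrix with per-organization role assignment and route-level enforcement, as an added example (not the project's own code). The five roles are the ones listed above; the resource and action names, and the `user`/`org_id` keyword convention of the route handlers, are assumptions.

```python
# Added example (not from the feature tree): deny-by-default permission matrix
# for the predefined roles, enforced by a decorator that stands in for the
# API middleware. Resource/action names are assumptions.
from functools import wraps

# role -> resource -> set of allowed actions. Anything not listed is denied.
PERMISSIONS = {
    "owner":   {"org": {"read", "update", "delete"}, "member": {"read", "invite", "remove"},
                "record": {"read", "create", "update", "delete"}, "billing": {"read", "update"}},
    "admin":   {"org": {"read", "update"}, "member": {"read", "invite", "remove"},
                "record": {"read", "create", "update", "delete"}, "billing": {"read"}},
    "member":  {"org": {"read"}, "member": {"read"}, "record": {"read", "create", "update"}},
    "viewer":  {"org": {"read"}, "member": {"read"}, "record": {"read"}},
    "billing": {"org": {"read"}, "billing": {"read", "update"}},
}
KNOWN_RESOURCES = {"org", "member", "record", "billing"}


class Forbidden(Exception):
    pass


def is_allowed(role, resource, action):
    """True only if the matrix explicitly grants resource/action to role."""
    return action in PERMISSIONS.get(role, {}).get(resource, set())


def role_in_org(user, org_id):
    """Role assignment is per user per organization; None if not a member."""
    return user.get("roles", {}).get(org_id)


def require(resource, action):
    """Middleware-style guard: every route declares the permission it needs.
    Handlers take `user` and `org_id` as keyword arguments (assumed convention)."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(*args, user, org_id, **kwargs):
            role = role_in_org(user, org_id)
            if role is None or not is_allowed(role, resource, action):
                raise Forbidden(f"{role or 'non-member'} may not {action} {resource}")
            return handler(*args, user=user, org_id=org_id, **kwargs)
        return wrapper
    return decorator


@require("record", "delete")
def delete_record(record_id, *, user, org_id):
    return f"deleted {record_id} in {org_id}"


@require("billing", "update")
def update_payment_method(*, user, org_id):
    return f"billing updated for {org_id}"


def matrix_is_consistent():
    """Startup check: the matrix must reference only known resources, so a
    typo in a role definition cannot silently grant or drop access."""
    return all(set(perms) <= KNOWN_RESOURCES for perms in PERMISSIONS.values())
```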
SCOPE_ITEM: user_deactivation_and_removal
- INCLUDES: Deactivate user (preserve data, revoke access)
- INCLUDES: Remove user from organization
- INCLUDES: Data reassignment (transfer ownership of items to another user)
- INCLUDES: SCIM deprovisioning triggers deactivation automatically
- COMPLIANCE: Deactivation must be audit-logged

SCOPE_ITEM: team_management
- INCLUDES: Create teams within an organization
- INCLUDES: Assign users to teams
- INCLUDES: Team-level permissions (team sees only team data)
- OPTIONAL: Team leads with elevated permissions
- CHECK: Only if product has collaborative team-based workflows
## 4. Multi-Tenancy

Detail page: multi-tenancy.md
SCOPE_ITEM: tenant_data_isolation
- INCLUDES: Every database query scoped by tenant_id
- INCLUDES: Row-Level Security (RLS) policies in PostgreSQL
- INCLUDES: Middleware extracts tenant context from auth token or subdomain
- INCLUDES: Background jobs carry tenant context
- COMPLIANCE: Tenant A must NEVER see Tenant B's data — zero tolerance
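The application-side half of the isolation above (the RLS policies are the database-side half), as an added example that is not the project's code: middleware resolves the tenant once from the verified token claims or the subdomain, every query and cache key is scoped from that context rather than from caller input, and background jobs run inside a captured copy of it. The request and job shapes, and the `slug.app.com` host layout, are assumptions.

```python
# Added example (not from the feature tree): tenant context set by middleware,
# carried by queries, cache keys and background jobs, and refused when absent.
import contextvars
from collections import deque

# Tenant for the current request or job; nothing is set by default.
_tenant = contextvars.ContextVar("tenant_id", default=None)
_jobs = deque()  # minimal in-process job queue (assumption)


class MissingTenant(Exception):
    pass


def current_tenant():
    tid = _tenant.get()
    if tid is None:
        raise MissingTenant("query attempted without tenant context")
    return tid


def resolve_tenant(request):
    """Middleware step: tenant comes from the verified token claims first,
    else from the subdomain of slug.app.com. Returns the context token."""
    claims = request.get("token_claims") or {}
    tenant_id = claims.get("tenant_id")
    if tenant_id is None:
        host = request.get("host", "")
        parts = host.split(".")
        tenant_id = parts[0] if len(parts) >= 3 and parts[0] else None
    if tenant_id is None:
        raise MissingTenant("no tenant in token or subdomain")
    return _tenant.set(tenant_id)


def scoped_query(table, where=None):
    """Every query carries tenant_id, added last so a caller-supplied
    `tenant_id` in `where` can never override it."""
    clauses = {**(where or {}), "tenant_id": current_tenant()}
    cond = " AND ".join(f"{k} = %({k})s" for k in clauses)
    return f"SELECT * FROM {table} WHERE {cond}", clauses


def cache_key(name):
    """Tenant-scoped caching: prefix every key so tenants cannot collide."""
    return f"tenant:{current_tenant()}:{name}"


def enqueue(fn, *args):
    """Capture the caller's context (tenant included) with the job."""
    _jobs.append((contextvars.copy_context(), fn, args))


def run_worker():
    """Worker runs each job inside the context captured at enqueue time."""
    results = []
    while _jobs:
        ctx, fn, args = _jobs.popleft()
        results.append(ctx.run(fn, *args))
    return results


def handle_request(request, work):
    """Request lifecycle: resolve tenant, run the handler, always reset."""
    token = resolve_tenant(request)
    try:
        return work()
    finally:
        _tenant.reset(token)
```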
SCOPE_ITEM: tenant_configuration
- INCLUDES: Per-tenant feature flags
- INCLUDES: Per-tenant branding (logo, primary color, favicon)
- INCLUDES: Per-tenant email sender config
- OPTIONAL: Per-tenant custom domain (CNAME + SSL provisioning)
- OPTIONAL: Per-tenant custom subdomain (slug.app.com)
- CHECK: Custom domains add ops complexity — only if enterprise clients require it

SCOPE_ITEM: tenant_aware_infrastructure
- INCLUDES: Tenant-scoped caching (Redis key prefixing)
- INCLUDES: Tenant-scoped rate limiting
- INCLUDES: Tenant-scoped file storage (S3 prefix per tenant)
- INCLUDES: Tenant context in all log entries
- OPTIONAL: Tenant-specific database schema (schema-per-tenant isolation)
- OPTIONAL: Dedicated database per tenant (enterprise tier)
- CHECK: Shared DB + RLS is the default. Escalate only for regulated industries.
## 5. Billing & Subscriptions

Detail page: billing.md
SCOPE_ITEM: subscription_management
- INCLUDES: Plan selection (free, starter, professional, enterprise)
- INCLUDES: Plan upgrade and downgrade with proration
- INCLUDES: Billing cycle (monthly / annual, annual = discount)
- INCLUDES: Subscription status lifecycle (trialing → active → past_due → cancelled → expired)
- INCLUDES: Grace period for failed payments (3 retries over 14 days)
- CHECK: Confirm pricing model — seat-based, usage-based, flat-rate, or hybrid

SCOPE_ITEM: seat_based_billing
- INCLUDES: Price per seat per month/year
- INCLUDES: Seat count auto-updated when users added/removed
- INCLUDES: Seat limit enforcement (cannot add user beyond plan limit)
- OPTIONAL: Tiered seat pricing (first 5 at price A, next 10 at price B)
- IF: Seat-based model selected THEN: Track active vs. deactivated seats for billing accuracy

SCOPE_ITEM: usage_based_billing
- INCLUDES: Usage metering (API calls, storage, compute, records, messages)
- INCLUDES: Real-time usage dashboard for customers
- INCLUDES: Usage alerts (80%, 90%, 100% thresholds)
- INCLUDES: Overage handling (block, allow with surcharge, auto-upgrade)
- IF: Usage-based model selected THEN: Metering infrastructure is a hard requirement — budget 40-80 hours

SCOPE_ITEM: payment_processing
- INCLUDES: Mollie (NL, PRIMARY) or Stripe (US, secondary — sovereignty risk) integration
- INCLUDES: Credit card and SEPA direct debit
- INCLUDES: iDEAL (mandatory for NL market)
- INCLUDES: Invoice generation (PDF, auto-sent)
- INCLUDES: Payment receipt emails
- INCLUDES: Tax handling (VAT reverse charge for B2B EU, VAT for B2C)
- COMPLIANCE: PCI DSS compliance via Mollie/Stripe (no raw card data)

SCOPE_ITEM: billing_portal
- INCLUDES: Self-service billing portal (plan management, payment methods, invoices)
- INCLUDES: Billing contact separate from technical contact
- INCLUDES: Billing history and invoice download
- OPTIONAL: Custom invoicing (enterprise clients, manual approval)
- CHECK: If using Stripe, Customer Portal covers 80% of needs — custom only if required. Mollie requires more custom billing UI.
## 6. Onboarding

Detail page: onboarding.md
SCOPE_ITEM: setup_wizard
- INCLUDES: Post-signup guided setup (3-5 steps max)
- INCLUDES: Org name, invite teammates, choose use case
- INCLUDES: Progress indicator (step X of Y)
- INCLUDES: Skip option with ability to resume later
- CHECK: Target < 2 minutes to first value ("aha moment")

SCOPE_ITEM: data_import
- INCLUDES: CSV import with column mapping UI
- INCLUDES: Validation and error reporting (row-level errors, preview)
- INCLUDES: Async import with progress bar (for large files)
- OPTIONAL: API-based migration tool (import from competitor)
- OPTIONAL: Concierge import service ("send us your spreadsheet")
- CHECK: Data import is the #1 onboarding blocker — invest here

SCOPE_ITEM: starter_templates
- INCLUDES: Pre-built templates for common use cases
- INCLUDES: Template gallery with preview
- INCLUDES: One-click apply template to workspace
- OPTIONAL: Community templates (user-submitted)
- CHECK: Templates reduce time-to-value by 40-60%

SCOPE_ITEM: product_tours
- INCLUDES: First-use tooltips on key UI elements
- INCLUDES: Interactive walkthrough for core workflow
- INCLUDES: Dismissable, remembers completion state
- OPTIONAL: Video tutorials embedded in-app
- OPTIONAL: Contextual help sidebar
- CHECK: Use product analytics to identify drop-off points

SCOPE_ITEM: trial_management
- INCLUDES: Time-limited trial (14 or 30 days)
- INCLUDES: Trial expiry warnings (7 days, 3 days, 1 day, expired)
- INCLUDES: Trial extension capability (admin or sales-triggered)
- INCLUDES: Post-trial state (read-only or full lockout)
- OPTIONAL: Feature-limited free tier (no trial expiry)
- CHECK: Trial-to-paid conversion target > 15% (self-serve) or > 25% (sales-assisted)
## 7. Dashboard & Reporting
SCOPE_ITEM: main_dashboard
- INCLUDES: Organization-level overview (key metrics, recent activity)
- INCLUDES: Role-aware dashboard (admin sees org metrics, member sees personal)
- INCLUDES: Configurable widgets (drag-and-drop optional)
- INCLUDES: Date range picker
- CHECK: Dashboard must load in < 2 seconds — design queries accordingly

SCOPE_ITEM: reporting_engine
- INCLUDES: Pre-built reports for common metrics
- INCLUDES: Date range and filter controls
- INCLUDES: Chart visualizations (bar, line, pie, table)
- INCLUDES: Report export (CSV, PDF)
- OPTIONAL: Custom report builder (user-defined fields, grouping, aggregation)
- OPTIONAL: Scheduled report delivery via email
- CHECK: Custom report builder is 80-120 hours — confirm ROI

SCOPE_ITEM: activity_feed
- INCLUDES: Chronological feed of actions in the org
- INCLUDES: Filterable by user, entity type, action type
- INCLUDES: Linked to audit trail for compliance
- CHECK: Activity feed is NOT the audit trail — audit trail is append-only, tamper-proof
## 8. API & Integrations

Detail page: integrations.md
SCOPE_ITEM: rest_api
- INCLUDES: RESTful API for all core resources
- INCLUDES: OpenAPI 3.1 specification (auto-generated)
- INCLUDES: Versioned API (v1, v2 via URL path)
- INCLUDES: Rate limiting per API key (configurable per plan)
- INCLUDES: Pagination (cursor-based for lists)
- INCLUDES: Filtering, sorting, field selection
- OPTIONAL: GraphQL API (only if client's customers are developers)
- CHECK: API-first design — UI and API use the same endpoints

SCOPE_ITEM: webhook_system
- INCLUDES: Outbound webhooks (event → HTTP POST to customer URL)
- INCLUDES: Webhook configuration UI (URL, events, secret)
- INCLUDES: Webhook signing (HMAC-SHA256)
- INCLUDES: Delivery log with retry status
- INCLUDES: Automatic retry (exponential backoff, 3 attempts)
- INCLUDES: Webhook test endpoint ("send test event")
- CHECK: Webhooks are table stakes for B2B SaaS — always include
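Both sides of the webhook signing above, as an added example that is not the project's code: the sender signs the timestamp plus the exact bytes it posts with HMAC-SHA256, the receiver rejects stale timestamps and compares signatures in constant time, and a delivery loop records the backoff schedule the delivery log would show. The header names, the 5-minute replay window and the 30-second base delay are assumptions; "3 attempts" is read here as three retries after the first delivery.

```python
# Added example (not from the feature tree): HMAC-SHA256 webhook signing with a
# timestamp, constant-time verification, a replay window and exponential backoff.
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header names
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
REPLAY_WINDOW_SECONDS = 300               # assumed tolerance for clock skew


def sign_payload(secret, timestamp, body):
    """Signature covers timestamp and raw body, so neither can be swapped."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_delivery(secret, event):
    """Sender side: serialize once and sign the exact bytes that are sent."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    ts = str(int(time.time()))
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: ts,
        SIGNATURE_HEADER: "sha256=" + sign_payload(secret, ts, body),
    }
    return headers, body


def verify_delivery(secret, headers, body, now=None):
    """Receiver side: reject stale timestamps, then compare with
    hmac.compare_digest so the check does not leak timing information."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER, "")
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    provided = headers.get(SIGNATURE_HEADER, "")
    if not provided.startswith("sha256="):
        return False
    expected = sign_payload(secret, ts_raw, body)
    return hmac.compare_digest(provided[len("sha256="):], expected)


def retry_delays(retries=3, base_seconds=30):
    """Exponential backoff for the retries: 30s, 60s, 120s with the defaults."""
    return [base_seconds * (2 ** i) for i in range(retries)]


def deliver_with_retry(send, headers, body, retries=3):
    """send(headers, body) returns an HTTP status. One initial attempt plus
    `retries` retries; returns the entries the delivery log would display.
    Delays are recorded, not slept, so the schedule is visible to the caller."""
    delays = [0] + retry_delays(retries)
    log = []
    for attempt, delay in enumerate(delays, start=1):
        status = send(headers, body)
        log.append({"attempt": attempt, "delay_s": delay, "status": status})
        if 200 <= status < 300:
            break
    return log
```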
SCOPE_ITEM: oauth2_app_marketplace
- INCLUDES: OAuth2 authorization code flow for third-party apps
- INCLUDES: App registration portal (client ID, secret, redirect URIs, scopes)
- INCLUDES: User consent screen
- INCLUDES: Token management (access + refresh tokens)
- OPTIONAL: Public app marketplace (listing, review, install)
- CHECK: Marketplace is 200+ hours — only if platform play is core to product

SCOPE_ITEM: native_integrations
- INCLUDES: Slack notifications
- INCLUDES: Microsoft Teams notifications
- OPTIONAL: Jira issue sync
- OPTIONAL: CRM sync (HubSpot, Salesforce)
- OPTIONAL: ERP sync (Exact Online, Twinfield for NL market)
- OPTIONAL: Email integration (shared inbox, forwarding)
- CHECK: Identify top 3 integrations from client's customer research

SCOPE_ITEM: zapier_make_integration
- INCLUDES: Zapier app with triggers and actions
- INCLUDES: Make (Integromat) module
- INCLUDES: n8n community node (open-source alternative)
- CHECK: Zapier app submission requires specific webhook format and OAuth2 support
## 9. Notifications
SCOPE_ITEM: email_notifications
- INCLUDES: Transactional emails (invite, password reset, payment receipt)
- INCLUDES: Notification emails (assignment, mention, status change)
- INCLUDES: Email templates with org branding
- INCLUDES: Unsubscribe per notification type
- INCLUDES: Email delivery tracking (sent, delivered, bounced)
- CHECK: Prefer Brevo (FR) or Mailjet (FR) — never raw SMTP. Resend/Postmark secondary (US-based — EU data sovereignty risk).

SCOPE_ITEM: in_app_notifications
- INCLUDES: Notification bell with unread count
- INCLUDES: Notification list with mark-as-read
- INCLUDES: Click-through to relevant resource
- INCLUDES: Real-time delivery (WebSocket or SSE)
- OPTIONAL: Notification preferences (per-type enable/disable)
- CHECK: In-app + email should be unified — single notification dispatch

SCOPE_ITEM: push_notifications
- INCLUDES: Browser push notifications (Web Push API)
- OPTIONAL: Mobile push (requires native app — see mobile scope)
- CHECK: Push notifications need explicit user consent — track opt-in rate
## 10. Audit Trail
SCOPE_ITEM: audit_logging
- INCLUDES: Append-only audit log for all state changes
- INCLUDES: Fields: timestamp, actor (user/system/API key), action, resource, old_value, new_value, IP, user_agent
- INCLUDES: Immutable storage (no delete, no update)
- INCLUDES: Retention policy (configurable, default 2 years)
- INCLUDES: Audit log viewer in admin panel (filterable, searchable)
- INCLUDES: Audit log export (CSV, JSON)
- COMPLIANCE: Required for ISO 27001 and SOC 2 Type II
- COMPLIANCE: GDPR right of access includes audit data about the requester
- CHECK: Audit log table grows fast — partition by month, archive strategy needed
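An append-only audit log with the fields listed above, as an added example that is not the project's code. Chaining each entry to the hash of the previous one is a technique added here so that any edit or deletion of an earlier row is detectable on replay; it complements, and does not replace, immutable storage (no UPDATE or DELETE on the table). The in-memory list and the `search` filter semantics are assumptions.

```python
# Added example (not from the feature tree): hash-chained, append-only audit
# log. verify() replays the chain and reports the first entry that no longer
# matches, which is how tampering with "immutable" storage gets noticed.
import hashlib
import json
from datetime import datetime, timezone

FIELDS = ("timestamp", "actor_type", "actor_id", "action", "resource",
          "old_value", "new_value", "ip", "user_agent")
ACTOR_TYPES = ("user", "system", "api_key")
GENESIS = "0" * 64  # prev_hash of the very first entry


def _canonical(entry):
    """Stable serialization (sorted keys, no whitespace) so hashes reproduce."""
    return json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True,
                      separators=(",", ":"))


def entry_hash(prev_hash, entry):
    return hashlib.sha256((prev_hash + _canonical(entry)).encode()).hexdigest()


class AuditLog:
    """Append-only: append() is the only public mutating method."""

    def __init__(self):
        self._entries = []

    def append(self, actor_type, actor_id, action, resource,
               old_value=None, new_value=None, ip=None, user_agent=None,
               timestamp=None):
        if actor_type not in ACTOR_TYPES:
            raise ValueError("actor must be one of user, system, api_key")
        entry = {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor_type": actor_type, "actor_id": actor_id,
            "action": action, "resource": resource,
            "old_value": old_value, "new_value": new_value,
            "ip": ip, "user_agent": user_agent,
        }
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry["prev_hash"] = prev
        entry["hash"] = entry_hash(prev, entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self):
        """Export view: copies, never the live rows."""
        return [dict(e) for e in self._entries]

    def verify(self):
        """Replay the chain; returns the index of the first bad entry, or -1."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["prev_hash"] != prev or entry_hash(prev, e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def search(self, **filters):
        """Viewer filter, e.g. search(actor_id="u1", action="update")."""
        return [e for e in self.entries()
                if all(e.get(k) == v for k, v in filters.items())]
```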
SCOPE_ITEM: login_audit
- INCLUDES: All login attempts (success and failure)
- INCLUDES: IP address, user agent, geo-location (approximate)
- INCLUDES: Failed login alerting (5+ failures triggers notification)
- COMPLIANCE: Login audit is separate from action audit — different retention rules
## 11. Data Import & Export
SCOPE_ITEM: data_export
- INCLUDES: Per-entity CSV export
- INCLUDES: Full account data export (GDPR data portability)
- INCLUDES: Async export for large datasets (email download link)
- INCLUDES: API-based export (same as API read endpoints)
- COMPLIANCE: GDPR Article 20 — data portability in machine-readable format

SCOPE_ITEM: data_import
- INCLUDES: CSV import with column mapping
- INCLUDES: Validation preview before commit
- INCLUDES: Error log (row-level, downloadable)
- INCLUDES: Duplicate detection (configurable: skip, overwrite, create new)
- OPTIONAL: API-based bulk import
- OPTIONAL: Competitor migration tool
- CHECK: Import is critical for onboarding and switching cost reduction

SCOPE_ITEM: data_deletion
- INCLUDES: Account deletion request flow
- INCLUDES: Data erasure within 30 days (GDPR)
- INCLUDES: Confirmation email with grace period
- INCLUDES: Backup exclusion after deletion
- COMPLIANCE: GDPR Article 17 — right to erasure
- CHECK: Clarify what "deletion" means — soft delete + 30-day purge is standard
## 12. Collaboration
SCOPE_ITEM: comments_and_mentions
- INCLUDES: Comments on entities (tasks, records, documents)
- INCLUDES: @mention users (triggers notification)
- INCLUDES: Rich text in comments (Markdown or WYSIWYG)
- INCLUDES: Edit and delete own comments
- OPTIONAL: Threaded replies
- CHECK: Only if the product domain has collaborative workflows

SCOPE_ITEM: real_time_collaboration
- INCLUDES: Presence indicators (who is viewing this page)
- INCLUDES: Real-time updates (WebSocket — other users see changes live)
- OPTIONAL: Collaborative editing (CRDT/OT — e.g., Yjs)
- CHECK: Real-time collab is 100-200 hours — confirm it is core to product

SCOPE_ITEM: sharing_and_links
- INCLUDES: Share entity via link (public or org-internal)
- INCLUDES: Permission-controlled sharing (view, edit, comment)
- INCLUDES: Expiring share links
- OPTIONAL: Guest access (external users with limited permissions)
- CHECK: Guest access model needs careful RBAC integration
## 13. Settings & Configuration
SCOPE_ITEM: organization_settings
- INCLUDES: General settings (name, logo, timezone, locale)
- INCLUDES: Security settings (MFA enforcement, session duration, IP allowlist)
- INCLUDES: Notification preferences (org-wide defaults)
- INCLUDES: Integration settings (connected apps, API keys)
- INCLUDES: Billing settings (plan, payment method, invoices)
- CHECK: Settings page is often the last thing built — allocate time

SCOPE_ITEM: user_settings
- INCLUDES: Profile settings (name, avatar, password change)
- INCLUDES: Notification preferences (per-type overrides)
- INCLUDES: Theme preference (light/dark/system)
- INCLUDES: Language preference
- INCLUDES: Connected accounts (social login, SSO)
- CHECK: User settings are separate from org settings — different permissions

SCOPE_ITEM: custom_fields
- INCLUDES: Admin-defined custom fields on entities
- INCLUDES: Field types (text, number, date, select, multi-select, URL)
- INCLUDES: Custom fields in list views, filters, exports
- OPTIONAL: Calculated fields (formulas)
- CHECK: Custom fields add 60-100 hours — confirm requirement
## 14. Admin Panel
SCOPE_ITEM: platform_admin_panel
- INCLUDES: System-wide dashboard (total orgs, users, MRR, usage)
- INCLUDES: Organization management (view, impersonate, suspend)
- INCLUDES: User management (search, view, reset password, force logout)
- INCLUDES: Plan and billing management (override plans, apply credits)
- INCLUDES: Feature flag management (global and per-org)
- INCLUDES: System health monitoring (error rates, queue depth, API latency)
- OPTIONAL: Support ticket view (if built-in support system exists)
- CHECK: Admin panel is the CLIENT's admin panel, not GE's admin panel
- CHECK: Impersonation must be audit-logged and time-limited

SCOPE_ITEM: platform_admin_rbac
- INCLUDES: Platform admin roles (super admin, support, billing, read-only)
- INCLUDES: Separate from org-level RBAC — platform admins are the client's staff
- INCLUDES: All platform admin actions audit-logged
- COMPLIANCE: Platform admin access must follow least-privilege principle
## 15. Mobile & Responsive
SCOPE_ITEM: responsive_web
- INCLUDES: Fully responsive web application (mobile, tablet, desktop)
- INCLUDES: Touch-friendly interactions
- INCLUDES: Mobile-optimized navigation (hamburger menu, bottom nav)
- CHECK: Responsive web is default — always included

SCOPE_ITEM: native_mobile_app
- INCLUDES: iOS app (Swift/SwiftUI — GE stack policy)
- INCLUDES: Push notifications
- INCLUDES: Offline capability (read-only cache)
- INCLUDES: Biometric authentication
- OPTIONAL: Android app (evaluate market need)
- CHECK: Native mobile adds 300-600 hours — confirm market need
- CHECK: Start with responsive web, add native mobile in Phase 2
## 16. Search
SCOPE_ITEM: global_search
- INCLUDES: Search across all entities (users, records, documents, comments)
- INCLUDES: Instant results (< 200ms)
- INCLUDES: Search result ranking by relevance
- INCLUDES: Tenant-scoped results (never leak cross-tenant data)
- OPTIONAL: Full-text search (PostgreSQL FTS for simple, Meilisearch for complex)
- OPTIONAL: Search filters and facets
- CHECK: PostgreSQL FTS handles 80% of cases — only add Meilisearch if UX demands it
## 17. Compliance & Legal

Detail page: compliance.md
SCOPE_ITEM: gdpr_compliance
- INCLUDES: Privacy policy and terms of service pages
- INCLUDES: Cookie consent banner (if applicable)
- INCLUDES: Data processing agreement (DPA) template
- INCLUDES: Sub-processor list (public page)
- INCLUDES: Data subject access request (DSAR) workflow
- INCLUDES: Data deletion request workflow
- INCLUDES: Data export (portability) workflow
- COMPLIANCE: All personal data processing documented in processing register

SCOPE_ITEM: security_compliance
- INCLUDES: Encryption at rest (AES-256) and in transit (TLS 1.3)
- INCLUDES: Secrets management (HashiCorp Vault or cloud KMS)
- INCLUDES: Dependency vulnerability scanning (CI/CD pipeline)
- INCLUDES: Penetration testing (annual, before enterprise launch)
- INCLUDES: Security headers (CSP, HSTS, X-Frame-Options)
- COMPLIANCE: ISO 27001 aligned by default
- COMPLIANCE: SOC 2 Type II audit-ready controls
## Scope Summary Template
Use this table during scoping sessions. Copy and fill in per client.
| # | Feature | Status | Hours Est | Phase | Notes |
|---|---------|--------|-----------|-------|-------|
| 1 | Email/password auth | | | | |
| 2 | Social login | | | | |
| 3 | MFA | | | | |
| 4 | Corporate SSO | | | | |
| 5 | Session management | | | | |
| 6 | API key auth | | | | |
| 7 | Org creation | | | | |
| 8 | Workspaces | | | | |
| 9 | Org invitations | | | | |
| 10| Org switching | | | | |
| 11| User profiles | | | | |
| 12| RBAC | | | | |
| 13| User deactivation | | | | |
| 14| Teams | | | | |
| 15| Tenant isolation | | | | |
| 16| Tenant config | | | | |
| 17| Tenant infra | | | | |
| 18| Subscriptions | | | | |
| 19| Seat billing | | | | |
| 20| Usage billing | | | | |
| 21| Payment processing | | | | |
| 22| Billing portal | | | | |
| 23| Setup wizard | | | | |
| 24| Data import | | | | |
| 25| Templates | | | | |
| 26| Product tours | | | | |
| 27| Trial management | | | | |
| 28| Dashboard | | | | |
| 29| Reporting | | | | |
| 30| Activity feed | | | | |
| 31| REST API | | | | |
| 32| Webhooks | | | | |
| 33| OAuth2 marketplace | | | | |
| 34| Native integrations | | | | |
| 35| Zapier/Make | | | | |
| 36| Email notifications | | | | |
| 37| In-app notifications | | | | |
| 38| Push notifications | | | | |
| 39| Audit logging | | | | |
| 40| Login audit | | | | |
| 41| Data export | | | | |
| 42| Data import (bulk) | | | | |
| 43| Data deletion | | | | |
| 44| Comments/mentions | | | | |
| 45| Real-time collab | | | | |
| 46| Sharing/links | | | | |
| 47| Org settings | | | | |
| 48| User settings | | | | |
| 49| Custom fields | | | | |
| 50| Platform admin | | | | |
| 51| Platform admin RBAC | | | | |
| 52| Responsive web | | | | |
| 53| Native mobile | | | | |
| 54| Global search | | | | |
| 55| GDPR compliance | | | | |
| 56| Security compliance | | | | |