Good, clear distinction - well said.
On authorization, I suggest thinking about admins and support people being NOT authorized to change data or transactions posted by regular users.
In some situations, that level of permission may be appropriate, but it's worth thinking about.
I have worked in financial services (as lead user, primary on-site support person, and liaison with software techs) where internally changing data is a serious business. Therefore, the system/s we worked with deliberately precluded making data changes other than via the normal user-facing software.