Identity Domain

Why This Exists

The Identity Domain is responsible for authentication identity, users, organization membership, invitations, roles, permissions, access policies, sessions, API keys, MFA, tenant isolation, and authorization decisions.

Algosure is an AI Digital Procurement Company. Customers run procurement work on a multi-tenant platform that holds company data, compliance records, tenders, bids, contracts, suppliers, funding information, learning records, notifications, analytics, and billing state. Identity ensures that only the right person, service, or integration can reach a given tenant, resource, and action.

Owner

The owner is the Chief Product Officer and Enterprise Architect.

Identity owns authentication identities, user accounts, role assignments, permission assignments, organization membership access, sessions, API keys, invitations, MFA state, and authorization decisions.

Business Value

Identity protects customer trust, tenant isolation, and operational integrity. It enables secure access, team collaboration, invitation workflows, role-based access, service access through API keys, and consistent authorization decisions across the platform.

Domain Definition

The Identity Domain manages:

  • Authentication identities.
  • User accounts.
  • Organization memberships.
  • Invitations.
  • Roles.
  • Permissions.
  • Access policies.
  • Authorization decisions.
  • Sessions.
  • API keys.
  • Multi-factor authentication state.
  • Tenant isolation rules.

Ownership Boundaries

| Concept | Owning domain |
|---|---|
| Authentication identities, user accounts, organization membership access, role assignments, permission assignments, sessions, API keys, invitations, MFA state, authorization decisions | Identity |
| Organization business profile and organization facts | Organization |
| Subscription entitlements and usage limits | Billing |
| Platform-wide policy configuration | Administration |
| Notification delivery for identity events | Notification |
| Security analytics and audit reporting views | Analytics |
| External identity provider implementation details | Integration or Platform implementation |

Keycloak Boundary

Identity must remain compatible with a future Keycloak integration. Keycloak is not the domain model. It may become an implementation component for authentication, federation, token issuance, or identity provider integration. The Algosure domain language remains User Account, Authentication Identity, Membership, Role, Permission, Session, API Key, MFA, and Authorization Decision.
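The boundary described above is easiest to see as an anti-corruption layer: a thin adapter that accepts claims from a Keycloak-issued OIDC token and produces the domain's own Authentication Identity, which is then linked to a User Account. The example below is an added illustration, not Algosure or Keycloak code. It assumes the token signature has already been verified by a JOSE library (not shown), uses the standard OIDC claim names (iss, aud, sub, exp, email_verified), and treats the issuer URL, audience name, link table and subject values as hypothetical. Keycloak's realm_access roles are deliberately dropped, because Role, Permission and Membership are owned by the Identity domain rather than by the identity provider.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical values for this example; real ones come from deployment config.
EXPECTED_ISSUER = "https://sso.example.test/realms/algosure"
EXPECTED_AUDIENCE = "algosure-platform"


class TokenRejected(Exception):
    """Raised when a token does not satisfy the boundary checks."""


@dataclass(frozen=True)
class AuthenticationIdentity:
    """Domain concept: which provider vouched for which subject."""
    provider: str        # e.g. "keycloak"
    subject: str         # stable identifier at that provider (OIDC `sub`)
    email_verified: bool


def identity_from_claims(claims: dict, now: Optional[float] = None) -> AuthenticationIdentity:
    """Translate signature-verified token claims into a domain identity.

    Signature verification is assumed to have happened already (a JOSE library
    would do it); this layer only checks who issued the token, for whom, and
    whether it is still valid, then discards everything Keycloak-specific.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise TokenRejected("token was not issued for this platform")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or has no exp claim")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenRejected("token has no subject")
    # Keycloak's realm_access / resource_access roles are intentionally ignored:
    # Role, Permission and Membership are resolved by the Identity domain.
    return AuthenticationIdentity(provider="keycloak", subject=sub,
                                  email_verified=bool(claims.get("email_verified", False)))


# Hypothetical link table: (provider, subject) -> UserAccount id. A user account
# may be linked to more than one authentication identity.
IDENTITY_LINKS = {("keycloak", "6b1e1c2a-0000-4000-8000-000000000001"): "user-42"}


def resolve_user_account(identity: AuthenticationIdentity, links=IDENTITY_LINKS) -> Optional[str]:
    """Look up the UserAccount this identity is linked to, or None if unlinked."""
    return links.get((identity.provider, identity.subject))


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed sample claims; returns outcomes keyed by scenario."""
    good = {"iss": EXPECTED_ISSUER, "aud": [EXPECTED_AUDIENCE, "account"],
            "sub": "6b1e1c2a-0000-4000-8000-000000000001", "exp": now + 300,
            "email_verified": True, "realm_access": {"roles": ["admin"]}}
    wrong_aud = dict(good, aud="some-other-client")
    expired = dict(good, exp=now - 1)
    unknown_sub = dict(good, sub="6b1e1c2a-0000-4000-8000-000000000002")
    out = {}
    out["linked_account"] = resolve_user_account(identity_from_claims(good, now))
    out["unlinked_account"] = resolve_user_account(identity_from_claims(unknown_sub, now))
    for name, claims in (("wrong_aud", wrong_aud), ("expired", expired)):
        try:
            identity_from_claims(claims, now)
            out[name] = "accepted"
        except TokenRejected as e:
            out[name] = str(e)
    return out
```

An unlinked identity (a valid token whose subject is unknown to the platform) is returned as `None` rather than silently creating a user account; whether to auto-provision or to route the caller through an invitation is a domain decision, not something the token should dictate.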

Domain Relationship Overview

flowchart TD
    Identity[Identity Domain]
    Organization[Organization]
    Billing[Billing]
    Administration[Administration]
    Notification[Notification]
    Analytics[Analytics]
    Domains[Operational Domains]
    Keycloak[Future Keycloak Integration]

    Organization -->|OrganizationId for tenant boundary| Identity
    Billing -->|entitlement signals| Identity
    Administration -->|policy configuration| Identity
    Identity -->|access decisions| Domains
    Identity -->|identity notification requests| Notification
    Identity -->|security and access events| Analytics
    Keycloak -. implementation detail .-> Identity

Domain-Driven Design Position

Identity is a foundation domain because every user action, service action, and API integration must be authenticated and authorized before it can affect procurement work. Other domains rely on Identity for access decisions but retain ownership of their business facts.

Multi-Tenant Isolation

Multi-tenant isolation is a core rule. Every authorization decision is evaluated inside one organization: the principal (user session, API key, or service identity) must hold a membership in the organization named by the request, and the target resource must carry that same OrganizationId. Holding a role or permission in one organization grants nothing in another. OrganizationId is a tenant boundary reference, not organization profile ownership, which stays with the Organization domain.
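A concrete shape for such a decision, covering both the tenant boundary above and the Authorization Decisions concept from the domain definition, as an added example rather than Algosure's own code: the function checks membership in the requested organization, checks that the resource belongs to that same organization, derives permissions only from roles held there, and applies an MFA step-up for sensitive actions. The role-to-permission table, the rule that an API key is bound to exactly one organization, the MFA step-up policy and all identifiers are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Mapping

# Hypothetical role -> permission table; in the page's model Roles and
# Permissions are owned by the Identity domain.
ROLE_PERMISSIONS: Mapping[str, FrozenSet[str]] = {
    "org_admin": frozenset({"tender:read", "tender:write", "member:invite"}),
    "buyer": frozenset({"tender:read", "tender:write"}),
    "viewer": frozenset({"tender:read"}),
}

# Hypothetical step-up policy: these actions need a verified MFA session.
MFA_REQUIRED_ACTIONS = frozenset({"member:invite"})


@dataclass(frozen=True)
class Principal:
    """An authenticated caller: a user session or an API key."""
    principal_id: str
    kind: str                                  # "user" or "api_key"
    memberships: Mapping[str, FrozenSet[str]]  # OrganizationId -> role names
    mfa_verified: bool = False


@dataclass(frozen=True)
class Resource:
    resource_id: str
    organization_id: str  # tenant boundary reference carried by every resource


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, organization_id: str,
              resource: Resource, action: str) -> Decision:
    """Authorization decision evaluated inside one tenant boundary."""
    # Structural invariant (assumed): an API key is bound to exactly one org.
    if principal.kind == "api_key" and len(principal.memberships) != 1:
        return Decision(False, "API key must be scoped to exactly one organization")
    # 1. Tenant boundary: the caller must be a member of the requested org.
    roles = principal.memberships.get(organization_id, frozenset())
    if not roles:
        return Decision(False, "not a member of the requested organization")
    # 2. The target resource must belong to the same org as the request;
    #    this blocks cross-tenant reads through guessed resource ids.
    if resource.organization_id != organization_id:
        return Decision(False, "resource belongs to a different organization")
    # 3. Permissions come only from roles held in *this* org.
    granted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in roles))
    if action not in granted:
        return Decision(False, f"no role in this organization grants '{action}'")
    # 4. Step-up: sensitive actions require a verified MFA session.
    if action in MFA_REQUIRED_ACTIONS and not principal.mfa_verified:
        return Decision(False, "action requires a verified MFA session")
    return Decision(True, "allowed")


def demo() -> dict:
    """Constructed sample principals and resources; returns decision outcomes."""
    alice = Principal("user-alice", "user",
                      {"org-a": frozenset({"org_admin"}), "org-b": frozenset({"viewer"})})
    svc_key = Principal("key-7", "api_key", {"org-a": frozenset({"buyer"})})
    tender_a = Resource("tender-1", "org-a")
    tender_b = Resource("tender-2", "org-b")
    members_a = Resource("members", "org-a")
    return {
        "admin_write_own_org": authorize(alice, "org-a", tender_a, "tender:write").allowed,
        "viewer_write_other_org": authorize(alice, "org-b", tender_b, "tender:write").allowed,
        "cross_tenant_resource": authorize(alice, "org-a", tender_b, "tender:read").allowed,
        "api_key_no_membership": authorize(svc_key, "org-b", tender_b, "tender:read").allowed,
        "api_key_write_own_org": authorize(svc_key, "org-a", tender_a, "tender:write").allowed,
        "invite_without_mfa": authorize(alice, "org-a", members_a, "member:invite").allowed,
    }
```

The `cross_tenant_resource` case is the one that matters most: alice is an admin of org-a, yet a request made under org-a for a tender that belongs to org-b is denied before any role is consulted, because the resource's own OrganizationId does not match the request. Checking membership alone would not catch this.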