Identity Aggregates

Why This Exists

This document defines aggregate boundaries for the Identity Domain.

Owner

The owner is the Chief Product Officer and Enterprise Architect.

Business Value

Aggregate boundaries protect authentication state, membership, authorization, sessions, API keys, and MFA from inconsistent updates.

Aggregate Map

flowchart TD
    User[User Account Aggregate]
    Membership[Membership Aggregate]
    Invitation[Invitation Aggregate]
    Access[Access Control Aggregate]
    Session[Session Aggregate]
    ApiKey[API Key Aggregate]
    MFA[MFA Aggregate]
    Decision[Authorization Decision Aggregate]

    User --> Membership
    Invitation --> Membership
    Access --> Decision
    Membership --> Access
    User --> Session
    User --> ApiKey
    User --> MFA
    Session --> Decision
    ApiKey --> Decision

User Account Aggregate

The User Account aggregate owns account identity, status, authentication references, verified email state, profile access metadata, and account lifecycle.

Invariants

  • A user account must have a stable UserId.
  • Authentication identifiers must be unique within the configured identity scope.
  • Disabled accounts cannot create new sessions or API keys.

Membership Aggregate

The Membership aggregate owns the relationship between UserId and OrganizationId, membership status, tenant role assignments, and access scope.

Invariants

  • Membership must reference one OrganizationId.
  • Membership must not store organization business profile data.
  • A user cannot access organization-scoped resources without an active membership or approved service access.

Invitation Aggregate

The Invitation aggregate owns invitation recipient, inviting actor, organization scope, proposed roles, expiry, status, and acceptance.

Invariants

  • Invitations must expire.
  • Invitation acceptance must create or update membership through Identity rules.
  • Invitations must be tenant-scoped.

Access Control Aggregate

The Access Control aggregate owns roles, permissions, role assignments, permission assignments, and access policies.

Invariants

  • Roles must map to permissions.
  • Permissions must identify action and resource scope.
  • Access policies must fail closed when required context is missing.

Session Aggregate

The Session aggregate owns active sessions, refresh state, revocation state, device metadata, and expiry.

Invariants

  • Sessions must expire.
  • Sessions must be revocable.
  • Session context must include tenant scope when accessing tenant resources.

API Key Aggregate

The API Key aggregate owns key metadata, hashed secret, scopes, expiry, last-used metadata, and revocation state.

Invariants

  • API key plaintext must not be stored.
  • API keys must have scopes and tenant boundaries.
  • Revoked API keys cannot authorize requests.

MFA Aggregate

The MFA aggregate owns registered factors, verification state, recovery state, and enforcement requirements.

Invariants

  • MFA factors must be verified before use.
  • High-risk authorization may require recent MFA verification.
  • Recovery processes must be auditable.

Authorization Decision Aggregate

The Authorization Decision aggregate records decisions where audit is required. It owns subject, action, resource, tenant, context, entitlement signal, result, and reason.

Invariants

  • Decisions must include tenant context for tenant-scoped resources.
  • Deny must be the default when required context is missing.
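The following is an added illustration of how the Session, API Key, MFA and Access Control invariants above feed into an Authorization Decision record; it is example code written for this page, not the project's own implementation, and the names Principal, Decision, HIGH_RISK and authorize are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the inputs a decision depends on. A Principal is the
# subject resolved from a session or an API key; field names are assumptions.
@dataclass
class Principal:
    user_id: str
    tenant_id: Optional[str]          # tenant scope carried by the session/key
    scopes: frozenset = frozenset()   # permissions granted by roles or key scopes
    revoked: bool = False             # revoked API key or revoked session
    account_disabled: bool = False    # disabled accounts cannot authorize
    recent_mfa: bool = False          # recent MFA verification present

# The Authorization Decision record: subject, action, resource, tenant,
# result and reason, as the aggregate description requires.
@dataclass(frozen=True)
class Decision:
    subject: str
    action: str
    resource: str
    tenant: Optional[str]
    result: str   # "allow" or "deny"
    reason: str

# Constructed set of actions treated as high-risk (requires recent MFA).
HIGH_RISK = frozenset({"org:delete", "apikey:create"})

def authorize(p: Principal, action: str, resource: str,
              resource_tenant: Optional[str]) -> Decision:
    """Evaluate one request; every early return is a recorded deny."""
    def deny(reason: str) -> Decision:
        return Decision(p.user_id, action, resource, resource_tenant, "deny", reason)

    # Fail closed: tenant-scoped resources need tenant context on both sides.
    if resource_tenant is None or p.tenant_id is None:
        return deny("missing tenant context")
    if p.tenant_id != resource_tenant:
        return deny("tenant mismatch")
    if p.account_disabled:
        return deny("account disabled")
    if p.revoked:
        return deny("credential revoked")
    if action not in p.scopes:
        return deny("permission not granted")
    if action in HIGH_RISK and not p.recent_mfa:
        return deny("recent MFA verification required")
    return Decision(p.user_id, action, resource, resource_tenant, "allow",
                    "permission granted within tenant scope")
```

Because the default path is a deny and only the final branch allows, a missing check or unexpected input can never widen access; the Decision objects are what the audit trail would persist.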