# Identity Business Objects

## Why This Exists
This document defines the main business objects owned or referenced by the Identity Domain.
## Owner
The owner is the Chief Product Officer and Enterprise Architect.
## Business Value
Clear business objects make access control understandable, auditable, and enforceable across Algosure.
## Business Object Catalogue
| Object | Purpose | Ownership | Business value |
|---|---|---|---|
| Authentication Identity | Login identity or federated identity used to authenticate. | Identity | Proves who is accessing the platform. |
| User Account | Identity-owned account representing a person in Algosure. | Identity | Supports user lifecycle and access. |
| Organization Membership | Access relationship between user and organization tenant. | Identity references OrganizationId. | Enables team collaboration within tenant boundary. |
| Invitation | Controlled request to join an organization or role. | Identity | Supports secure onboarding. |
| Role | Named access bundle such as Owner, Admin, Member, Approver, Viewer, or API Operator. | Identity | Simplifies access management. |
| Permission | Specific allowed action or resource operation. | Identity | Enables fine-grained authorization. |
| Role Assignment | Assignment of role to user, service identity, or membership. | Identity | Grants scoped access. |
| Permission Assignment | Direct or policy-derived assignment of permission. | Identity | Supports fine control where needed. |
| Access Policy | Rule that governs authorization under context. | Identity | Enables consistent access decisions. |
| Authorization Decision | Result of evaluating actor, tenant, action, resource, role, permission, and entitlement. | Identity | Determines allow or deny. |
| Session | Authenticated interaction state for user or client. | Identity | Supports secure application access. |
| API Key | Secret-bearing credential for programmatic access. | Identity | Enables integrations with scoped access. |
| MFA Factor | Registered multi-factor authentication method. | Identity | Reduces account takeover risk. |
| Tenant Boundary | OrganizationId-based isolation boundary. | Identity references Organization. | Prevents cross-tenant access. |
| Identity Audit Event | Security-relevant identity event. | Identity | Supports investigation and compliance. |
## Referenced Business Context
| Referenced object | Owning domain | Identity usage |
|---|---|---|
| OrganizationId | Organization | Tenant boundary and membership scope. |
| Entitlement | Billing | Subscription-aware access decisions. |
| Administration policy configuration | Administration | Policy inputs that Identity enforces. |
| Notification request | Notification | Delivery of identity-related messages. |
## Object Relationship

```mermaid
flowchart TD
    User[User Account]
    Auth[Authentication Identity]
    Membership[Organization Membership]
    Invitation[Invitation]
    Role[Role]
    Permission[Permission]
    Policy[Access Policy]
    Session[Session]
    ApiKey[API Key]
    MFA[MFA Factor]
    Decision[Authorization Decision]
    User --> Auth
    User --> Membership
    Invitation --> Membership
    Membership --> Role
    Role --> Permission
    Policy --> Decision
    User --> Session
    User --> ApiKey
    User --> MFA
    Session --> Decision
    ApiKey --> Decision
```
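To make the Authorization Decision and Tenant Boundary rows concrete, here is an added example (not Algosure's own code) that evaluates actor, tenant, action, resource, role, permission and entitlement in the order a deny-by-default evaluator would. The role-to-permission bundles, the `feature:action` permission naming and the entitlement map keyed by OrganizationId are assumptions for illustration; the page names the roles but does not define their permission sets.

```python
from dataclasses import dataclass, field

# Assumed Role -> Permission bundles (illustrative, not Algosure's definitions).
ROLE_PERMISSIONS = {
    "Owner": {"project:read", "project:write", "billing:manage", "member:invite"},
    "Admin": {"project:read", "project:write", "member:invite"},
    "Member": {"project:read", "project:write"},
    "Approver": {"project:read", "approval:decide"},
    "Viewer": {"project:read"},
    "API Operator": {"project:read", "api:invoke"},
}

@dataclass
class Membership:
    """Organization Membership: the user's access relationship with one tenant."""
    user_id: str
    organization_id: str                      # referenced OrganizationId
    roles: set = field(default_factory=set)   # Role Assignments on this membership

@dataclass
class Resource:
    resource_id: str
    organization_id: str                      # the Tenant Boundary the resource lives in

@dataclass
class Decision:
    """Authorization Decision; the reason is what an Identity Audit Event would record."""
    allowed: bool
    reason: str

def authorize(actor_id, memberships, action, resource, entitlements):
    """Deny by default: tenant boundary, then role/permission, then entitlement."""
    # 1. Tenant Boundary: the actor needs a membership in the resource's tenant,
    #    so a role held in another organization never leaks across tenants.
    membership = next((m for m in memberships
                       if m.user_id == actor_id
                       and m.organization_id == resource.organization_id), None)
    if membership is None:
        return Decision(False, "cross-tenant: no membership in resource tenant")
    # 2. Role -> Permission: union of the bundles for every assigned role.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in membership.roles))
    if action not in granted:
        return Decision(False, f"permission {action} not granted by roles {sorted(membership.roles)}")
    # 3. Entitlement (owned by Billing): the tenant's subscription must cover the feature.
    feature = action.split(":")[0]
    if feature not in entitlements.get(resource.organization_id, set()):
        return Decision(False, f"tenant not entitled to feature {feature}")
    return Decision(True, "allow")
```

Because each check returns a distinct reason, the same evaluator output can feed both the allow/deny result and the Identity Audit Event for investigation.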