# Identity Business Rules

## Why This Exists

This document defines business rules for the Identity Domain.

## Owner

The owner is the Chief Product Officer and Enterprise Architect.

## Business Value

Rules protect tenant isolation, account security, least privilege, and consistent authorization across Algosure.

## Rules

| Rule ID | Rule | Rationale |
|---|---|---|
| ID-RULE-001 | Identity owns authentication identity, user account, role assignment, permission assignment, organization membership access, session, API key, invitation, MFA state, and authorization decisions. | Maintains domain ownership. |
| ID-RULE-002 | Organization owns organization business profile and organization facts. Identity references OrganizationId only for membership and tenant boundary. | Preserves Organization ownership. |
| ID-RULE-003 | Multi-tenant isolation must be enforced for every organization-scoped request. | Prevents cross-tenant data access. |
| ID-RULE-004 | Authorization must fail closed when user, tenant, resource, entitlement, or policy context is missing. | Protects access by default. |
| ID-RULE-005 | Billing may restrict entitlement access, but Identity enforces access decisions using entitlement signals. | Separates commercial state from enforcement. |
| ID-RULE-006 | Administration may configure platform policies, but Identity owns enforcement. | Separates policy configuration from identity enforcement. |
| ID-RULE-007 | Keycloak is an implementation or integration detail and must not replace Identity domain language. | Protects domain model portability. |
| ID-RULE-008 | Invitations must expire and be scoped to an organization and intended access. | Prevents stale access grants. |
| ID-RULE-009 | Sessions must expire and be revocable. | Limits account compromise impact. |
| ID-RULE-010 | API keys must store hashes only, must have scopes, and must be revocable. | Protects programmatic access. |
| ID-RULE-011 | MFA factors must be verified before enforcement and required for configured high-risk actions. | Reduces takeover risk. |
| ID-RULE-012 | Role and permission assignments must be auditable. | Supports accountability. |
| ID-RULE-013 | Direct permission assignments should be exceptional and justified. | Maintains manageable access model. |
| ID-RULE-014 | Authentication failure messaging must not reveal whether an account exists. | Reduces enumeration risk. |
| ID-RULE-015 | Security-sensitive events must be logged without storing secrets. | Supports investigation safely. |
## Enforcement Model

Identity evaluates actor, authentication state, session or API key validity, tenant scope, role, permission, access policy, MFA requirement, and Billing entitlement signal before allowing access.
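The following is an added example, not code from the Algosure project: a Python evaluator that checks the signals listed above in that order and fails closed whenever any of them is absent, as ID-RULE-004 requires. It also applies ID-RULE-010 (API keys compared by hash only) and ID-RULE-011 (MFA for configured high-risk actions). Every role name, permission string, entitlement feature, data class and helper is a hypothetical stand-in for whatever the real domain model defines.

```python
# Added example (not Algosure project code): fail-closed authorization that
# walks the Enforcement Model signals in order. All names are hypothetical.
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Hypothetical role -> permission mapping (ID-RULE-013: direct grants are the exception).
ROLE_PERMISSIONS = {
    "org_admin": {"reports:read", "members:invite", "members:remove"},
    "org_member": {"reports:read"},
}
# Hypothetical set of actions configured as high-risk (ID-RULE-011).
HIGH_RISK_PERMISSIONS = {"members:remove"}
# Hypothetical permission -> Billing entitlement feature (ID-RULE-005).
PERMISSION_ENTITLEMENT = {"reports:read": "reporting", "members:invite": "seats", "members:remove": "seats"}
# Fixed clock for the constructed sample data below.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class Actor:
    user_id: str
    org_id: str
    roles: set[str] = field(default_factory=set)
    direct_permissions: set[str] = field(default_factory=set)
    mfa_verified: bool = False


@dataclass
class Session:
    user_id: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class ApiKey:
    key_hash: str          # ID-RULE-010: only the hash is stored, never the raw key
    org_id: str
    scopes: set[str]
    revoked: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # audit-log reason; never surface this text to the caller (ID-RULE-014)


def hash_api_key(raw_key: str) -> str:
    # Assumption: raw keys are high-entropy random strings, so an unsalted
    # SHA-256 digest is adequate for lookup and constant-time comparison.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def session_for(user_id: str, ttl_seconds: int, revoked: bool = False) -> Session:
    # Constructed sample session relative to the fixed NOW clock.
    return Session(user_id, NOW + timedelta(seconds=ttl_seconds), revoked)


def authorize(actor: Optional[Actor], tenant_id: Optional[str], permission: str, *,
              session: Optional[Session] = None, api_key: Optional[ApiKey] = None,
              presented_key: Optional[str] = None,
              policy: Optional[Callable[[Actor, str, str], bool]] = None,
              entitlements: Optional[set[str]] = None,
              now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    deny = lambda why: Decision(False, why)
    # 1. Actor and tenant context must be present (ID-RULE-004).
    if actor is None or tenant_id is None or not permission:
        return deny("missing actor, tenant or permission context")
    # 2. Authentication state: exactly one credential type must be presented.
    if session is None and api_key is None:
        return deny("unauthenticated")
    # 3. Credential validity (ID-RULE-009 sessions, ID-RULE-010 API keys).
    if session is not None:
        if session.user_id != actor.user_id:
            return deny("session does not belong to actor")
        if session.revoked or session.expires_at <= now:
            return deny("session expired or revoked")
    else:
        if presented_key is None or api_key.revoked:
            return deny("api key missing or revoked")
        if not hmac.compare_digest(api_key.key_hash, hash_api_key(presented_key)):
            return deny("api key mismatch")
        if api_key.org_id != tenant_id or permission not in api_key.scopes:
            return deny("api key not scoped to tenant or permission")
    # 4. Tenant scope (ID-RULE-003).
    if actor.org_id != tenant_id:
        return deny("actor is not a member of tenant")
    # 5. Role and permission: union of role grants and (exceptional) direct grants.
    effective = set(actor.direct_permissions)
    for role in actor.roles:
        effective |= ROLE_PERMISSIONS.get(role, set())
    if permission not in effective:
        return deny("permission not granted")
    # 6. Access policy: a missing policy is a denial, not a pass-through.
    if policy is None or not policy(actor, tenant_id, permission):
        return deny("access policy missing or denied")
    # 7. MFA requirement for configured high-risk actions (ID-RULE-011).
    if permission in HIGH_RISK_PERMISSIONS and not actor.mfa_verified:
        return deny("mfa required")
    # 8. Billing entitlement signal (ID-RULE-005); unmapped permissions fail closed.
    feature = PERMISSION_ENTITLEMENT.get(permission)
    if entitlements is None or feature is None or feature not in entitlements:
        return deny("entitlement signal missing or not entitled")
    return Decision(True, "allowed")
```

Each denial carries an internal reason so the decision can be logged for investigation (ID-RULE-015) while the response returned to the caller stays uniform; ordering the checks as the model lists them means the cheapest and most fundamental context (actor, credential, tenant) is rejected before any policy or entitlement lookup runs.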