# Identity Capabilities

## Why This Exists
This document maps the Identity Domain to Business Capabilities.
## Owner
The owner is the Chief Product Officer and Enterprise Architect.
## Business Value
Identity capabilities make secure access, membership, authorization, tenant isolation, API access, MFA, and session management stable and governable.
## Capability Map
| Capability ID | Capability | Purpose | Owner Practice | Primary Digital Professional | Inputs | Outputs | KPIs | Dependencies | Maturity |
|---|---|---|---|---|---|---|---|---|---|
| ID-001 | User Account Management | Manage user account lifecycle. | Executive Office | Ava | Email, identity provider, status. | User account. | Account activation rate. | Notification. | 1 |
| ID-002 | Authentication Identity Management | Manage local or federated authentication identities. | Executive Office | Ava | Provider, subject, verification. | Authentication identity. | Sign-in success rate. | Future Keycloak integration. | 1 |
| ID-003 | Organization Membership Management | Manage user access to organization tenants. | Executive Office | Ava | UserId, OrganizationId, membership status. | Membership. | Membership accuracy. | Organization. | 1 |
| ID-004 | Invitation Management | Invite users into organizations and roles. | Executive Office | Ava | Recipient, OrganizationId, role proposal. | Invitation. | Invitation acceptance rate. | Notification, Organization. | 1 |
| ID-005 | Role And Permission Management | Manage roles, permissions, and assignments. | Executive Office | Ava | Role definitions, permission definitions, assignments. | Access grants. | Permission coverage. | Administration. | 1 |
| ID-006 | Authorization Decisioning | Evaluate access decisions. | Executive Office | Ava | Actor, tenant, action, resource, policy, entitlement. | Allow, deny, challenge. | Decision latency, deny accuracy. | Billing, Administration. | 1 |
| ID-007 | Session Management | Manage session lifecycle, expiry, and revocation. | Executive Office | Ava | Authentication event, device context. | Session state. | Revocation effectiveness. | Platform. | 1 |
| ID-008 | API Key Management | Manage scoped programmatic access. | Executive Office | Ava | Owner, scopes, expiry, tenant. | API key metadata. | Key rotation and revocation rate. | Platform. | 1 |
| ID-009 | MFA Management | Manage MFA factors and challenges. | Executive Office | Ava | Factor type, verification, risk context. | MFA state. | MFA adoption, challenge success. | Notification. | 1 |
| ID-010 | Tenant Isolation Enforcement | Enforce organization boundary on access. | Executive Office | Ava | OrganizationId, membership, resource context. | Tenant authorization result. | Cross-tenant denial coverage. | Organization. | 1 |
| ID-011 | Identity Audit Management | Record security-sensitive identity events. | Executive Office | Ava | Identity events and decisions. | Audit records. | Audit completeness. | Analytics. | 1 |
## Capability Flow

```mermaid
flowchart LR
    User[ID-001 User]
    Auth[ID-002 Auth Identity]
    Membership[ID-003 Membership]
    Roles[ID-005 Roles]
    Session[ID-007 Session]
    Entitlement[Billing Entitlement]
    Decision[ID-006 Authorization]
    Tenant[ID-010 Tenant Isolation]
    User --> Auth
    User --> Membership
    Membership --> Roles
    Auth --> Session
    Session --> Tenant
    Roles --> Decision
    Entitlement --> Decision
    Tenant --> Decision
```
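The decision composition in the flow above, as an added example that is not part of this document or the project's code: tenant isolation (ID-010) is evaluated before role grants (ID-005) and the billing entitlement, and the ID-009 risk context turns a high-risk action into a challenge rather than an allow. The policy rules, entitlement table, `tenant/feature/id` resource naming and sample actors are all constructed assumptions.

```python
"""Added example of the ID-006 decision flow: tenant isolation (ID-010), role grants
(ID-005) and billing entitlement composed into allow / deny / challenge.
All rules and records below are constructed assumptions, not the project's model."""
from dataclasses import dataclass


@dataclass
class Actor:
    user_id: str
    memberships: set          # OrganizationIds with active membership (ID-003)
    roles: dict               # OrganizationId -> set of role names (ID-005)
    mfa_verified: bool = False  # MFA state carried by the session (ID-009)


# Constructed policy: role -> permitted actions.
POLICY = {"admin": {"read", "write", "delete"}, "member": {"read", "write"}}
# Constructed entitlement input from Billing: tenant -> enabled features.
ENTITLEMENTS = {"org-a": {"api"}, "org-b": set()}
# Constructed risk context: actions that require a verified MFA factor.
HIGH_RISK_ACTIONS = {"delete"}


def decide(actor: Actor, tenant: str, action: str, resource: str) -> str:
    """Return 'allow', 'deny' or 'challenge' for one (actor, tenant, action, resource)."""
    # ID-010: the organization boundary is enforced first. A caller who is not a
    # member, or a resource that belongs to another tenant, is denied before any
    # role or entitlement is consulted, so cross-tenant denials never depend on policy.
    if tenant not in actor.memberships or not resource.startswith(f"{tenant}/"):
        return "deny"
    # Billing entitlement: the feature the resource belongs to must be enabled.
    feature = resource.split("/")[1]
    if feature not in ENTITLEMENTS.get(tenant, set()):
        return "deny"
    # ID-005: at least one of the actor's roles in this tenant must grant the action.
    granted = set().union(*(POLICY.get(r, set()) for r in actor.roles.get(tenant, set())))
    if action not in granted:
        return "deny"
    # ID-009: high-risk actions without a verified factor get a challenge, not an allow.
    if action in HIGH_RISK_ACTIONS and not actor.mfa_verified:
        return "challenge"
    return "allow"
```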
## Capability Ownership
The Executive Office Practice owns Identity capabilities as a platform governance function. Ava is the primary Digital Professional for access administration workflow coordination.