# Identity Database
## Why This Exists
This document defines the conceptual database responsibilities for the Identity Domain. It does not define the physical SQL implementation.
## Owner
The owner is the Chief Product Officer and Enterprise Architect.
## Business Value
Identity storage must protect access state, tenant boundaries, sessions, API keys, MFA, roles, permissions, and security audit records.
## Conceptual Tables Or Collections
| Table or collection | Responsibility |
|---|---|
| identity_user_accounts | User account identity, status, email verification, and lifecycle metadata. |
| identity_authentication_identities | Local or federated authentication identities and provider subjects. |
| identity_organization_memberships | User-to-OrganizationId membership and tenant access status. |
| identity_invitations | Invitation recipient, scope, roles, expiry, status, and acceptance metadata. |
| identity_roles | Role definitions, scope, status, and version. |
| identity_permissions | Permission definitions by resource, action, and scope. |
| identity_role_assignments | Role grants to users, memberships, or service identities. |
| identity_permission_assignments | Direct permission grants where explicitly allowed. |
| identity_access_policies | Policy definitions and enforcement metadata. |
| identity_sessions | Session state, expiry, revocation, device metadata, and risk context. |
| identity_api_keys | API key metadata, prefix, hash, scopes, expiry, last used, and revocation state. |
| identity_mfa_factors | MFA factor type, verification state, status, and recovery metadata. |
| identity_authorization_decisions | Auditable access decisions where recording is required. |
| identity_audit_log | Security-sensitive identity events. |
## Indexing Considerations
Identity should support indexes for:
- user_id
- organization_id
- email_normalized
- provider and provider_subject
- membership_status
- session_id
- api_key_prefix
- role_id
- permission_code
- occurred_at
## Security Storage Requirements
- API key secrets must be stored as hashes only.
- Password hashes, if supported, must use approved password hashing.
- MFA secrets and recovery codes require strong protection.
- Session secrets must not be logged.
- Audit logs must redact secrets and sensitive tokens.
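The following is an added example, not code from the Identity Domain or this document, showing how the identity_api_keys and identity_audit_log responsibilities above can be honoured in practice: the key secret is returned once and only its hash is stored, lookups use the indexed api_key_prefix, expiry and revocation are enforced on verification, and audit entries carry the key id and public prefix but never the secret. The column names, the `ak_` key format, the prefix length and the in-memory store are assumptions made for the example.

```python
"""Added example, not part of the Identity Database document: an in-memory
stand-in for identity_api_keys and identity_audit_log that follows the
storage rules (hash only, prefix index, expiry/revocation, redacted audit).
The field names, the 'ak_' key format and the prefix length are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

KEY_PREFIX_LEN = 8  # assumed length of the indexed api_key_prefix column


@dataclass
class ApiKeyRecord:
    """One row of identity_api_keys (assumed layout); never holds the secret."""
    api_key_id: str
    organization_id: str
    api_key_prefix: str
    key_hash: str
    scopes: frozenset
    expires_at: datetime
    last_used_at: Optional[datetime] = None
    revoked: bool = False


@dataclass
class AuditEvent:
    """One row of identity_audit_log (assumed layout)."""
    occurred_at: datetime
    event_type: str
    organization_id: str
    detail: dict = field(default_factory=dict)


class IdentityStore:
    def __init__(self) -> None:
        self.api_keys: Dict[str, ApiKeyRecord] = {}   # keyed by api_key_id
        self.by_prefix: Dict[str, List[str]] = {}     # the api_key_prefix index
        self.audit_log: List[AuditEvent] = []


def hash_key(secret: str) -> str:
    # A fast hash is acceptable for a random 256-bit key; low-entropy user
    # passwords are a different case and need the approved password hashing.
    return hashlib.sha256(secret.encode()).hexdigest()


def _utcnow(now: Optional[datetime]) -> datetime:
    return now or datetime.now(timezone.utc)


def issue_api_key(store, organization_id, scopes, ttl_days=90, now=None):
    """Create a key; the plaintext is returned once and only its hash is stored."""
    now = _utcnow(now)
    secret = "ak_" + secrets.token_urlsafe(32)
    prefix = secret[:KEY_PREFIX_LEN]
    record = ApiKeyRecord(
        api_key_id=secrets.token_hex(8),
        organization_id=organization_id,
        api_key_prefix=prefix,
        key_hash=hash_key(secret),
        scopes=frozenset(scopes),
        expires_at=now + timedelta(days=ttl_days),
    )
    store.api_keys[record.api_key_id] = record
    store.by_prefix.setdefault(prefix, []).append(record.api_key_id)
    # The audit entry identifies the key by id and public prefix, never by secret.
    store.audit_log.append(AuditEvent(now, "api_key.issued", organization_id,
                                      {"api_key_id": record.api_key_id,
                                       "api_key_prefix": prefix}))
    return secret, record.api_key_id


def verify_api_key(store, presented: str, now=None) -> Optional[ApiKeyRecord]:
    """Look up by prefix, compare hashes in constant time, enforce expiry/revocation."""
    now = _utcnow(now)
    prefix = presented[:KEY_PREFIX_LEN]
    presented_hash = hash_key(presented)
    for key_id in store.by_prefix.get(prefix, []):
        rec = store.api_keys[key_id]
        if not hmac.compare_digest(rec.key_hash, presented_hash):
            continue
        if rec.revoked or rec.expires_at <= now:
            store.audit_log.append(AuditEvent(now, "api_key.rejected", rec.organization_id,
                                              {"api_key_id": key_id,
                                               "reason": "revoked" if rec.revoked else "expired"}))
            return None
        rec.last_used_at = now
        return rec
    # Unknown key: record only the prefix, which is not secret.
    store.audit_log.append(AuditEvent(now, "api_key.rejected", "",
                                      {"api_key_prefix": prefix, "reason": "unknown"}))
    return None


def revoke_api_key(store, api_key_id: str, now=None) -> None:
    now = _utcnow(now)
    rec = store.api_keys[api_key_id]
    rec.revoked = True
    store.audit_log.append(AuditEvent(now, "api_key.revoked", rec.organization_id,
                                      {"api_key_id": api_key_id}))


def secret_leaked(store, secret: str) -> bool:
    """True if the plaintext secret appears anywhere in the audit log (it must not)."""
    return any(secret in repr(e) for e in store.audit_log)
```

The prefix index exists so that verification does not hash and compare against every row; the constant-time comparison on the stored hash avoids leaking which candidate matched through timing. Revocation keeps the row (with `revoked` set) rather than deleting it, so the audit trail and the rejection reason remain reconstructable.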
## Keycloak Data Boundary
If Keycloak stores authentication data, Identity still needs domain records for memberships, authorization semantics, tenant access, API keys, and audit events. Data synchronization must not make Keycloak the owner of Algosure domain access rules.