Identity Domain Events¶
Why This Exists¶
This document defines events published by the Identity Domain.
Owner¶
The owner is the Chief Product Officer and Enterprise Architect.
Business Value¶
Identity events allow Algosure to audit access, notify users, update analytics, and respond to security-relevant changes without exposing identity internals.
Event Metadata¶
Every Identity event should include:
- EventId: unique identifier of this event.
- EventType: the catalogue name of the event (for example, UserSignedIn).
- OccurredAt: UTC timestamp of when the change happened, not when it was published.
- UserId where applicable.
- OrganizationId where applicable.
- ActorId: the user, service or system process that caused the change.
- CorrelationId: shared by every command and event in the same request or workflow, so consumers can join them.
- CausationId: the identifier of the command or event that directly produced this event.
- IpAddress or device reference where appropriate; treat it as personal data and include it only where a consumer needs it.
- SchemaVersion: version of the event contract, so consumers can detect and handle payload changes.
Event Catalogue¶
| Event | Trigger | Payload | Consumers | Business value |
|---|---|---|---|---|
| UserAccountCreated | User account is created. | UserId, email, status. | Notification, Analytics. | Supports onboarding and audit. |
| AuthenticationIdentityLinked | External or local identity is linked. | UserId, provider, subject. | Analytics, Audit. | Tracks authentication sources. |
| UserSignedIn | User authenticates successfully. | UserId, SessionId, tenant context. | Analytics, Audit. | Tracks access. |
| SignInFailed | Authentication attempt fails. | Email or subject reference, reason category. | Security, Analytics. | Supports attack detection. |
| SessionCreated | Session is created. | SessionId, UserId, expiry. | Audit. | Tracks active access. |
| SessionRevoked | Session is revoked. | SessionId, reason. | Audit, Notification. | Signals that access has ended so consumers can drop cached sessions. |
| InvitationCreated | Invitation is issued. | InvitationId, OrganizationId, email, roles. | Notification. | Starts onboarding. |
| InvitationAccepted | Invitation is accepted. | InvitationId, UserId, MembershipId. | Organization, Notification, Analytics. | Records that access was granted. |
| MembershipActivated | Membership becomes active. | MembershipId, UserId, OrganizationId. | Analytics. | Enables tenant access. |
| MembershipSuspended | Membership is suspended. | MembershipId, reason. | Analytics, Notification. | Signals that tenant access was removed. |
| RoleAssigned | Role is assigned. | AssignmentId, role, subject, scope. | Analytics, Audit. | Tracks access grants. |
| PermissionAssigned | Permission is assigned directly, outside a role. | AssignmentId, permission, subject, scope. | Analytics, Audit. | Tracks direct access grants. |
| AuthorizationDecisionRecorded | Auditable authorization decision is recorded. | DecisionId, subject, action, resource, result. | Analytics, Audit. | Supports investigation. |
| ApiKeyCreated | API key is created. | ApiKeyId, prefix, scopes, expiry. | Notification, Audit. | Enables service access. |
| ApiKeyRevoked | API key is revoked. | ApiKeyId, reason. | Audit, Analytics. | Signals that service access has ended. |
| MfaEnabled | MFA factor is enabled. | UserId, factor type. | Notification, Audit. | Improves account protection. |
| MfaChallengeRequired | Access requires MFA challenge. | UserId, reason, risk level. | Identity, Notification. | Enforces step-up access. |

Payloads carry identifiers, categories and references only. No event carries credentials, session tokens, API key material or MFA secrets: ApiKeyCreated carries the key prefix so a key can be matched to its record without exposing the secret, and SignInFailed carries a reason category rather than the exact cause so the event stream does not reveal which accounts exist or which part of a credential was wrong.
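The Security consumer of SignInFailed is listed as supporting attack detection. The following is an added example (not code from this page or from Algosure's Identity Domain) of what that consumer can do with the event stream: it replays SignInFailed events in time order and raises a brute-force alert when one subject fails repeatedly inside a window, and a password-spray alert when one IpAddress fails against several distinct subjects. The sample events are constructed; the envelope names follow the metadata list on this page, while `Subject` and `ReasonCategory` are assumed payload names and the thresholds are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _event(event_id, event_type, occurred_at, subject, ip, reason="invalid_credentials"):
    """Constructed event for this example. Envelope fields follow the metadata list;
    'Subject', 'ReasonCategory' and 'IpAddress' are assumed payload names."""
    return {
        "EventId": event_id,
        "EventType": event_type,
        "OccurredAt": occurred_at,
        "CorrelationId": f"corr-{event_id}",
        "IpAddress": ip,
        "SchemaVersion": 1,
        "Subject": subject,
        "ReasonCategory": reason,
    }


# Constructed sample stream (not real data): a burst against one account from
# 203.0.113.10, a pass across several accounts from 198.51.100.7, a stale
# failure outside the window, and one unrelated UserSignedIn event.
SAMPLE_EVENTS = [
    _event("e01", "SignInFailed", "2024-05-01T09:40:00+00:00", "bob@example.com", "198.51.100.7"),
    _event("e02", "SignInFailed", "2024-05-01T10:00:00+00:00", "alice@example.com", "203.0.113.10"),
    _event("e03", "SignInFailed", "2024-05-01T10:00:30+00:00", "alice@example.com", "203.0.113.10"),
    _event("e04", "SignInFailed", "2024-05-01T10:01:00+00:00", "alice@example.com", "203.0.113.10"),
    _event("e05", "UserSignedIn", "2024-05-01T10:01:10+00:00", "dave@example.com", "192.0.2.5", None),
    _event("e06", "SignInFailed", "2024-05-01T10:01:30+00:00", "alice@example.com", "203.0.113.10"),
    _event("e07", "SignInFailed", "2024-05-01T10:02:00+00:00", "alice@example.com", "203.0.113.10"),
    _event("e08", "SignInFailed", "2024-05-01T10:03:00+00:00", "bob@example.com", "198.51.100.7"),
    _event("e09", "SignInFailed", "2024-05-01T10:03:10+00:00", "carol@example.com", "198.51.100.7"),
    _event("e10", "SignInFailed", "2024-05-01T10:03:20+00:00", "dave@example.com", "198.51.100.7"),
]


def detect_sign_in_abuse(events, window=timedelta(minutes=5),
                         subject_threshold=5, ip_subject_threshold=3):
    """Replay SignInFailed events in OccurredAt order and return alerts.

    brute_force:    one subject fails >= subject_threshold times within `window`
    password_spray: one IpAddress fails against >= ip_subject_threshold distinct
                    subjects within `window`
    Each (kind, key) pair alerts once. Other event types are ignored.
    """
    by_subject = defaultdict(deque)  # subject -> timestamps of recent failures
    by_ip = defaultdict(deque)       # ip -> (timestamp, subject) of recent failures
    alerts, alerted = [], set()

    for ev in sorted(events, key=lambda e: e["OccurredAt"]):
        if ev["EventType"] != "SignInFailed":
            continue
        t = datetime.fromisoformat(ev["OccurredAt"])
        subject, ip = ev["Subject"], ev.get("IpAddress")

        # Sliding window per subject: evict failures older than `window`.
        q = by_subject[subject]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= subject_threshold and ("brute_force", subject) not in alerted:
            alerted.add(("brute_force", subject))
            alerts.append({"kind": "brute_force", "key": subject, "count": len(q),
                           "at": ev["OccurredAt"], "CorrelationId": ev["CorrelationId"]})

        # Sliding window per source address: count distinct subjects attacked.
        if ip:
            qi = by_ip[ip]
            qi.append((t, subject))
            while qi and t - qi[0][0] > window:
                qi.popleft()
            distinct = {s for _, s in qi}
            if len(distinct) >= ip_subject_threshold and ("password_spray", ip) not in alerted:
                alerted.add(("password_spray", ip))
                alerts.append({"kind": "password_spray", "key": ip, "count": len(distinct),
                               "at": ev["OccurredAt"], "CorrelationId": ev["CorrelationId"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_sign_in_abuse(SAMPLE_EVENTS):
        print(alert)
```

Because the event carries only a reason category and a subject reference, the detector never needs the credential that was tried; the CorrelationId in each alert is what an investigator uses to pull the related UserSignedIn, SessionCreated or MfaChallengeRequired events for the same request.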
Event Flow¶
```mermaid
sequenceDiagram
    participant User
    participant Identity
    participant Billing
    participant Domain as Target Domain
    participant Analytics
    User->>Identity: Request action
    Identity->>Billing: Check entitlement signal
    Billing-->>Identity: Entitlement status
    Identity->>Identity: Evaluate tenant, role, permission, entitlement
    Identity-->>Domain: Allow or deny
    Identity-->>Analytics: AuthorizationDecisionRecorded
```
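The following is an added example (not code from this page or from Algosure's Identity Domain) that ties the Event Metadata section to the flow above: `new_event` builds the envelope the metadata list requires, copying CorrelationId from the request and setting CausationId to the command that produced the event, and `authorize` evaluates tenant membership, role and direct permission grants, and the entitlement signal in the order the diagram shows, default-deny, emitting an AuthorizationDecisionRecorded event for every decision including denials. The membership, role, permission and entitlement tables are constructed sample state, the `ACTION_FEATURE` mapping from an action to the Billing feature it needs is an assumption for this example, and the reason strings are illustrative.

```python
import uuid
from datetime import datetime, timezone

# Envelope fields this page requires on every Identity event. UserId,
# OrganizationId and IpAddress are conditional and are not checked here.
REQUIRED_METADATA = ("EventId", "EventType", "OccurredAt", "ActorId",
                     "CorrelationId", "CausationId", "SchemaVersion")


def new_event(event_type, payload, *, actor_id, correlation_id, causation_id,
              user_id=None, organization_id=None, ip_address=None, schema_version=1):
    """Wrap a payload in the Identity event envelope. CorrelationId is copied from
    the request so all events of one workflow can be joined; CausationId is the
    identifier of the command or event that directly produced this one."""
    event = {
        "EventId": str(uuid.uuid4()),
        "EventType": event_type,
        "OccurredAt": datetime.now(timezone.utc).isoformat(),
        "ActorId": actor_id,
        "CorrelationId": correlation_id,
        "CausationId": causation_id,
        "SchemaVersion": schema_version,
        "Payload": payload,
    }
    for key, value in (("UserId", user_id), ("OrganizationId", organization_id),
                       ("IpAddress", ip_address)):
        if value is not None:   # conditional fields: only set when known
            event[key] = value
    return event


def missing_metadata(event):
    """Names of required envelope fields that are absent or empty."""
    return [k for k in REQUIRED_METADATA if not event.get(k)]


# Constructed sample state (not real data); the shapes are assumptions for this example.
MEMBERSHIPS = {  # (UserId, OrganizationId) -> membership
    ("user-alice", "org-1"): {"status": "active", "roles": ["analyst"]},
    ("user-bob", "org-1"): {"status": "suspended", "roles": ["admin"]},
    ("user-carol", "org-2"): {"status": "active", "roles": ["viewer"]},
}
ROLE_PERMISSIONS = {
    "admin": {"reports.view", "reports.export", "members.invite"},
    "analyst": {"reports.view", "reports.export"},
    "viewer": {"reports.view"},
}
PERMISSION_ASSIGNMENTS = {("user-carol", "org-2"): {"reports.export"}}  # direct grants
ACTION_FEATURE = {"reports.export": "advanced_reporting"}  # assumed: action -> Billing feature
ENTITLEMENTS = {"org-1": {"advanced_reporting"}, "org-2": set()}  # stands in for Billing's signal


def authorize(request, memberships=MEMBERSHIPS, role_permissions=ROLE_PERMISSIONS,
              permission_assignments=PERMISSION_ASSIGNMENTS, entitlements=ENTITLEMENTS):
    """Evaluate tenant, role, permission and entitlement, default-deny, and
    return (allowed, AuthorizationDecisionRecorded event)."""
    user, org, action = request["UserId"], request["OrganizationId"], request["Action"]
    membership = memberships.get((user, org))
    if membership is None or membership["status"] != "active":
        allowed, reason = False, "no_active_membership"   # tenant check first
    else:
        # Effective permissions: role-derived grants plus direct PermissionAssigned grants.
        granted = set(permission_assignments.get((user, org), set()))
        for role in membership["roles"]:
            granted |= role_permissions.get(role, set())
        feature = ACTION_FEATURE.get(action)
        if action not in granted:
            allowed, reason = False, "permission_denied"
        elif feature is not None and feature not in entitlements.get(org, set()):
            allowed, reason = False, "not_entitled"        # Billing says the plan lacks it
        else:
            allowed, reason = True, "allowed"

    decision = new_event(
        "AuthorizationDecisionRecorded",
        {"DecisionId": str(uuid.uuid4()), "subject": user, "action": action,
         "resource": request["Resource"], "result": "allow" if allowed else "deny",
         "reason": reason},
        actor_id=user, correlation_id=request["CorrelationId"],
        causation_id=request["CommandId"], user_id=user, organization_id=org,
        ip_address=request.get("IpAddress"),
    )
    return allowed, decision


def _request(command_id, user, org, action, resource):
    """Constructed authorization request (a command) for the examples below."""
    return {"CommandId": command_id, "CorrelationId": f"corr-{command_id}",
            "UserId": user, "OrganizationId": org, "Action": action,
            "Resource": resource, "IpAddress": "203.0.113.10"}


if __name__ == "__main__":
    for req in (_request("c1", "user-alice", "org-1", "reports.export", "report:42"),
                _request("c2", "user-bob", "org-1", "reports.view", "report:42"),
                _request("c3", "user-carol", "org-2", "reports.export", "report:7")):
        allowed, ev = authorize(req)
        print(req["UserId"], req["Action"], ev["Payload"]["result"], ev["Payload"]["reason"])
```

Denials are recorded with the same envelope as allows, which is what makes the event useful for investigation: a consumer can take the CorrelationId from an AuthorizationDecisionRecorded event and find the SignInFailed, MfaChallengeRequired or SessionCreated events of the same request without Identity exposing how it evaluated the decision.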
Cross-Domain Rule¶
Identity events inform other domains that access has changed. Other domains may react to those events, for example by dropping a cached session or membership, but they must not create their own parallel identity state; Identity remains the source of truth for who a user is and what they may access.