Identity Entities
Why This Exists
This document defines the entities of the Identity Domain: the domain objects that carry their own identity.
Owner
The owner is the Chief Product Officer and Enterprise Architect.
Business Value
Entity definitions make identity lifecycle, membership, authorization, sessions, API keys, and MFA consistent across Algosure.
Entity Catalogue
| Entity | Purpose | Key attributes | Business rules | Relationships | MVP status |
|---|---|---|---|---|---|
| User Account | Represents a person with platform access. | UserId, email, status, verified at, created at. | Disabled users cannot authenticate. | Has memberships, sessions, MFA, API keys. | MVP |
| Authentication Identity | Login or federated identity. | IdentityId, provider, subject, email, status. | Provider subject must be unique. | Belongs to user account. | MVP |
| Organization Membership | Tenant-scoped access relationship. | MembershipId, UserId, OrganizationId, status. | Must not own organization facts. | Has role assignments. | MVP |
| Invitation | Invite to organization or role. | InvitationId, email, OrganizationId, roles, expiry, status. | Must expire. | Creates membership on acceptance. | MVP |
| Role | Named access bundle. | RoleId, name, scope, status. | Must map to permissions. | Assigned to memberships. | MVP |
| Permission | Specific allowed action. | PermissionId, resource, action, scope. | Must be explicit and versioned. | Used by roles and policies. | MVP |
| Role Assignment | Assigned role to user or membership. | AssignmentId, role, subject, scope, effective dates. | Must be scoped. | Grants permissions. | MVP |
| Access Policy | Contextual authorization rule. | PolicyId, rule, priority, status. | Must fail closed. | Evaluated in decisions. | MVP |
| Session | Authenticated session. | SessionId, UserId, expiry, device, status. | Must expire and be revocable. | Authorizes user requests. | MVP |
| API Key | Programmatic access credential. | ApiKeyId, prefix, hash, scopes, status, expiry. | Store hash only. | Authorizes service requests. | MVP |
| MFA Factor | Registered second factor. | FactorId, type, verified, status. | Must verify before enforcement. | Belongs to user. | MVP |
| Authorization Decision | Decision record for access evaluation. | DecisionId, subject, action, resource, tenant, result. | Must include reason for deny. | Consumed by audit and analytics. | MVP |
Entity Design Notes
Identity entities are security-sensitive. They must avoid storing secrets in plaintext, must preserve audit context, and must enforce tenant boundaries consistently.
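The catalogue's API Key rule ("store hash only"), the Authorization Decision rule ("must include reason for deny"), the Access Policy rule ("must fail closed") and the tenant-boundary note above fit together in one small implementation. The following is an added example written for this page, not Algosure's code: an in-memory store is constructed inline, the function names (issue_api_key, verify_api_key, revoke_api_key, authorize), the tenant_id attribute on the key, the "ak_" prefix format and the deny-reason strings are all assumptions, and SHA-256 is used as the stored hash because the secret is high-entropy random data.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ApiKey:
    """API Key entity from the catalogue: prefix and hash only, never the secret."""
    api_key_id: str
    prefix: str                 # short leading part of the secret, safe to store and log
    key_hash: str               # SHA-256 of the full secret; the secret itself is never stored
    scopes: frozenset[str]
    status: str                 # "active" or "revoked"
    expiry: datetime
    tenant_id: str              # assumed attribute: the tenant the key is scoped to


@dataclass
class AuthorizationDecision:
    """Authorization Decision entity: every deny carries a reason."""
    decision_id: str
    subject: str
    action: str
    resource: str
    tenant: str
    result: str                 # "allow" or "deny"
    reason: Optional[str]


PREFIX_LEN = 11                    # "ak_" + 8 random characters (assumed format)
API_KEYS: dict[str, ApiKey] = {}   # constructed in-memory store, keyed by prefix


def _now(now: Optional[datetime]) -> datetime:
    return now or datetime.now(timezone.utc)


def _hash_secret(secret: str) -> str:
    # Plain SHA-256 is adequate because the secret is 256 bits of random data;
    # a password-style KDF is only needed for low-entropy inputs.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_api_key(tenant_id: str, scopes: set[str], ttl_days: int = 90,
                  now: Optional[datetime] = None) -> tuple[str, ApiKey]:
    """Create a key; the full secret is returned once and only its hash is kept."""
    secret = "ak_" + secrets.token_urlsafe(32)
    record = ApiKey(
        api_key_id=secrets.token_hex(8),
        prefix=secret[:PREFIX_LEN],
        key_hash=_hash_secret(secret),
        scopes=frozenset(scopes),
        status="active",
        expiry=_now(now) + timedelta(days=ttl_days),
        tenant_id=tenant_id,
    )
    API_KEYS[record.prefix] = record
    return secret, record


def revoke_api_key(record: ApiKey) -> None:
    record.status = "revoked"


def verify_api_key(presented: str, now: Optional[datetime] = None) -> Optional[ApiKey]:
    """Look the key up by prefix, then check hash, status and expiry.
    Every failure path returns None, so callers fail closed by default."""
    record = API_KEYS.get(presented[:PREFIX_LEN])
    if record is None:
        return None
    # Constant-time comparison of the two digests avoids a timing side channel.
    if not hmac.compare_digest(record.key_hash, _hash_secret(presented)):
        return None
    if record.status != "active":
        return None
    if _now(now) >= record.expiry:
        return None
    return record


def authorize(presented: str, action: str, resource: str, tenant_id: str,
              now: Optional[datetime] = None) -> AuthorizationDecision:
    """Evaluate a request and record the decision. Only an explicit match allows;
    anything else denies with a reason, as the catalogue's rules require."""
    record = verify_api_key(presented, now)
    subject = record.api_key_id if record else "unknown"

    def decide(result: str, reason: Optional[str]) -> AuthorizationDecision:
        return AuthorizationDecision(secrets.token_hex(8), subject, action,
                                     resource, tenant_id, result, reason)

    if record is None:
        return decide("deny", "invalid_or_expired_credential")
    if record.tenant_id != tenant_id:          # enforce the tenant boundary
        return decide("deny", "tenant_mismatch")
    if action not in record.scopes:            # permissions are explicit, never implied
        return decide("deny", "scope_not_granted")
    return decide("allow", None)


if __name__ == "__main__":
    secret, key = issue_api_key("tenant-a", {"reports:read"})
    print(authorize(secret, "reports:read", "report/42", "tenant-a").result)   # allow
    print(authorize(secret, "reports:read", "report/42", "tenant-b").reason)   # tenant_mismatch
```

The decision object is what the Authorization Decision row describes: it is produced for allows and denies alike so audit and analytics consumers see the reason for every deny, and the key record it refers to contains nothing that would let a reader of the store reconstruct the credential.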