# Identity Policies

## Why This Exists

This document defines policies that govern Identity Domain behavior.

## Owner

The owner is the Chief Product Officer and Enterprise Architect.

## Business Value

Identity policies make authentication, authorization, tenant isolation, invitations, sessions, API keys, and MFA enforceable and auditable.

## Policy Catalogue

| Policy | When it runs | Decision made | Outputs |
|---|---|---|---|
| Authentication Policy | During sign-in or token validation. | Whether authentication succeeds or fails. | SessionCreated, SignInFailed. |
| Tenant Isolation Policy | Before any organization-scoped access. | Whether actor may operate within OrganizationId. | Allow, deny, or audit decision. |
| Authorization Policy | Before protected action. | Whether subject can perform action on resource. | AuthorizationDecisionRecorded. |
| Entitlement-Aware Access Policy | During authorization when capability is subscription-gated. | Whether Billing entitlement signal permits access. | Allow, deny, or upgrade-required reason. |
| Invitation Policy | When invitation is created or accepted. | Whether invitation is valid, scoped, and unexpired. | InvitationCreated, InvitationAccepted. |
| Role Assignment Policy | When role is assigned or removed. | Whether actor may change access. | RoleAssigned or rejection. |
| Session Policy | When session is created, refreshed, or revoked. | Session expiry, refresh, revocation, and risk handling. | SessionCreated, SessionRevoked. |
| API Key Policy | When API key is created, used, rotated, or revoked. | Scope, expiry, allowed tenant, and revocation decision. | ApiKeyCreated, ApiKeyRevoked. |
| MFA Policy | During setup and high-risk access. | Whether MFA is required, verified, or challenged. | MfaEnabled, MfaChallengeRequired. |
| Security Audit Policy | After security-sensitive events. | What audit record is required. | Identity audit event. |
## Tenant Isolation Policy

Tenant isolation must be evaluated before access to organization-scoped resources. The policy verifies:

- Actor is authenticated.
- Session or API key is active.
- OrganizationId is present.
- Membership or service access is active.
- Role and permission apply within that OrganizationId.
- Billing entitlement signal permits capability access where required.
## Keycloak Integration Policy

If Keycloak is introduced, Identity policies still define the business decisions. Keycloak may perform authentication or token support, but Identity remains responsible for Algosure authorization semantics, tenant isolation, and domain events.

## Policy Flow

```mermaid
flowchart LR
    Request[Access request]
    Authentication[Authentication policy]
    Tenant[Tenant isolation policy]
    Entitlement[Entitlement policy]
    Authorization[Authorization policy]
    Decision[Decision record]
    Request --> Authentication
    Authentication --> Tenant
    Tenant --> Entitlement
    Entitlement --> Authorization
    Authorization --> Decision
```
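The following is an added example, not Algosure's own code, showing one way to evaluate the Tenant Isolation Policy checks listed above in the order the policy flow prescribes (authentication, then tenant isolation, then entitlement, then authorization, ending in a recorded decision). Every class, function and directory value in it (`Session`, `Membership`, `evaluate`, the role and entitlement tables) is an assumption constructed for illustration; it also shows that a role held in one OrganizationId grants nothing in another, and that a subscription-gated capability is refused with an upgrade-required reason before role checks run.

```python
# Added example (not Algosure's own code): a policy chain evaluated in the
# order of the policy flow.  All names and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Session:
    subject: str
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        # An API key would pass the same check: unexpired and not revoked.
        return not self.revoked and now < self.expires_at


@dataclass
class Membership:
    organization_id: str
    roles: frozenset
    active: bool = True


@dataclass
class AccessRequest:
    session: Optional[Session]
    organization_id: Optional[str]
    capability: str  # the action being attempted, e.g. "report:export"


@dataclass
class Decision:
    allowed: bool
    stage: str   # the policy that produced the decision
    reason: str


# Constructed sample directory data (assumed, not real configuration).
ROLE_PERMISSIONS = {
    "admin": frozenset({"report:read", "report:export", "member:invite"}),
    "member": frozenset({"report:read"}),
}
MEMBERSHIPS = {
    ("alice", "org-1"): Membership("org-1", frozenset({"admin"})),
    ("bob", "org-1"): Membership("org-1", frozenset({"member"})),
    ("bob", "org-2"): Membership("org-2", frozenset({"member"}), active=False),
}
SUBSCRIPTION_GATED = frozenset({"report:export"})
ENTITLEMENTS = {"org-1": frozenset({"report:read"})}  # org-1 is not entitled to export

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ALICE_SESSION = Session("alice", NOW + timedelta(hours=1))
BOB_SESSION = Session("bob", NOW + timedelta(hours=1))
EXPIRED_SESSION = Session("alice", NOW - timedelta(minutes=1))


def evaluate(req: AccessRequest, now: datetime, audit: Optional[list] = None) -> Decision:
    """Run the policy chain; every outcome is appended to `audit` (Security Audit Policy)."""
    decision = _evaluate(req, now)
    if audit is not None:
        audit.append({
            "subject": req.session.subject if req.session else None,
            "organization_id": req.organization_id,
            "capability": req.capability,
            "stage": decision.stage,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
    return decision


def _evaluate(req: AccessRequest, now: datetime) -> Decision:
    # Authentication Policy: the actor must present an active credential.
    if req.session is None:
        return Decision(False, "authentication", "SignInFailed: no credential")
    if not req.session.is_active(now):
        return Decision(False, "authentication", "session expired or revoked")
    # Tenant Isolation Policy: OrganizationId present and an active membership there.
    if not req.organization_id:
        return Decision(False, "tenant", "OrganizationId missing")
    membership = MEMBERSHIPS.get((req.session.subject, req.organization_id))
    if membership is None or not membership.active:
        return Decision(False, "tenant", "no active membership in organization")
    # Entitlement-Aware Access Policy: gated capabilities need the Billing signal.
    entitled = ENTITLEMENTS.get(req.organization_id, frozenset())
    if req.capability in SUBSCRIPTION_GATED and req.capability not in entitled:
        return Decision(False, "entitlement", "upgrade-required")
    # Authorization Policy: roles count only within this OrganizationId.
    granted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in membership.roles))
    if req.capability not in granted:
        return Decision(False, "authorization", "permission denied")
    return Decision(True, "authorization", "AuthorizationDecisionRecorded")


if __name__ == "__main__":
    log = []
    print(evaluate(AccessRequest(ALICE_SESSION, "org-1", "report:read"), NOW, log))
    print(evaluate(AccessRequest(ALICE_SESSION, "org-2", "report:read"), NOW, log))  # cross-tenant
    print(evaluate(AccessRequest(ALICE_SESSION, "org-1", "report:export"), NOW, log))  # not entitled
    print(log)
```

Each denial names the stage that produced it, so a cross-tenant attempt is refused by the tenant stage without ever consulting roles, and an audit record is written for every outcome, allowed or not, which is what makes the decisions auditable.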