Identity Relationships¶
Why This Exists¶
This document explains how Identity relates to other Algosure domains and future identity integrations.
Owner¶
The owner is the Chief Product Officer and Enterprise Architect.
Business Value¶
Relationship clarity ensures Identity enforces access without duplicating organization profiles, billing facts, administration configuration, or operational domain facts.
Relationship Diagram¶
flowchart TD
Organization[Organization]
Billing[Billing]
Administration[Administration]
Notification[Notification]
Analytics[Analytics]
Intelligence[Intelligence]
Operational[Operational Domains]
Keycloak[Future Keycloak]
Identity[Identity]
Organization -->|OrganizationId tenant boundary| Identity
Billing -->|entitlement and plan access signals| Identity
Administration -->|policy configuration inputs| Identity
Identity -->|identity notification requests| Notification
Identity -->|access and security events| Analytics
Intelligence -->|risk explanation support where approved| Identity
Identity -->|authorization decisions| Operational
Keycloak -. auth implementation .-> Identity
Relationship Catalogue¶
| Domain or system | Relationship | Data ownership rule |
|---|---|---|
| Organization | Provides OrganizationId and business profile owned by Organization. | Identity uses OrganizationId for membership and tenant boundary only. |
| Billing | Provides entitlement and subscription access signals. | Billing owns commercial state. Identity enforces access decisions. |
| Administration | May configure platform policy settings. | Administration owns configuration workflows. Identity owns enforcement. |
| Notification | Delivers invitation, security, and access-related notifications. | Notification owns delivery state. Identity owns identity event facts. |
| Analytics | Reports access, security, invitation, and usage-related metrics. | Analytics owns reporting models. Identity owns source identity events. |
| Intelligence | May explain access requirements or risk signals. | Intelligence owns reasoning output. Identity owns decisions. |
| Operational Domains | Rely on Identity for authorization. | Operational domains own business facts and must not duplicate identity state. |
| Keycloak | Possible future implementation for authentication and identity provider integration. | Keycloak is not the domain model. |
Cross-Domain Authorization Rule¶
Operational domains must check Identity authorization for protected actions. They may also enforce local business invariants, but they must not create parallel user, role, or tenant access models.