Identity Value Objects
Why This Exists
This document defines immutable or value-based concepts used by the Identity Domain.
Owner
The owner is the Chief Product Officer and Enterprise Architect.
Business Value
Value objects make authentication, authorization, tenant isolation, sessions, API keys, and MFA precise and enforceable.
Value Object Catalogue
| Value object | Purpose | Validation rules |
|---|---|---|
| UserId | Identifies a user account. | Must be unique. |
| AuthenticationIdentityId | Identifies a login identity. | Must be unique. |
| OrganizationId | References tenant and organization boundary. | Must be treated as reference only. |
| MembershipId | Identifies organization membership. | Must be unique and tenant-scoped. |
| EmailAddress | Login or invitation email address. | Must be normalized and validated. |
| RoleCode | Identifies a role. | Must use approved role catalogue. |
| PermissionCode | Identifies a permission. | Must include resource and action semantics. |
| ResourceReference | Identifies target resource for authorization. | Must include resource type and ID where applicable. |
| ActionCode | Identifies requested action. | Must map to permission model. |
| TenantScope | Defines organization or platform scope. | Required for tenant-scoped resources. |
| SessionId | Identifies a session. | Must be unique and revocable. |
| SessionStatus | Tracks session state. | Allowed values: active, expired, revoked, blocked. |
| ApiKeyPrefix | Non-secret key display prefix. | Must not reveal full key. |
| ApiKeyHash | Stored hash of API key secret. | Plaintext key must not be stored. |
| MfaFactorType | Classifies MFA method. | Allowed values may include authenticator_app, sms, email, hardware_key, recovery_code. |
| AuthorizationResult | Decision result. | Allowed values: allow, deny, challenge, error. |
| AuthorizationReason | Explainable decision reason. | Must be structured for audit. |
| RiskLevel | Access risk classification. | Allowed values: low, medium, high, critical. |
Security Validation Principles
- Passwords must be hashed with an approved password hashing algorithm when password authentication is supported.
- Session and API key secrets must be generated with secure randomness.
- API key plaintext must be shown only at creation time.
- Authorization must fail closed when context is missing.
- Tenant scope must be present for organization-owned resources.
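As an added illustration (not the project's own code), the following shows how the ApiKeyPrefix, ApiKeyHash and TenantScope value objects from the catalogue can enforce the principles above: secure randomness for the key secret, plaintext returned only at creation, only a non-secret prefix and a hash persisted, and authorization that fails closed when tenant scope is missing or does not match. The function names issue_api_key, verify_api_key and authorize, and the use of SHA-256 for the stored hash, are assumptions made for this example.

```python
"""Added example: immutable identity value objects and fail-closed authorization.
Not the project's own code; function names and the SHA-256 choice are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiKeyPrefix:
    value: str  # short, non-secret; safe to show in a key listing


@dataclass(frozen=True)
class ApiKeyHash:
    value: str  # hex SHA-256 of the secret; the plaintext key is never stored


@dataclass(frozen=True)
class StoredApiKey:
    prefix: ApiKeyPrefix
    hash: ApiKeyHash


def issue_api_key() -> tuple[str, StoredApiKey]:
    """Generate the secret from a CSPRNG. The plaintext is returned exactly once,
    at creation time; only the display prefix and the hash are persisted."""
    plaintext = "ak_" + secrets.token_urlsafe(32)
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    return plaintext, StoredApiKey(ApiKeyPrefix(plaintext[:8]), ApiKeyHash(digest))


def verify_api_key(presented: str, stored: StoredApiKey) -> bool:
    """Hash the presented key and compare in constant time against the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored.hash.value)


@dataclass(frozen=True)
class TenantScope:
    organization_id: str


def authorize(scope: Optional[TenantScope], resource_org: str, permitted: bool) -> tuple[str, str]:
    """Return (AuthorizationResult, AuthorizationReason). Fails closed: a missing or
    mismatched tenant scope denies before the permission decision is considered."""
    if scope is None:
        return "deny", "tenant_scope_missing"
    if scope.organization_id != resource_org:
        return "deny", "tenant_scope_mismatch"
    return ("allow", "permission_granted") if permitted else ("deny", "permission_denied")
```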