Security Diagrams
Executive Summary
Security Diagrams provides Mermaid diagrams for the Algosure security and multi-tenant architecture. The diagrams cover Zero Trust flow, Keycloak authentication, authorization, tenant isolation, secure AIOS access, secure integrations, data protection, audit, and secrets management.
Why This Exists
Security spans every architecture layer. Diagrams make the control model reviewable without defining implementation configuration or code.
Owner
The owner is the Chief Product Officer and Enterprise Architect.
Business Value
The diagrams give architecture, engineering, security, AI, data, and integration teams a shared control baseline.
Zero Trust Diagram
```mermaid
flowchart LR
    Request[Request]
    Authenticate[Authenticate]
    Context[Resolve Tenant, Organization, User Context]
    Authorize[Authorize]
    Entitlement[Check Entitlement]
    Approve[Approval Gate When Required]
    Execute[Execute Domain Action]
    Audit[Audit]
    Request --> Authenticate
    Authenticate --> Context
    Context --> Authorize
    Authorize --> Entitlement
    Entitlement --> Approve
    Approve --> Execute
    Execute --> Audit
```
Keycloak Authentication Diagram
```mermaid
flowchart TB
    User[User]
    Client[Mobile or Web Client]
    Keycloak[Keycloak Identity Provider]
    API[Algosure API]
    Identity[Identity Domain]
    Organization[Organization Domain]
    User --> Client
    Client --> Keycloak
    Keycloak --> Client
    Client --> API
    API --> Keycloak
    API --> Identity
    Identity --> Organization
```
Keycloak Client Architecture Diagram
```mermaid
flowchart TB
    Keycloak[Keycloak Algosure Realm]
    Mobile[Mobile App Client]
    Web[Web App Client]
    Backend[Spring Boot Backend Resource Server]
    Internal[Internal Service Clients]
    ServiceAccounts[Service Accounts]
    Federation[Future Enterprise SSO / Social Login]
    Mobile --> Keycloak
    Web --> Keycloak
    Internal --> Keycloak
    ServiceAccounts --> Keycloak
    Federation --> Keycloak
    Keycloak --> Backend
```
Token Validation Diagram
```mermaid
sequenceDiagram
    participant Client as Mobile, Web, or Service Client
    participant Keycloak as Keycloak
    participant Spring as Spring Security
    participant Identity as Identity Domain
    participant Domain as Owning Domain
    Client->>Keycloak: Authenticate or use service account
    Keycloak-->>Client: JWT access token and approved refresh token
    Client->>Spring: API request with access token
    Spring->>Spring: Validate issuer, signature, audience, expiry
    Spring->>Identity: Map roles, groups, tenant, organization, permissions
    Identity-->>Spring: Authorization context
    Spring->>Domain: Execute authorized request
```
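The four checks in the "Validate issuer, signature, audience, expiry" step, written out as an added example; this is not Algosure or Spring Security code. Assumptions: the issuer URL, audience name and key are constructed, and HS256 with a shared demo key stands in for the realm's signature scheme so the block runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real deployment takes these from its Keycloak realm.
ISSUER = "https://keycloak.example.test/realms/algosure"
AUDIENCE = "algosure-api"
KEY = b"constructed-demo-key"  # HS256 stand-in for the realm's signing key

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key=KEY, alg="HS256"):
    """Build a constructed sample token (test helper, not an issuer)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def validate(token, now=None, leeway=30):
    """Return (claims, None) if all four checks pass, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64d(head_b64))
        claims = json.loads(_b64d(body_b64))
        sig = _b64d(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return None, "malformed"
    # The algorithm is pinned server-side, so "none" or a swapped alg is refused.
    # No claim is acted on until the signature has verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "bad_alg"
    expected = hmac.new(KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad_signature"
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None, "bad_issuer"
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None, "bad_audience"
    exp = claims.get("exp")  # a missing or non-numeric exp fails closed
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return None, "expired"
    return claims, None
```

Only a token that passes all four checks reaches the role, group, tenant and permission mapping in the next step of the diagram.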
Authorization Diagram
```mermaid
flowchart TB
    Actor[Actor]
    Identity[Identity Domain]
    Organization[Organization Domain]
    Billing[Billing Domain]
    Administration[Administration Domain]
    OwningDomain[Owning Domain]
    Decision[Authorization Decision]
    Actor --> Identity
    Identity --> Organization
    Identity --> Billing
    Identity --> Administration
    Organization --> Decision
    Billing --> Decision
    Administration --> Decision
    OwningDomain --> Decision
```
Tenant Isolation Diagram
```mermaid
flowchart LR
    TenantA[Tenant A]
    TenantB[Tenant B]
    API[Secure API]
    Row[Row-Level Tenant Filtering]
    Docs[Document Access Control]
    AI[AIOS Tenant-Scoped Memory]
    Audit[Audit Separation]
    TenantA --> API
    TenantB --> API
    API --> Row
    API --> Docs
    API --> AI
    API --> Audit
```
Secure AIOS Access Diagram
```mermaid
sequenceDiagram
    participant AIOS as AIOS
    participant API as Governed Internal API
    participant Security as Security Controls
    participant Domain as Owning Domain
    participant Audit as Audit
    AIOS->>API: Request scoped tool call
    API->>Security: Check tenant, organization, permission, entitlement
    Security->>Domain: Execute through application service
    Domain-->>API: Return governed result
    API->>Audit: Record access and result
    API-->>AIOS: Return scoped response
```
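The gate order from the Zero Trust diagram applied to a scoped AIOS tool call, as an added sketch that is not Algosure code. Assumptions: the class, field and reason names are hypothetical, the audit store is an in-memory list, and recording denied calls as well as executed ones is a choice made here (the diagrams only show audit after execution).

```python
from dataclasses import dataclass, field

@dataclass
class Context:                 # resolved after authentication (hypothetical shape)
    tenant: str
    organization: str
    user: str
    permissions: set
    entitlements: set          # entitlement facts, owned by Billing in the page's model
    approvals: set = field(default_factory=set)

@dataclass
class ToolCall:
    action: str
    tenant: str                # tenant that owns the target resource
    permission: str
    entitlement: str
    needs_approval: bool = False

AUDIT = []  # in-memory stand-in for the audit store

def gate(ctx, call):
    """Return the first failing control, or None when every gate passes."""
    if ctx is None:
        return "unauthenticated"
    if call.tenant != ctx.tenant:
        return "tenant_mismatch"
    if call.permission not in ctx.permissions:
        return "not_authorized"
    if call.entitlement not in ctx.entitlements:
        return "not_entitled"
    if call.needs_approval and call.action not in ctx.approvals:
        return "approval_required"
    return None

def handle(ctx, call, execute):
    """Run the domain action only after every gate passes; audit every outcome."""
    denial = gate(ctx, call)
    result = None
    if denial is None:
        # Scope the response again on the way out: rows of other tenants are dropped
        # even if the domain service returned them.
        result = [r for r in execute(call) if r["tenant"] == ctx.tenant]
    AUDIT.append({"user": getattr(ctx, "user", None), "tenant": call.tenant,
                  "action": call.action, "outcome": denial or "executed"})
    return {"ok": denial is None, "reason": denial, "result": result}
```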
Secure Integration Diagram
```mermaid
flowchart LR
    External[External System]
    Gateway[Integration Gateway]
    Secrets[Secrets Boundary]
    Security[Security Controls]
    Domain[Owning Domain]
    Event[Domain or Integration Event]
    Audit[Audit]
    External <--> Gateway
    Gateway --> Secrets
    Gateway --> Security
    Security --> Domain
    Domain --> Event
    Gateway --> Audit
```
Data Protection Diagram
```mermaid
flowchart TB
    Data[Data and Documents]
    Classify[Classification]
    Access[Access Control]
    Transit[Encryption in Transit]
    Rest[Encryption at Rest]
    Retention[Retention]
    Audit[Audit]
    Data --> Classify
    Classify --> Access
    Access --> Transit
    Access --> Rest
    Classify --> Retention
    Transit --> Audit
    Rest --> Audit
```
Secrets Management Diagram
```mermaid
flowchart LR
    Secret[Secret]
    Vault[Approved Secrets Store]
    Service[Authorized Service]
    Rotate[Rotation]
    Audit[Access Audit]
    Secret --> Vault
    Vault --> Service
    Vault --> Rotate
    Service --> Audit
    Rotate --> Audit
```
Diagram Notes
- Keycloak is the official Identity Provider platform.
- Identity Domain owns business identity and authorization decisions.
- Organization owns organization facts.
- Billing owns entitlement facts.
- Security Architecture defines cross-cutting controls, not source ownership.
- AIOS and integrations use governed APIs and cannot bypass tenant, authorization, entitlement, audit, or secrets controls.