Business Requirements: Core Module
Problem Statement
Modern business applications require robust identity and access management to support:
- Multi-tenant Operations: Separate user bases, roles, and permissions per tenant
- Flexible Access Control: Support for complex authorization patterns
- Secure Authentication: Safe credential management with session tracking
- Organizational Structure: User grouping and role hierarchy
- System Administration: Configuration and monitoring capabilities
The Core Module solves these challenges by providing a comprehensive authentication and authorization system built on DDD principles.
Target Audience
| Role | Use Cases |
| System Administrator | User management, role creation, permission assignment, system settings |
| Tenant Admin | User activation, role assignment, organization structure |
| Users | Login/logout, profile management, group membership |
| Developers | Integrate Core services, check permissions, manage sessions |
Domain Boundaries
┌─────────────────────────────────────────────────────────┐
│ CORE MODULE DOMAIN │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ IDENTITY & AUTHENTICATION │ │
│ │ - User accounts and profiles │ │
│ │ - Password management │ │
│ │ - Session tokens │ │
│ │ - Login history │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ AUTHORIZATION & ACCESS CONTROL │ │
│ │ - Role definitions │ │
│ │ - Permission matrix │ │
│ │ - User-role assignments │ │
│ │ - Permission inheritance │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ ORGANIZATION & STRUCTURE │ │
│ │ - User groups │ │
│ │ - Group role assignments │ │
│ │ - Tenant configuration │ │
│ └──────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────┘
Provides Identity & Authorization for:
Finance, Warehouse, CRM, HRM, Projects
Entity Classifications
Aggregates (Root Entities)
| Entity | Responsibility | Constraints |
| User | User identity, authentication credentials, profile | Unique email/phone per tenant |
| Role | Permission bundling, access policy definition | Unique name per tenant |
| Group | User organization, collective permissions | Unique name per tenant |
Value Objects
| Object | Purpose | Properties |
| Email | Internet identifier | Validated format, unique per tenant |
| Phone | Contact information | International format support |
| Permission | Access control unit | Resource + Action + Modifier |
| TIN/PIN | Tax identification | Country-specific validation |
Supporting Entities
| Entity | Role | Notes |
| Session | User authentication state | Secure token-based tracking |
| Upload | File storage metadata | Image processing for avatars |
| Tenant | Multi-tenant boundary | Complete data isolation |
| Currency | Financial denomination | Shared across all tenants |
Business Rules
User Management
- Unique Identification
- Email must be unique per tenant
- Phone must be unique per tenant
- System users can have null passwords
- Authentication
- Passwords stored with bcrypt hashing (cost 10+)
- System users bypass password validation
- Super-admin users have special privileges
- Activation
- Users must be active to access the system
- Inactive users cannot authenticate
- Admin can deactivate users
- Profile Requirements
- First name and last name required
- Email required and validated
- UI language preference mandatory
Role & Permission Management
- Permission Hierarchy
- User permissions override role permissions
- Direct user permissions grant access if no role denies
- Group permissions apply to all group members
- Permission Structure
- Format:
Resource:Action:Modifier - Examples:
users:create:all, payments:read:own, roles:update:all - Modifiers:
all (any resource), own (user’s own resources)
- Role Constraints
- System roles cannot be deleted
- Role names unique per tenant
- Permissions must exist before assignment
Session Management
- Session Lifecycle
- Session created on successful login
- Session contains user ID, tenant ID, IP, user agent
- Session expires after configured duration (default 24 hours)
- Expired sessions automatically invalid
- Security Requirements
- IP tracking for anomaly detection
- User agent comparison for validation
- Single session per user (configurable)
- Login audit trail maintained
Group Management
- Group Membership
- Users can belong to multiple groups
- Groups can have multiple roles
- Group roles apply to all members
- Group Constraints
- Group names unique per tenant
- System groups cannot be deleted
- Cascading permission application
Business Constraints
Multi-tenancy
- Complete data isolation per tenant
- No cross-tenant user access
- Tenant-scoped permission context
- Isolated session tokens per tenant
Security
- All passwords must be hashed
- No plaintext credentials in logs
- Session tokens must be secure
- Permission checks on all protected operations
Scalability
- Support for 1000+ users per tenant
- Efficient permission resolution (cached where possible)
- Optimized role/permission queries
- Session cleanup for expired tokens
Success Criteria
Security
Usability
Auditability
Related Business Domains
The Core Module directly enables:
- Finance Module: Payment authorization, expense approvals
- Warehouse Module: Inventory access control
- CRM Module: Client data access permissions
- HRM Module: Employee organizational structure
- Projects Module: Team and project assignments