Formalize identity/account/function/role/right semantic access model #9

Closed
opened 2026-07-09 15:04:39 +02:00 by zemion · 1 comment
Owner

Make the access model explicitly separate identity, account, tenant membership, organization unit, function, role, and right so directory facts do not silently become business authority.

Source concept/wiki doc: govoplan-access/docs/IDENTITY_ACCOUNT_FUNCTION_MODEL.md.

Acceptance criteria:

  • Access docs and DTOs name the semantic layers clearly.
  • Explain responses can show identity/account/function/role/right provenance for access decisions.
  • Postbox, portal service directory, delegation, and workflow authorization can consume the model through stable contracts.

Context recovered from previous GovOPlaN planning chats and consolidated into the roadmap/docs on 2026-07-09.

Make the access model explicitly separate identity, account, tenant membership, organization unit, function, role, and right so directory facts do not silently become business authority. Source concept/wiki doc: `govoplan-access/docs/IDENTITY_ACCOUNT_FUNCTION_MODEL.md`. Acceptance criteria: - [ ] Access docs and DTOs name the semantic layers clearly. - [ ] Explain responses can show identity/account/function/role/right provenance for access decisions. - [ ] Postbox, portal service directory, delegation, and workflow authorization can consume the model through stable contracts. Context recovered from previous GovOPlaN planning chats and consolidated into the roadmap/docs on 2026-07-09. <!-- govoplan-recovered-concept:971964642a3f9961 -->
Author
Owner

Codex State: done

Summary

  • Formalized identity/account/function/role/right semantics with explicit IDM boundary and organization-unit function scope.
  • Added kernel DTO/protocol groundwork for identities, organization units, functions, function assignments, delegations, and access-decision provenance.
  • Extended principal serialization with optional identity, role, function assignment, delegation, and acting-in-place fields for future runtime population.

Changed Files

  • ../govoplan-core/src/govoplan_core/core/access.py
  • ../govoplan-core/src/govoplan_core/api/v1/schemas.py
  • ../govoplan-core/webui/src/types.ts
  • ../govoplan-core/tests/test_access_contracts.py
  • README.md
  • docs/ACCESS_MODULE_BOUNDARY.md
  • docs/IDENTITY_ACCOUNT_FUNCTION_MODEL.md

Verification

  • cd /mnt/DATA/git/govoplan-core && ./.venv/bin/python -m unittest tests.test_access_contracts
  • cd /mnt/DATA/git/govoplan-core/webui && npm run build

Next / Blocked

  • Storage migrations, admin CRUD, principal population, and consumer retrofits are the next implementation phase after this semantic contract issue.
## Codex State: done ### Summary - Formalized identity/account/function/role/right semantics with explicit IDM boundary and organization-unit function scope. - Added kernel DTO/protocol groundwork for identities, organization units, functions, function assignments, delegations, and access-decision provenance. - Extended principal serialization with optional identity, role, function assignment, delegation, and acting-in-place fields for future runtime population. ### Changed Files - `../govoplan-core/src/govoplan_core/core/access.py` - `../govoplan-core/src/govoplan_core/api/v1/schemas.py` - `../govoplan-core/webui/src/types.ts` - `../govoplan-core/tests/test_access_contracts.py` - `README.md` - `docs/ACCESS_MODULE_BOUNDARY.md` - `docs/IDENTITY_ACCOUNT_FUNCTION_MODEL.md` ### Verification - `cd /mnt/DATA/git/govoplan-core && ./.venv/bin/python -m unittest tests.test_access_contracts` - `cd /mnt/DATA/git/govoplan-core/webui && npm run build` ### Next / Blocked - Storage migrations, admin CRUD, principal population, and consumer retrofits are the next implementation phase after this semantic contract issue.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-access#9
No description provided.