UMS-specific: No Evolith upstream. The semantic client contract (code-first, ID-optional) is specific to UMS’s Authorization Graph SDK surface. Related to ADR-0073 and ADR-0074.
Status: Accepted
Date: 2026-06-04
Decision Owner: Architecture
Related:
UMS’s long-term goal is to act as a clear authorization graph provider for client systems. Clients should be able to activate, deactivate, execute, or deny options based on a contract that is stable, human-readable, and business-semantic.
The current graph already contains rich authorization data, but it also exposes internal technical identifiers (Guid values) in multiple sections. Those identifiers are useful inside the backend, for correlation, and for diagnostic workflows, but they are not ideal as the primary contract for downstream client systems.
The product direction is to make the client-facing graph:
UMS will treat the client-facing authorization graph as the current semantic contract and keep IDs out of the default client surface.
The graph exposed to client systems should rely primarily on:
codevaluedescriptioneffectsourcescopevalidUntilschemaVersionTechnical GUIDs remain internal implementation details unless a diagnostic or migration scenario requires them.
The following identifiers should not be required by standard clients:
user.idtenant.idsystemSuite.idrole.idprofile.idbranch.idThese values may still exist in backend models, audit records, and internal admin views, but they should not be necessary for normal client authorization decisions.
An optional diagnostic contract can expose GUIDs only when:
includeIds=true or an equivalent support-only flagThis mode exists for troubleshooting, correlation, and migration support, not for standard client consumption.
Client systems must use stable business codes to interpret the graph:
This keeps client logic independent from database-generated identifiers.
UMS does not introduce a separate refresh token contract for the semantic graph. The graph remains valid until its validUntil value. When it expires, the client re-authenticates and receives a fresh graph snapshot.
This avoids partial refresh states where a token is renewed but the authorization model is stale or mismatched.
For client systems, the graph should be the authoritative decision payload during its validity window. The client should not need to infer access from backend GUIDs or re-query UMS for each action.
{
"schemaVersion": "1.0.0",
"graphId": "optional-support-correlation-id",
"context": {
"tenant": {
"code": "TECHNO",
"value": "Techno Logistics",
"status": "ACTIVE",
"isManagementOwner": false
},
"systemSuite": {
"code": "WMS_SUITE",
"value": "Warehouse Management Suite",
"status": "PUBLISHED"
},
"role": {
"code": "WAREHOUSE_SUPERVISOR",
"value": "Warehouse Supervisor",
"hierarchyLevel": 3
},
"profile": {
"scope": "BranchScoped",
"isActive": true
},
"branch": {
"code": "LIM-01",
"value": "Lima Main Branch"
}
},
"permissions": [
{
"resourceCode": "INVENTORY",
"actionCode": "VIEW",
"effect": "Allow",
"source": "Template"
}
],
"scopes": [
"INVENTORY.VIEW"
],
"featureFlags": [
{
"flagCode": "NEW_MENU_EXPERIMENT",
"isEnabled": true
}
],
"effectiveConfig": {
"sessionTimeoutMinutes": 60,
"accessTokenDurationMs": 3600000
},
"generatedAt": "2026-06-04T12:00:00Z",
"validUntil": "2026-06-04T13:00:00Z"
}
The exact structure can evolve, but the contract must remain semantically readable and stable for client systems.
| Area | Guidance |
|---|---|
| Graph builder | Produce semantic fields as the default client projection |
| Internal model | Keep GUIDs in backend aggregates and audit records |
| Client endpoints | Prefer code/value/description-based responses |
| Diagnostic mode | Expose IDs only to authenticated internal support flows |
| SDKs | Consume semantic fields as the canonical decision surface |
| Documentation | Keep English and Spanish contract docs synchronized |