This document describes the business-readable conceptual data model for the User Management System (UMS).
It intentionally uses business-friendly names, but every concept must map to the DDD aggregate model and to the physical ER model.
Authoritative implementation note: The code-aligned physical ER model is maintained in Database Design ER. The DDD aggregate catalog is maintained in the Domain Aggregate Index. Use Data Model Consistency Review to validate alignment across conceptual, domain, physical, and persistence views.
The following table prevents ambiguity between early business terminology and the current DDD / physical model.
| Conceptual Name | DDD / Physical Name | Notes |
|---|---|---|
ORGANIZATION |
TENANT / Tenant |
Business organization maps to the tenant aggregate and tenant-scoped persistence model. |
USER |
USER_ACCOUNT / UserAccount |
User identity and lifecycle are governed by the UserAccount aggregate. |
BRANCH |
BRANCH / Tenant.Branch |
Branch is an owned child entity inside Tenant. |
PROFILE |
PROFILE / Profile |
User role assignment and scoped authorization profile. |
AUTH_TEMPLATE |
PERMISSION_TEMPLATE / PermissionTemplate |
Template-based permission blueprint. |
AUTHORIZATION |
PERMISSION_TEMPLATE_ITEM / PROFILE_PERMISSION |
Authorization is materialized through template items and profile permissions. |
SYSTEM |
SYSTEM_SUITE / SystemSuite |
Application suite or product surface governed by Authorization BC. |
MODULE |
FUNCTIONAL_MODULE / SystemSuite.Module |
Functional module under a system suite. |
MENU |
FUNCTIONAL_MENU / SystemSuite.Menu |
Functional menu under a module. |
SUBMENU |
FUNCTIONAL_SUBMENU / SystemSuite.SubMenu |
Required level in the physical and DDD hierarchy. |
OPTION |
FUNCTIONAL_OPTION / SystemSuite.Option |
Functional option under a submenu. |
ACTION |
ACTION / SystemSuite.Action |
Action can be attached to the functional hierarchy according to the authorization graph rules. |
SYSTEM_CONFIGURATION |
APP_CONFIGURATION / AppConfiguration |
Runtime configuration with global, tenant, or system scope. |
PROFILE_ACCESS_REQUEST |
APPROVAL_REQUEST / ApprovalRequest |
Profile request is implemented through the generic approval request model. |
EXTERNAL_ACCESS_REQUEST |
APPROVAL_REQUEST / ApprovalRequest |
B2B access request is modeled as an approval workflow unless a dedicated record is introduced by ADR. |
erDiagram
ORGANIZATION ||--o{ BRANCH : has
ORGANIZATION ||--o{ ORGANIZATION : parent_hierarchy
USER ||--o{ EXTERNAL_ACCESS_REQUEST : sponsors
ORGANIZATION ||--o{ EXTERNAL_ACCESS_REQUEST : targets
ORGANIZATION ||--o{ USER : contains
ORGANIZATION ||--o{ PROFILE : owns
TENANT_SIGNUP_REQUEST }o--o| ORGANIZATION : approved_as
USER ||--o{ PROFILE_ACCESS_REQUEST : requests
BRANCH ||--o{ PROFILE : scoped_to
BRANCH ||--o{ USER_PROFILES : restricts
USER ||--o{ USER_PROFILES : assigned
PROFILE ||--o{ USER_PROFILES : holds
PROFILE }o--o| AUTH_TEMPLATE : implements
PROFILE ||--o{ AUTHORIZATION : declares
AUTH_TEMPLATE ||--o{ AUTHORIZATION : templates
SYSTEM ||--o{ MODULE : contains
MODULE ||--o{ MENU : contains
MENU ||--o{ SUBMENU : contains
SUBMENU ||--o{ OPTION : contains
SYSTEM ||--o{ ACTION : declares
MODULE ||--o{ ACTION : declares
MENU ||--o{ ACTION : declares
SUBMENU ||--o{ ACTION : declares
OPTION ||--o{ ACTION : declares
AUTHORIZATION }o--|| ACTION : targets
NETWORK ||--o{ PROFILE : restricts
SYSTEM ||--o{ IDP_CONFIGURATION : uses
ORGANIZATION ||--o{ IDP_CONFIGURATION : configures
SYSTEM ||--o{ SYSTEM_CONFIGURATION : has
ORGANIZATION ||--o{ SYSTEM_CONFIGURATION : scopes
SYSTEM ||--o{ FEATURE_FLAG : governs
FEATURE_FLAG ||--o{ FLAG_EVALUATION_LOG : produces
| Conceptual Entity | Implemented Source | Purpose |
|---|---|---|
TENANT_SIGNUP_REQUEST |
identity.TenantSignupRequests |
Tracks public company signup before tenant creation. |
USER with pending status |
identity.UserAccounts.StatusId = Pending |
Tracks user signup requests for an existing tenant. |
PROFILE_ACCESS_REQUEST |
approvals.ApprovalRequests |
Tracks profile access requests from lobby users. |
The final business outcomes for user signup and profile access requests are Approved and Denied. Current implemented persistence stores profile denial as ApprovalStatus.Rejected, which must be translated to Denied at application and UI boundaries.
Physical / DDD mapping:
USER_ACCOUNT/UserAccount.
id (UUID, PK): Unique identifier for the user.organization_id (UUID, FK): Owning tenant organization.email (string, Unique): Corporate email address.password_hash (string, Nullable): Populated only when the Internal Bcrypt Strategy adapter is active for the organization. NULL when authentication is delegated to an external IdP.identity_reference (string): External unique ID linking to corporate HR/ERP records.status (enum): ACTIVE, SUSPENDED, or TERMINATED.created_at (datetime2): Record creation timestamp.Physical / DDD mapping:
TENANT/Tenant.
This entity represents a company node. An organization can be the primary corporate Tenant (INTERNAL), or an external actor such as a B2B CLIENT or SUPPLIER.
id (UUID, PK): Unique identifier for the organization.tenant_id (UUID, FK): The overarching master tenant this organization belongs to.parent_organization_id (UUID, FK, Nullable): Self-referencing link for hierarchical grouping.type (enum): INTERNAL, CLIENT, SUPPLIER, PARTNER.name (string): Corporate legal company name.company_reference (string): External company code linking to corporate ERP.idp_strategy (enum): INTERNAL_BCRYPT, ZITADEL, AZURE_AD, OKTA, SAML2, GENERIC_OIDC.status (enum): ACTIVE or BLOCKED.Physical / DDD mapping:
BRANCH/Tenant.Branch.
id (UUID, PK): Unique identifier for the branch.organization_id (UUID, FK): Owning tenant organization.name (string): Human-readable branch name.code (string, Unique within organization): Short branch code.geofencing_metadata (nvarchar(max) JSON, Nullable): Optional geofencing constraints.status (enum): ACTIVE or SUSPENDED.Physical / DDD mapping:
PROFILE/Profile.
id (UUID, PK): Unique identifier for the profile.organization_id (UUID, FK): The owning tenant organization.branch_id (UUID, FK, Nullable): Optional branch scope. NULL means profile applies organization-wide.name (string): Human-readable profile name.template_id (UUID, FK, Nullable): Optional linked Authorization Template.auto_assigned (boolean): true if assigned via the automatic rule-based engine.Physical / DDD mapping:
PERMISSION_TEMPLATE_ITEMandPROFILE_PERMISSION.
id (UUID, PK): Unique identifier for the authorization record.profile_id (UUID, FK, Nullable): Linked profile if customized locally.template_id (UUID, FK, Nullable): Linked template if inherited from a blueprint.action_id (UUID, FK): Mapped system action.effect (enum): ALLOW or DENY.Physical / DDD mapping:
PERMISSION_TEMPLATE/PermissionTemplate.
id (UUID, PK): Unique identifier for the template.name (string): Human-readable template name.version (string): Semantic version.system_id (UUID, FK): The target client system this template is designed for.created_by (UUID, FK): Admin user who created the template.created_at (datetime2).Physical / DDD mapping:
SYSTEM_SUITE/SystemSuite.
id (UUID, PK): Unique identifier for the application/sub-portal.name (string, Unique): Application name.system_code (string, Unique): Machine-readable slug.base_url (string): Base physical URL for routing.api_credential_hash (string): Hashed M2M credential for gateway validation.Physical / DDD mapping:
FUNCTIONAL_MODULE,FUNCTIONAL_MENU,FUNCTIONAL_SUBMENU,FUNCTIONAL_OPTION,ACTIONinsideSystemSuite.
These form the hierarchical navigation topology compiled into the Authorization Graph.
The resource hierarchy is:
System → Module → Menu → SubMenu → Option
Actions may be attached at any level according to the physical model and authorization graph contract:
System / Module / Menu / SubMenu / Option
Module: module_id (UUID, PK), system_id (UUID, FK → System), name, code, description, is_active.Menu: id, module_id (FK), label, order, icon_code.SubMenu: id, menu_id (FK), label, order, icon_code.Option: id, submenu_id (FK), label, route_path.Action: action_id (UUID, PK), action_name, action_code, level, level_id, is_active.Physical / DDD mapping:
IDP_CONFIGURATION/IdpConfiguration.
id (UUID, PK)tenant_id (UUID, FK → ORGANIZATION)system_id (UUID, FK, Nullable → SYSTEM): NULL means applies to all systems for the tenantcode (string, Unique by scope): Stable technical key for the IdP configuration record.value (nvarchar(max) JSON): Operational configuration payload consumed by runtime.description (text): Functional purpose, impact, expected behavior, and applicable scope.provider_type (enum): INTERNAL_BCRYPT, ZITADEL, AZURE_AD, OKTA, KEYCLOAK, AUTH0, GOOGLE, LDAP, SAML2, GENERIC_OIDCpriority (integer): Resolution order.fallback_to (UUID, FK, Nullable → IDP_CONFIGURATION)config_payload (nvarchar(max) JSON, encrypted): Authority URL, client_id, scopes, claim mappingsconfig_secret_ref (string): Vault path for encrypted credentialsdomain_hints (text[]): Email domain patterns for IdP routingmfa_enforced (boolean)status (enum): ACTIVE, INACTIVE, DRAFTversion (string): Semantic version of this config recordPhysical / DDD mapping:
APP_CONFIGURATION/AppConfiguration.
id (UUID, PK)system_id (UUID, FK → SYSTEM)tenant_id (UUID, FK → ORGANIZATION)code (string, Unique by scope): Stable technical key for the configuration parameter.value (nvarchar(max) JSON): Operational value used by the system at runtime.description (text): Functional purpose, impact, expected behavior, and scope.version (string): Semantic version.config_payload (nvarchar(max) JSON): Full behavioral config.status (enum): ACTIVE, ARCHIVED, DRAFTpublished_at (datetime2)published_by (UUID, FK → USER)Physical / DDD mapping:
FEATURE_FLAG/FeatureFlag.
id (UUID, PK)code (string, Unique globally): Canonical feature flag identifier.value (nvarchar(max) JSON): Effective operational flag value/payload.description (text): Functional purpose, impact, expected behavior, and scope.flag_code (string, Unique globally): Machine-readable identifier.type (enum): BOOLEAN, VARIANT, PERCENTAGEtargets (nvarchar(max) JSON): Scoping rules.status (enum): ACTIVE, INACTIVE, ARCHIVEDlinked_resource_type (string, Nullable)linked_resource_id (UUID, Nullable)version (string)created_by (UUID, FK → USER)created_at (datetime2)Physical / DDD mapping:
FLAG_EVALUATION_LOG/FeatureFlag.FlagEvaluationLog.
id (UUID, PK)flag_id (UUID, FK → FEATURE_FLAG)evaluated_for_type (string): user, tenant, organizationevaluated_for_id (UUID)result (boolean or variant value)evaluated_at (datetime2)Physical / DDD mapping: currently represented by
ApprovalRequestunless a dedicated B2B request persistence record is introduced by ADR.
id (UUID, PK)sponsor_user_id (UUID, FK → USER): Internal user requesting access for a third party.target_organization_id (UUID, FK, Nullable → ORGANIZATION): The external B2B client/supplier organization.target_user_email (string): Email of the external user.requested_profile_id (UUID, FK → PROFILE): Suggested role for the external user.justification (text): Business rationale for granting access.status (enum): DRAFT, PENDING_APPROVAL, APPROVED, REJECTED.approved_by (UUID, FK, Nullable → USER): Admin who authorized the request.All parameter/configuration/catalog entities MUST include, at minimum:
codevaluedescriptiondescription MUST clearly document:
This standard applies to global, tenant, and system/suite scoped parameters; feature flags; policies; security configurations; workflows; business rules; and notification/approval configurations.
All these entities must also define:
ALLOW is declared by a profile or template.DENY is present, the user inherits all active ALLOW blocks from all assigned profiles.DENY from any active profile instantly invalidates matching ALLOW blocks across all other profiles.Use this document to discuss the business model with product, QA, and stakeholders. Use the following documents for implementation validation:
| Need | Authoritative Source |
|---|---|
| DDD aggregate ownership and invariants | Domain Aggregate Index |
| Physical ER and SQL Server model | Database Design ER |
| Cross-view consistency | Data Model Consistency Review |