4.1 KiB
Hats, Realms, Services, Assets, And Access Profiles
Status: implemented headless slice Date: 2026-06-15 Related workplan: USER-WP-0012
Purpose
This slice models how a NetKingdom user can wear different hats across tenant, realm, service, asset, and group contexts. It gives authorization systems and service runtimes explicit access-control facts and claims-enrichment context without moving final policy decisions into user-engine.
Vocabulary
The USER-WP-0012 vocabulary maps onto existing user-engine facts:
- tenant: isolation boundary and tenant account state;
- realm: broad domain or community scope represented by membership scope
realm; - service: protected application or service scope represented by membership
scope
serviceor an access profileservice_id; - asset: protected resource scope represented by membership scope
assetor an access profileasset_id; - group: group membership represented by membership scope
group; - hat: active role persona selected from an access profile;
- access profile: template that combines membership requirements, factor requirements, profile defaults, and projection claim rules.
Domain Model
AccessProfile defines a claimable hat for a tenant context. It stores the
hat name, scope type/id, optional realm/service/asset ids, required membership
facts, required factor types, profile defaults, claims, group ids, and an
approval flag.
ActiveAccessContext records the user's currently selected hat for a tenant.
It stores the selected access profile, active scope, matched membership ids,
verified factor ids, group ids, projection claims, and profile defaults.
AccessControlFact is the export shape for policy and ACL systems. Facts can
represent direct user memberships, group-derived facts, and active-context
facts over realm, service, or asset scopes.
Public Facade
UserEngineService exposes:
register_access_profile(...)list_access_profiles(...)select_active_hat(...)export_access_control_facts(...)access_profile_diagnostics(...)
All mutating and read/export operations pass through the authorization port.
Selection Rules
Hat selection fails closed unless all of these are true:
- the actor is allowed to operate in the tenant context;
- the target user has an active tenant account;
- the access profile belongs to the tenant and is not approval-required;
- every profile membership requirement is satisfied by existing memberships;
- every required factor type has unexpired verified user evidence;
- the authorization port allows the active-context selection.
Selecting a hat records an ActiveAccessContext, emits
active_access_context.selected, and keeps raw factor values out of events and
projections.
Identity Context And Projections
identity_context now includes:
active_access_context;access_control_facts;- canon references for active hat, access profile, realm, service area, asset scope, and groups;
- relationship references such as
wears_hatandselected_access_profile.
Claims-enrichment projections include an access_context mapping when the
active context applies to the requested application/service. Service-specific
contexts are omitted from projections for other applications.
Export Boundary
export_access_control_facts returns an adapter-neutral manifest plus facts.
External authorization engines or ACL systems can consume these facts, but
they remain responsible for final policy decisions and runtime enforcement.
Redaction And Diagnostics
Diagnostics report counts, required factor types, and approval-required issues. They deliberately do not return profile default values, projection claim values, factor values, phone numbers, postal addresses, eID payloads, or other proofing data.
Current Limits
- user-engine does not implement a policy engine or ACL evaluator.
- Approval workflows for privileged hats remain a later slice.
- Access profile profile-default values are carried into active context and projections, but this slice does not persist them as catalog profile values.
- UI selection flow contracts are implemented by USER-WP-0014.