Bluewoo HRMS

Authentication & Authorization

Auth strategy and RBAC decisions

Goal

Build a secure authentication system with SystemRole-based authorization using Auth.js database sessions.

Technology Decisions

Component        | Choice                   | Why
-----------------|--------------------------|------------------------------------------
Auth Library     | Auth.js (NextAuth) 5.x   | Next.js integration, OAuth support
Session Strategy | Database sessions (MVP)  | Simpler setup via PrismaAdapter
Authorization    | SystemRole-based         | SYSTEM_ADMIN, HR_ADMIN, MANAGER, EMPLOYEE
Future           | JWT tokens               | May add for API-to-API calls later

MVP Session Strategy: Phase 01 uses database sessions via the Auth.js PrismaAdapter (not JWT). The session callback enriches the session with tenantId and systemRole. See Phase 01 for implementation details.

Authentication

Login Methods (MVP)

  • Google SSO (primary for MVP)
  • Email/password (future enhancement)

Session Strategy (MVP)

  • Database sessions via Auth.js PrismaAdapter
  • Session stored in PostgreSQL sessions table
  • Session callback enriches with tenantId and systemRole
  • Tenant auto-created on first login via createUser event

Session Contains

  • User ID, email, name, image
  • tenantId (assigned by createUser event)
  • systemRole (SYSTEM_ADMIN, HR_ADMIN, MANAGER, EMPLOYEE)
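
The first-login flow above (adapter insert, createUser event creating the tenant, session callback copying tenantId and systemRole onto the session), simulated as an added example that is not the project's code. It runs without next-auth: the parameter shapes mirror the Auth.js createUser event and session callback but are local types (assumption), the Map stores stand in for the Prisma-backed users and tenants tables, and a first-time user becoming EMPLOYEE of a freshly created tenant is an assumption the page does not state.

```typescript
// Added example (not the project's code): database-session enrichment
// simulated without next-auth. Assumptions: local types mirror the Auth.js
// createUser event and session callback; Map stores replace Prisma tables;
// a first-time user becomes EMPLOYEE of a new tenant named after the domain.

type SystemRole = "SYSTEM_ADMIN" | "HR_ADMIN" | "MANAGER" | "EMPLOYEE";

interface DbUser {
  id: string;
  email: string;
  name: string | null;
  image: string | null;
  tenantId: string | null; // null until the createUser event assigns one
  systemRole: SystemRole;
}

interface EnrichedSession {
  user: { id: string; email: string; name: string | null; image: string | null;
          tenantId: string; systemRole: SystemRole };
  expires: string;
}

// Constructed in-memory stand-ins for the Prisma-backed tables.
const tenantTable = new Map<string, { id: string; name: string }>();
const userTable = new Map<string, DbUser>();
let userSeq = 1;
let tenantSeq = 1;

// Adapter step: PrismaAdapter inserts the user row first, with no tenant yet.
function adapterCreateUser(input: { email: string; name: string | null; image: string | null }): DbUser {
  const row: DbUser = { id: `user_${userSeq++}`, ...input, tenantId: null, systemRole: "EMPLOYEE" };
  userTable.set(row.id, row);
  return row;
}

// createUser event: fires once after the adapter insert; this is where the
// tenant is auto-created on first login and linked to the new user row.
function createUserEvent({ user }: { user: { id: string; email: string } }): DbUser {
  const tenant = { id: `tenant_${tenantSeq++}`, name: user.email.split("@")[1] ?? "unknown" };
  tenantTable.set(tenant.id, tenant);
  const row = userTable.get(user.id);
  if (!row) throw new Error(`createUser event for unknown user ${user.id}`);
  row.tenantId = tenant.id;
  return row;
}

// session callback: with the database strategy the callback receives the DB
// user row, so tenantId and systemRole are copied from it onto session.user.
// Fail closed: a session without a tenant must never be issued.
function sessionCallback({ session, user }: {
  session: { user: { email: string; name: string | null; image: string | null }; expires: string };
  user: DbUser;
}): EnrichedSession {
  if (user.tenantId === null) throw new Error(`user ${user.id} has no tenant; refusing session`);
  return {
    expires: session.expires,
    user: { id: user.id, email: session.user.email, name: session.user.name, image: session.user.image,
            tenantId: user.tenantId, systemRole: user.systemRole },
  };
}

function findUser(id: string): DbUser | undefined {
  return userTable.get(id);
}

// Walk a first login end to end: insert, event, then the enriched session.
function firstLogin(email: string, name: string | null): EnrichedSession {
  const created = adapterCreateUser({ email, name, image: null });
  const linked = createUserEvent({ user: created });
  return sessionCallback({
    session: { user: { email, name, image: null }, expires: "2030-01-01T00:00:00.000Z" },
    user: linked,
  });
}
```

The check in sessionCallback is the part worth keeping: if the createUser event ever fails between the adapter insert and the first session, a user row with a null tenantId exists, and refusing the session there is what keeps that user out of every tenant-scoped endpoint.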

Authorization: SystemRole-Based Hierarchy

Level        | Identification            | Access
-------------|---------------------------|-------------------------------
System Admin | systemRole = SYSTEM_ADMIN | All tenants, system config
HR Admin     | systemRole = HR_ADMIN     | Full access within tenant
Manager      | systemRole = MANAGER      | Team management, approvals
Employee     | systemRole = EMPLOYEE     | Basic read, own record updates

RBAC Permission Model

Permission Format

resource:action:scope

Components

Component | Options
----------|---------------------------------------------------------
Resources | employees, time_off, documents, settings, users, roles
Actions   | create, read, update, delete, approve
Scopes    | own, team, department, all

Examples

  • employees:read:all - Read all employees in tenant
  • employees:update:own - Update own employee record
  • time_off:approve:department - Approve for department members

Wildcards

  • Platform Admin: *:*:* (all permissions)
  • Tenant Admin: tenant:*:* (all within tenant)
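
A parser and deny-by-default matcher for the resource:action:scope format and the "*" wildcard defined above, added here as an example; it is not the project's code. Assumptions: scopes are ordered own < team < department < all, so a grant at a wider scope satisfies a narrower requirement; wildcards are legal in grants only, never in the permission an endpoint asks for; the doc's tenant:*:* shorthand is matched literally rather than expanded; the MANAGER and EMPLOYEE grant lists are constructed for illustration.

```typescript
// Added example (not the project's code): resource:action:scope matching.
// Assumptions: scope order own < team < department < all; "*" only in
// grants; tenant:*:* is not expanded; role grant lists below are constructed.

const SCOPE_RANK: Readonly<Record<string, number>> = { own: 0, team: 1, department: 2, all: 3 };

interface Permission { resource: string; action: string; scope: string }

// Structural validation only: exactly three non-empty components.
function parsePermission(text: string): Permission {
  const parts = text.split(":");
  if (parts.length !== 3 || parts.some((p) => p.trim().length === 0)) {
    throw new Error(`malformed permission "${text}": expected resource:action:scope`);
  }
  const [resource, action, scope] = parts.map((p) => p.trim()) as [string, string, string];
  return { resource, action, scope };
}

// Does one grant cover the required permission? "*" matches any value in
// that position; a wider scope covers a narrower one; unknown scopes never match.
function grantCovers(grant: Permission, required: Permission): boolean {
  const part = (g: string, r: string) => g === "*" || g === r;
  if (!part(grant.resource, required.resource) || !part(grant.action, required.action)) return false;
  if (grant.scope === "*") return true;
  const g = SCOPE_RANK[grant.scope];
  const r = SCOPE_RANK[required.scope];
  if (g === undefined || r === undefined) return false;
  return g >= r;
}

// Deny by default: allowed only if some well-formed grant covers the request.
// A wildcard in the required permission is a caller bug, so it is rejected
// loudly instead of silently matching everything.
function isAllowed(grants: readonly string[], requiredText: string): boolean {
  const required = parsePermission(requiredText);
  if ([required.resource, required.action, required.scope].includes("*")) {
    throw new Error(`wildcards are not allowed in a required permission: ${requiredText}`);
  }
  return grants.some((g) => {
    try {
      return grantCovers(parsePermission(g), required);
    } catch {
      return false; // a malformed grant grants nothing
    }
  });
}

// Constructed grant sets: PLATFORM_ADMIN follows the Wildcards section; the
// MANAGER and EMPLOYEE lists are illustrative, not the project's defaults.
const ROLE_GRANTS: Readonly<Record<string, readonly string[]>> = {
  PLATFORM_ADMIN: ["*:*:*"],
  MANAGER: ["employees:read:team", "employees:update:own", "time_off:approve:team"],
  EMPLOYEE: ["employees:read:own", "employees:update:own", "time_off:create:own"],
};
```

Two behaviours matter for review: a scope the table does not list never matches, and an unparsable grant is ignored rather than treated as a wildcard, so a bad row in the roles table can only narrow access, never widen it.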

Default Roles

Role     | Permissions
---------|-------------------------------
Admin    | Full tenant access
Manager  | Team management, approvals
Employee | Basic read, own record updates

Security Rules

  1. Database sessions via Auth.js PrismaAdapter (MVP)
  2. TenantGuard validates tenant context on API requests
  3. SystemRoleGuard validates role permissions
  4. All endpoints protected by guards
  5. Audit logging for sensitive operations

See Phase 01 for implementation details.