Multi-Tenant System Administration Module Design with Federated Authentication

System administration is a common requirement in many of the systems. This includes user authentication to authorization management to content within a system. There are set of commonly used functions within an legacy administrative module for authentication and authorization such as;

User Authentication
1. User Management
  • Maintenance of user authentication credentials within the system in traditional systems.
  • System has to maintain critical information of the user and maintain them such as passwords.
  • User has to maintain a profile with the system; in other words user has to register on the system.
  • To avoid the hassle of remembering password for multiple number of systems, Identity Delegation and Federated Authentication is used instead of maintaining credentials locally.
  • In Federated Authentication, third party openID enabled service will be used to authenticate user where the system (Resource Owner) does not need to maintain password and login credentials locally.

2. Authentication Rules

  • This will be maintaining reusable profiles for user authentication where they could be assigned to each user.
  • This is required in legacy user authentication models.
  • This will not be required when used federated authentication where the openID enabled authentication service provider will have to implement authentication rules since login credentials are maintained with them.
Role Authorization
3. User Role Management
  • Maintain Roles within the system
  • E.g.:- Administrator, Financial Controller, Manager, Data Entry Operator etc.
4. User – User Role access Management
  • Keep track on which user has access to which role.
  • This should be a function allowed to system administration personal.
Organization Hierarchy
5. Organization
  • This will represent the highest node in the system hierarchy.
  • E.g.:- If a corporate with multiple subsidiaries, this will be the corporate.
6. Business Unit
  • This will maintain details of subsidiaries or divisions or department details under Organization.
Blank Flowchart - New Page
Content Authorization
There will be details kept as master information for the purpose of authorization as below.
7. System Modules
  • Maintains main modules of the system.
  • Each module will attach to the Organization where it could be consumed by multiple business units.
  • E.g.:- General Finance, Administration, Operations etc.
8. System Module Interfaces
  • Maintains each user interface listed under the module
  • E.g.:- Tax data entry interface, Journal entry interface under General Finance Module
9. System Module Interface Grouping
  • Grouping of the above interfaces to increase accessability
  • E.g.:- Content authorization management activities under ‘Authorization’ group
10. System Module Interface Fields
  • List of data fields within an interface
  • E.g:- Tax Type, Rate on Tax data entry interface
  • This could be enable as an automated process where list of data fields as maintained within an excel sheet and they sync with the system when required to enhance maintainability.

Above master information will be mapped to each User Authorization on specific business unit where the user could select the business unit upon login to the system as below.

11. User – User Role – Module Mapping

  • Map ‘User – User Role’ authorizing structure with selected Module for selected ‘Business Unit’.
  • When this feature is enabled, access is granted at Module level where user has full access on all Interface and Interface Fields.

12. User – User Role – Interface Mapping

  • Map ‘User – User Role’ authorizing structure with selected Interface for selected ‘Business Unit’.
  • When this feature is enabled, access is granted at Interface level where user has full access on a selected Interface and Interface Fields.

13. User – User Role – Interface Fields Mapping

  • Map ‘User – User Role’ authorizing structure with selected Interface Field for selected ‘Business Unit’.
  • When this feature is enabled, access could be controlled at data field level where critical data fields could be grant / revoke for selected  ‘User – User Role’ authorizing structure.

All functionalities (modules) attached and authorized to the user could be generated dynamically upon user authorization.

High-level data flow could be elaborated as below;

Blank AWS Network Diagram - New Page

Common Validations and Security

This could be maintained at higher level of class hierarchy and override on sub level as and when required.

  • Numbers cannot be minus.
  • Characters could not be submitted on Numeric fields.
  • Standard date format for whole system (could be configurable on property file)
  • For session validation, following session attributes are required to be existing upon new resource request from the server.
    • LOGGER_KEY_SECURED (specific user credential with cryptographically secured value stored on a session cookie at client side)
  • If session is not validated, it be redirected to the index by clearing session and cache data.
  • Delete, Update operations must be altered before proceeding.

Database Design

The following illustrates the database Entity Relationship Model of the module.

erdcor1

Detail standard table descriptions are elaborated in below.

  • ORGANIZATION
Field name data type length key is null default
o_id int pk false
name varchar 512 unique false
description varchar 2048 true
reg_no varchar 256 unique true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
  • BUSINESS_UNIT
Field name data type length key is null default
bu_id int pk false
name varchar 512 unique false
display_name varchar 512 unique false
description varchar 2048 true
reg_no varchar 256 unique true
address_1 varchar 1024 true
address_2 varchar 1024 true
address_3 varchar 1024 true
address_4 varchar 1024 true
contact_Number_1 varchar 16 true
contact_number_2 varchar 16 true
fax_number_1 varchar 16 true
fax_number_2 varchar 16 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
o_id int fk false
  • AUTH_RULES

This table will not be required when using a federated or delegated user authentication mechanism since the password profiles of the user are maintained by the federated or delegated identity service provider such as google, facebook, linkedin etc.

Field name data type length key is null default
ar_id int pk false
profile_name varchar 256 unique false
password_valid_period int false
password_grace_period int false
maximum_login_attempts int false
password_length int false
number_of_capitals int false
number_of_symbols int false
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
  • USER

When using a federated or delegated authentication solution, the pass_word and ar_id fields which refer to the authentication features of the user are not required on the user table. Instead of those fields, it may required to add token values which are used to validate single sign on session of the user with the federated or delegated authentication service provider.

Field name data type length key is null default
u_id int PK false
user_name varchar 256 unique false
pass_word varchar 256 false
first_name varchar 512 false
last_name varchar 512 true
contact_email varchar 256 unique true
contact_number varchar 16 true
description varchar 2048 true
login_attempts int true 0
restrict_times int true 0
date_last_logged date true current date (logged)
time_last_logged time true current time (logged)
date_last_password_change date true password change date
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
ar_id int fk false
  • USER_ROLE
Field name data type length key is null default
ur_id int pk false
name varchar 256 unique false
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
  • USER_USERROLE
Field name data type length key is null default
uur_id int pk false
u_id int UNIQUE / Composite false
ur_id int false
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
  • USER_LOG
Field name data type length key is null default
ul_id int pk false
log_type varchar 64 false
time time false
date date false
uur_id int fk false
  • MODULE
Field name data type length key is null default
m_id int pk false
title varchar 256 unique false
display_title varchar 256 false
description varchar 2048 true
base_url varchar 2048 unique false
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
o_id int fk false
  • INTERFACE_GROUP
Field name data type length key is null default
ig_id int pk false
title varchar 256 unique false
display_title varchar 256 false
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
m_id int fk false
  • INTERFACE
Field name data type length key is null default
i_id int pk false
title varchar 256 unique false
display_title varchar 256 false
node_url varchar 64 unique false
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
ig_id int fk false
  • INTERFACE_FIELD
Field name data type length key is null default
if_id int pk false
form_id varchar 256 unique / CK false
i_id int false
is_mandatory BOOLEAN FALSE false
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
  • USERROLE_MODULE
Field name data type length key is null default
urm_id int pk false
ur_id
int Unique / ck false
m_id int false
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
bu_id int fk false
  • USERROLE_INTERFACE
Field name data type length key is null default
uri_id int pk false
ur_id int Unique / ck false
i_id int false
create_granted boolean false false
edit_granted boolean false false
delete_granted boolean false false
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
bu_id int fk false
  • USERROLE_INTERFACEFIELD
Field name data type length key is null default
urif_id int pk false
ur_id int Unique / ck false
if_id int false
is_visible Boolean false true
is_editable boolean false true
description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
status int true 1
bu_id int fk false
  • MODULE_INTERFACE_FIELD_LOG
Field name data type length key is null default
mifl_id int pk false
update_description varchar 2048 true
date_created date true current date
time_created time true current time
date_modified date true current date
time_modified time true current time
created_by varchar 256 true current user
modified_by varchar 256 true current user
uur_id int fk false
if_id         int fk false
bu_id int fk false

UI/UX Design

  • Organization

Description – This will be a basic interface where the user will required to input following basic fields.
Input – Name, Registration No, Description, Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – ORGANIZATION

  • Business Unit

Description – Business Units under the Organization will be added via this interface.
Input –
Organization (List Box with Organizations), Name (System purpose – technical), Dispalay Name (Display purpose – non technical), Registration No, Address Field (Expandable up to 4 lines), Contat Details (Expandable up to 2 lines), Fax Details (Expandable up to 2 lines), Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – BUSINESS_UNIT

  • Authentication Rules (Not required in Federated Authentication)

Description – Basic interface to enter authentication profiles of users
Input – Profile Name, Password Length, Password Valid Period, Password Grace Period, Max Login Attempts, Number of Caps, Numbers of Symbols, Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – AUTH_RULE

  • User

Description – This will be a basic interface to enter user details
Input – Authentication Profile (List box of Auth Profiles if delegated identity is not used), Username, Password (if delegated identity is not used), First Name, Last Name, Email, Contact Number, Description, Login Attempts (Read only – Manage by system), Restricted Attempts (Read only – Manage by system), Date-Time Last Logged (Read only – Manage by system), Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – USER

  • User Role

Description – A basic interface to enter user role details
Input – Name, Description, Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – USER_ROLE

  • User – User Role (User Authentication)

Description – Mapping user to required user roles will continue on this interface.
Input – User (To be select on left side of the screen), User Role (To be displayed on right side of the screen where already grated roles are shown as icon/action to revoke, and not grated roles are shown with check box.
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – USER_USERROLE

  • Module

Description – A basic interface to enter module details
Input – Title (System purpose – technical), Display Title (User purpose – non technical), Description, Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – MODULE

  • Interface Group

Description – A basic interface to enter interface grouping details
Input – Module (List box to select the Module), Title (System purpose – technical), Display Title (User purpose – non technical), Description, Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – INTERFACE_GROUP

  • Interface

Description – A basic interface to enter interface details
Input – Module (List box to select the Module), Title (System purpose – technical), Display Title (User purpose – non technical), Node Url (Interface access link or parameter), Description, Status (active by default)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – INTERFACE

  • Interface Field

Description – This is a basic interface to maintain interface fileds
Input – Module (List Box to select the Module), Interface (List Box to select the Interface), Form Id (Field Name on interface), Mandatory (yes / no box), Description, Status (active by default), Upload ( Function to upload interface fields since it will be convenient at the initial data entry over manual entry)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – INTERFACE_FILELD

  • (User Role) – Module (Module Authentication)

Description – Mapping of each Module to authorized User Roles.
Inputs – Organization, Business Unit, UserRole (List box on left side), Module (List Box on right side)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – USERROLE_MODULE

  • (User Role) – Interface (Interface Authentication)

Description – Mapping of Interface to authorized User Roles
Input – Organization, Business Unit, UserRole (List Box on left side), Module (List Box on middle), Interface (List Box on right)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – USERROLE_INTERFACE

  • (User Role) – Interface Field (Interface Field Authentication)

Description – Mapping of Interface Field to authorized User Roles
Input – Organization, Business Unit, UserRole (List Box on left side), Module (List Box on middle), Interface (List Box on right), Field (List Box bottom)
Functions
– Create, View, Update, Delete
Algorithms – N/A
Security – Super user security scope
Validations – Common validations
Entities – USERROLE_INTERFACEFIELD

The design could be modified according to the customized requirements and further this design could be extended to manage folowing features such as;

  • Alerts and Notifications Management

Manage and keep track of the alerts generated for various validations / conditions for the purpose of populating upon user login.

  • Work-flow Management

There will be following features enabled on the above design such as;

– Define a work-flow for specific Interface with number of approval levels.
– Define actor (User or User Role) for each level.
– Integrate work-flow feature on interface tool bar (upon save or based on condition) where the end user could initiate and pull the record on to the work-flow.

  • Schedule Management

There will be requirement to schedule reports and jobs to be executed on specific date / time or periodically. In order to cater for that requirement scheduler could be integrated with this module.

  • Reports Management

As Interfaces, system generated report authorization could be managed using the Interface functionality of the above design.

Thisara.

One Comment Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s