docs(adr-0025): authorization model — privileges × roles × scopes
CI / a11y (pull_request) Successful in 3m22s
Docs site / build (pull_request) Successful in 3m29s
CI / perf (pull_request) Successful in 6m35s
CI / scan (pull_request) Successful in 3m10s
CI / commits (pull_request) Successful in 3m26s
CI / check (pull_request) Successful in 3m37s

Proposes a three-orthogonal-axis authorization model:

- Privileges (Entra app roles): coarse portal-level capabilities.
  v1 catalogue ships one entry, Portal.Admin.
- Functional roles (Entra security groups mapped to a curated
  slug catalogue): what someone does in APF. 22 v1 entries grouped
  into workforce / governance / volunteer / external.
- Scopes (apf_portal-side user_scopes table, future Pléiades
  feed): where a role applies. 6 v1 kinds (self / etablissement /
  delegation / region / siege / unrestricted).

Replaces stargate's linear hierarchy (Admin ⊃ Directeur ⊃ RH ⊃
Collaborateur) which conflated portal privilege with business
role and ignored geographic scope entirely.

Specifies the Entra-side setup (one app role + one security
group per functional role), the Principal shape consumed by
portal guards, and the deterministic projection to ADR-0024's
flat-roles[] AI-service contract. Ten test-tenant personas
documented for the user to provision in the freshly available
test tenant.

Status: proposed. Implementation phasing recorded in §"More
Information" — types + Principal builder, guards, drift CI gate,
test-tenant seed, in that order.
This commit is contained in:
Julien Gautier
2026-05-20 16:52:15 +02:00
parent e389567a3c
commit a7dfd83571
2 changed files with 394 additions and 0 deletions
+1
View File
@@ -68,3 +68,4 @@ ADRs are listed in numerical order. To slice by topic, filter on the `Tags` colu
| [0022](0022-docs-site-vitepress.md) | Documentation site — VitePress + Mermaid plugin, separate static deployment | accepted | `process`, `infrastructure` | 2026-05-15 |
| [0023](0023-charts-d3-observable-plot.md) | Charts + dashboards — D3 + Observable Plot wrapped in `libs/shared/charts` | accepted | `frontend`, `accessibility`, `performance` | 2026-05-16 |
| [0024](0024-ai-service-relay-grpc-sse-bridge.md) | AI service relay — vendored gRPC protos, NestJS gRPC client, SSE bridge to the SPA, POC unsigned principal | accepted | `backend`, `security`, `observability` | 2026-05-19 |
| [0025](0025-authorization-model-privileges-roles-scopes.md) | Authorization model — three orthogonal axes (privileges × functional roles × scopes), Entra-backed | proposed | `security`, `backend`, `data` | 2026-05-20 |