SPEC-PRD-FED · v0.6 28 June 2026 Owner: Platform team
Federation — identity, roles & access
The cross-app authorization specification: who can sign in, which applications an account is entitled to, what each role can do, and what every user type can see — for all three tenant types, in one place. This is the document the prototypes resolve access from.
DraftLiving documentCross-app
Elaborates the master PRD — never redefines it. Tenancy, identity, authorization and partner agreements are owned by SPEC-PRD (TEN-/ID-/AUTH-/PRT-). Every FED requirement cites its parents; on any conflict the master wins and the discrepancy is logged in both revision histories. App PRDs keep their app-scoped requirements; this document holds what cuts across all five.
1The access model — six layers
Authorization is resolved in order. Each layer only narrows what the previous one allows; nothing later can widen what an earlier layer denied.
Layer
Question it answers
Decided by
1 · Tenant
Which tenant does this account belong to?
Account creation — exactly one tenant per account (ID-1)
2 · Entitlement
Which applications can this account open?
Tenant-type gating + a role grant per app (AUTH-2)
3 · Role
Which role does the account hold in this app?
One role per application per account (AUTH-1)
4 · Permission
What can that role do here?
The app's role × permission matrix (AUTH-3, ACC-2)
5 · Scope
Where do those permissions apply?
Organization default, narrowed per region or site (ACC-2)
The customer organization's members — owners, administrators, editors, viewers managing the org and monitoring its devices
Sanyodenki (Thailand)
partner
Members of a partner org — every partner is exactly one subtype platform-wide, reseller or distributor (PRT-9); the subtype shapes commercial visibility, not the access model
RiverSync users — the tenant manages no organization of its own (TEN-3); its accounts are managed like any tenant's (AUTH-4)
RiverSync Co., Ltd.
One organization can hold the partner and customer roles at once (TEN-2) — Nera both services Sanyodenki devices and runs RiverSync units of its own. Its members remain accounts of one partner tenant; the dual role widens that tenant's entitlements, never the account's tenancy.
3Identity & authentication
FED-1
Sign-in methods — Google · Microsoft · LinkedIn · email & password; organizations can enforce Microsoft Entra ID SSO at org level. Methods attach to the account, not the tenant. ← ID-3, ACC-5
FED-2
Identity is (email, tenant). An account belongs to exactly one tenant; the same email may hold a separate account per tenant. When an email resolves to several accounts, sign-in offers the account chooser — never a merged session. ← ID-1, ID-2
FED-3
One federated session. A signed-in RiverSync ID moves between every application it is entitled to without re-authentication. The product switcher lists only entitled apps — gated apps never appear as locked tiles to unentitled accounts. ← ID-4, AUTH-2
FED-4
Email verification gates org surfaces. Until the address is verified, organization pages render locked with an explain-and-unlock state naming what verification opens. My Account stays reachable. ← ACC-5
The whole model below sits on ASP.NET Core Identity 10 as its foundation — see §9 for the base-vs-extension mapping.
RiverSync Co., Ltd. · BangkokSPEC-PRD-FED · 1 of 5
4Application entitlement
FED-5
Entitlement = tenant-type gate + per-app role grant. The tenant type decides which of the six applications are reachable at all; within reachable apps, an account participates only where it holds a role grant (FED-18). The matrix below is normative. ← AUTH-1, AUTH-2
Application
Customer tenant
Partner tenant
riversync tenant
Accountaccount.riversync.com
Yes — full organization management
Yes — same org surface (a partner org is also a company)
Only while the org also holds the customer role (TEN-2) — for its own devices, never a customer's
No tile — RiverSync users reach a customer's view through an audited view-as session (FED-13)
Partnerspartner.riversync.com
No — never shown
Yes — agreement-scoped service work + deal registration
No — RiverSync sales work lives in Pipeline
Pipelinepipeline.riversync.com
No — never shown
No — never shown
Yes — role-gated by the sales permissions
Adminadmin.riversync.com
No — never shown
No — never shown
Yes — role-gated by the riversync catalog
Fieldfield.riversync.com
No — never shown
No — never shown
Yes — RiverSync on-site service (mobile/tablet), membership-gated to the engineer role (FED-18)
Which roles reach which apps — the tenant gate above narrows to a tenant; the role grant here narrows to a set of tiles
FED-18
App reach is per role, not only per tenant. Within a tenant's reachable apps (FED-5), a role holds a grant only in the apps it works in — so two members of one tenant can carry a different set of product tiles. The matrix is normative: a member's product switcher shows exactly its ● apps and nothing else. ← AUTH-1, AUTH-2, AUTH-3
Role
Account
Portal
Partners
Pipeline
Admin
Field
Customer tenant · Sanyodenki
Ownerfixed-full
●
●
—
—
—
—
Administrator
●
●
—
—
—
—
Editor
○
●
—
—
—
—
Viewer
○
○
—
—
—
—
Partner tenant · reseller (Nera — also a customer)
Administratorfixed-full
●
●¹
●
—
—
—
Service Coordinator
—
—
●
—
—
—
Sales
—
—
●
—
—
—
Partner tenant · distributor (MegaWarehouse — no customer role)
Administratorfixed-full
●
—
●
—
—
—
Channel Manager
—
—
●
—
—
—
Sales
—
—
●
—
—
—
riversync tenant · RiverSync
adminfixed-full
●²
va
—
●
●
●
support
—
va
—
—
●³
—
sales
—
—
—
●
—
—
accounting
—
—
—
—
●³
—
engineer
—
va
—
—
—
●
● role grant — tile shown○ reachable, read-mostlyva via view-as only (no standing tile)— no tile
¹ Nera (reseller) also holds the customer role (TEN-2), so its Administrator opens Portal for Nera's own devices; distributor partners hold no customer role and see no Portal tile. ² The riversync tenant's Account is users / roles / permissions only — no org pages (TEN-3). ³ RiverSync support, accounting and operational service surfaces live inside the Admin console; support and engineers reach a customer's Portal only through an audited view-as session (FED-13).
5Role model
FED-6
Exactly one role per account per application. A member can be Administrator in Account and Viewer in Portal; no account holds two roles in one app, and there is no role-union mechanic anywhere. ← AUTH-1, AUTH-6
FED-7
Every tenant owns its role set. Defaults below; tenants create custom roles on the standard Roles page (template-based: start from Viewer / Editor / Administrator / blank) and configure them on Permissions. The riversync tenant's five roles are ordinary configurable roles in this same model. ← AUTH-5, AUTH-7, ACC-2
FED-8
One fixed-full role per tenant. Customer and partner tenants: Owner. The riversync tenant: admin. The fixed role always holds every permission, renders locked-on in every matrix, and cannot be restricted or deleted. ← AUTH-7, ACC-2
¹ The partner default sets ship without a named Owner; whether partner tenants get an explicit Owner role or Administrator is their fixed-full role is an open question (§11) — the prototypes currently treat Administrator as fixed-full.
Roles and the role grant are the ASP.NET Core Identity AspNetRoles / AspNetUserRoles tables, extended (§9): ApplicationRole adds the fixed-full flag, ApplicationUserRole adds the per-app key that makes “one role per application” enforceable.
6Permission catalogs
FED-9
Permission catalogs are per application. Each app carries its own catalog, grouped by domain; the Permissions surface is a role × permission matrix per app, with the fixed-full role's column locked on. Apps the tenant cannot reach render as locked chips naming the reason. ← AUTH-3, AUTH-7, ACC-2
FED-10
Scope narrows, never widens. The matrix default applies organization-wide; a region or site override replaces it for that scope with an equal-or-narrower set. Departments do not drive permission scope (open question in SPEC-APP-ACC). ← ACC-2
Tenants & provisioning (4) · Support & service (3) · Sales (2) · Billing & accounting (2) · Device operations (3) · User management (2)
The riversync tenant, per role, on its own Permissions page (AUTH-7)
Partners apppartner tenants
Not yet cataloged — drafting tracked in §11
—
RiverSync Co., Ltd. · BangkokSPEC-PRD-FED · 2 of 5
7Cross-tenant access
Layers 1–5 govern an account inside its own tenant. Three mechanisms — and only these three — let anyone see across a tenant boundary.
FED-11
Partner access is customer-granted, per link. Four scope switches — telemetry · service tickets · sites & visit info · invoices & agreements — optionally limited by region, set by the customer on the partner detail page, changeable or revocable at any time, effective immediately. A partner's queries are bounded by the grant and by its covered devices; partners never see uncovered devices or other partners' coverage. ← PRT-3, PRT-7, PAR-1
FED-12
Every cross-tenant action is audited and attributed to the acting organization — partner actions land in the customer's audit log under the partner org's name; RiverSync users’ actions under RiverSync's. ← PRT-4, PAR-5
FED-13
RiverSync view-as sessions. RiverSync users act inside a customer tenant only through a view-as session: gated by the "Start a view-as session" permission (Support & service group), announced by a persistent banner, every action logged in both the customer's audit log and the RiverSync trail. Two planes, separate sessions: account-side (Account portal) and hub-side (the customer's Portal from the Operations console). ← TEN-3, ADM-5
FED-14
RiverSync factory default. Factory telemetry and engineer dispatch are on for every device by default — not customer-manageable, never represented as a partner link, always audited. ← PRT-6
8Visibility mandates
FED-15
The rules below are normative for every prototype and for production. Each names the surface it governs; a screen that contradicts one is a bug, not a variation. ← AUTH-2, ACC-5, PRT-8, PRT-12, PRT-13, ADM-5
Surface
Rule
Master
Product switcher
Lists entitled apps only — gated apps are absent, never shown locked
AUTH-2
Permissions — app chips
Inside an entitled tenant, unreachable apps render locked with the reason ("Pipeline is for RiverSync users only.")
ACC-2
Users list · User detail
Per-app roles always visible: the "Apps" column and the Application access panel read the same grants
AUTH-3
Partner list
Never shows the viewing organization itself — no self-links
PRT-8
Partner detail · audit
Shows only the partnership; a partner's other tenant roles (e.g. that it is also a customer) are never disclosed to the viewing customer
PRT-13
Distributor funnel
Shows every handled reseller's deals, but value & quote details are masked on deals not channeled through the viewer
PRT-12
Pipeline app
RiverSync only; shows the full channel chain on every deal, nothing masked
PRT-12
Unverified account
Org surfaces lock with an explain-and-unlock state; My Account stays open
ACC-5
View-as session
Persistent banner names the impersonated tenant; exit returns to the RiverSync console; all actions dual-logged
ADM-5
riversync tenant in Account
No org pages exist; any org-page destination falls back to the tenant's Overview landing
TEN-3
RiverSync Co., Ltd. · BangkokSPEC-PRD-FED · 3 of 5
9Identity foundation — ASP.NET Core Identity 10
The model in §§3–6 is not built from scratch. Its foundation is Microsoft ASP.NET Core Identity 10 (Entity Framework Core stores, Guid keys); RiverSync adds tenancy, the per-application role grant and the permission model as extensions on top. Nothing here changes the behaviour above — it states where each concept physically lives.
FED-17
Identity is ASP.NET Core Identity 10, extended — never replaced. Accounts, roles, the user-role join, external logins, claims and tokens are the framework's seven AspNet* tables (Guid keys). ApplicationUser : IdentityUser<Guid>, ApplicationRole : IdentityRole<Guid> and ApplicationUserRole : IdentityUserRole<Guid> carry the RiverSync extension columns; Tenant, Organization, Application, Permission and RolePermission are extension entities with no Identity equivalent. ← ID-1…4, AUTH-1…7
Concept
ASP.NET Core Identity 10 base
RiverSync extension
Account
AspNetUsersIdentityUser<Guid>
ApplicationUser — TenantId (one tenant, ID-1), DisplayName, Status, LastActive, organization unit & site; UNIQUE (Email, TenantId) replaces the NormalizedEmail index
ApplicationUserRole — AppKey column, UNIQUE (UserId, AppKey): exactly one role per application (FED-6)
Sign-in methods
AspNetUserLogins + PasswordHash
Google · Microsoft · LinkedIn · Entra ID persist as external logins; email & password is the native PasswordHash (FED-1)
Permissions
AspNetRoleClaims · AspNetUserClaims
authored as the RolePermission matrix with region/site scope (FED-9, FED-10), compiled to claims on the token at sign-in
Verification · 2FA
AspNetUserTokens + EmailConfirmed
EmailConfirmed gates org surfaces (FED-4); tokens hold email-verification, 2FA and refresh secrets
The structural detail — every column, key and the diagrams — lives in the Account ERD (identity & authorization) and the master ERD's DM-32 / DM-33.
RiverSync Co., Ltd. · BangkokSPEC-PRD-FED · 4 of 5
10Personas — the canonical demo population
FED-16
Prototypes resolve access from the signed-in persona, never per page. The Tweaks panel ("Signed in as" → tenant · partner type · role) signs you in as one of the members below; every surface — switcher tiles, locked chips, nav, matrices — must derive from that persona through the layers in §1. This table is the canonical persona set; new prototypes reuse it, never invent parallel members.
Tenant context
Role
Member
Demonstrates
CustomerSanyodenki (Thailand)
Owner default · fixed-full
Duangjai Metharom
Full org management, billing, every matrix cell on
Administrator
Kamol Ratanaporn
Manage users & sites; no billing, security policy or role editing
Editor
Pranee Chaiyasit
Configure devices & reports; read-only org
Viewer
Niran Sukhum
Read-only dashboards; most of Account hidden
Partner — resellerNera (Thailand) · Gold
Administrator fixed-full
Tida Charoensuk
Partner org management; Partners + Portal (also a customer)
Service Coordinator default
Duangjai Metharom
Agreement-scoped service work under customer grants
Distributor org management; no Portal (no customer role)
Channel Manager default
Somchai Boonmee
Reseller funnel with off-channel masking (PRT-12)
Sales
Preecha Wongchai
Distribution-side deal handling
riversyncRiverSync Co., Ltd.
admin default · fixed-full
Rachan Suksiri
Every riversync permission; Pipeline + Admin + view-as
support
Pimchanok Saetang
Support inbox, tickets, view-as sessions
sales
Krit Chaiyawan
Quotes & pipeline only
accounting
Busaba Thongdee
Invoices, payments, plans & pricing
engineer
Anan Prasert
Provisioning, telemetry, dispatch, firmware
Duangjai Metharom appears twice by design — Sanyodenki's Owner and Nera's Service Coordinator are two separate accounts under one email, the living demonstration of FED-2's account chooser.
FED-19
The prototype exposes the persona as Tweaks — these choices and no others. The Tweaks panel (toolbar “Tweaks” toggle) is the single control for who you are signed in as; its options are exactly the dimensions of the access model (§1), so changing one re-resolves every surface live (switcher, nav, matrices, locks). No screen offers a parallel persona control. The available choices are normative for every prototype. ← AUTH-1, AUTH-2, ACC-5
Tweak
Choices
What it drives
Tenant“Signed in as”
Customer (Sanyodenki) · Partner · RiverSync
Layer 1 — the tenant gate (FED-5); swaps the shell, nav and entitled tiles
Partner typeshown when tenant = partner
Reseller (Nera) · Distributor (MegaWarehouse)
The partner subtype (PRT-9); selects the partner org and its commercial visibility
Layers 3–4 — signs you in as that member (FED-18); re-resolves app reach, nav and the permission matrices
Email verified“Account state”
On · Off
The verification gate (FED-4) — org surfaces lock with an explain-and-unlock state when off
The role choices are exactly the tenant's default role set (FED-7), and the list changes with the selected tenant and partner type — there is one chip per canonical persona (§10), never a free-text role. The Pipeline prototype carries an equivalent role tweak that gates which riversync roles may open it (admin · sales entitled; the rest see the locked app).
11Traceability — requirements ↔ prototypes
PRD-side evidence; the model-side mapping lives in the master ERD §5. Every FED requirement cites its master parents inline (the ← tags above).
Req
Prototype evidence
FED-1…4
Sign In — providers, account chooser, Entra SSO; verification lock on every org page
FED-5
Product switcher tiles per tenant (rs-shell) · locked app chips on Permissions
Tweaks panel persona switching across every Account page · the shell (rs-shell.js) resolves the persona's per-app role to a reachable-surface set, hides every menu item the role can’t open, and blocks a direct visit to a hidden surface with an explain-and-return state — customer surfaces mirror the Permissions matrix, the riversync tenant falls back to Overview (TEN-3)
FED-18
Product switcher tiles per persona (rs-shell.js) — each role sees only its ● apps; User Detail → Application access reads the same per-app grants; Field is engineer-only
FED-19
The Tweaks panel (rs-shell.js) — tenant · partner type · role chips · email-verified toggle; the role chips rebuild from the selected tenant's set, every change reloads the resolved persona
12Open questions
Partner fixed-full role — should partner tenants get an explicit Owner, or is Administrator their Owner analogue (note ¹, §5)?
Partners-app permission catalog — which groups (agreement work, deal registration, agreements) and which defaults per partner role?
Permission counts disagree in the Account prototype: the Roles page says "24 permissions", the matrix defines 20 — reconcile when the catalog is frozen.
Does a customer Administrator's region assignment (Users surface) implicitly bound their matrix scope, or are role scope overrides the only mechanism?
View-as write access — can a RiverSync view-as session change customer data with the member's effective permissions, or is it read-only with explicit exceptions?
Custom roles per application or per tenant — today a role spans all entitled apps with a column per matrix; is a Portal-only role needed?
13Revision history
Version
Date
Changes
0.1
13 Jun 2026
First consolidation — six-layer access model, entitlement matrix, role model with fixed-full roles, permission catalogs, cross-tenant mechanisms, visibility mandates, canonical persona set (FED-1…16); elaborates master TEN-/ID-/AUTH-/PRT- without changing them
0.2
13 Jun 2026
Vocabulary — "staff" → user (master v0.16): RiverSync-tenant accounts are users; "RiverSync users" for the people, "RiverSync view-as" / "RiverSync console" / "RiverSync only" as the adjective forms; no requirement changes
0.3
13 Jun 2026
PRT-13 (master v0.17) — partner-role confidentiality joins the visibility mandates (§8): a customer never sees a linked partner's other tenant roles. FED-15 master refs updated
0.4
14 Jun 2026
Identity foundation set to ASP.NET Core Identity 10 — new §9 + FED-17: the model is the framework's seven AspNet* tables (Guid keys), extended not replaced (ApplicationUser/ApplicationRole/ApplicationUserRole on IdentityUser/IdentityRole/IdentityUserRole<Guid>); base↔extension mapping table; §3/§5 cross-references. Mirrors SPEC-ERD v0.13 (DM-32, DM-33) and SPEC-DDD. No behavioural requirement changes
0.5
15 Jun 2026
Account permission catalog group Site locations → Sites, matching the menu rename (entity SiteLocation → OrganizationSite, SPEC-ERD v0.16). No model changes
0.6
28 Jun 2026
Tenant×app gains Field; new role×app entitlement & the prototype Tweaks as a requirement. §4: the entitlement matrix now lists all six apps (Field added — riversync engineer, on-site service); FED-18 adds the normative role × application matrix (which roles carry which tiles, with view-as marked); FED-19 (§10) pins the prototype's persona Tweaks — tenant · partner type · role · email-verified — as the only persona control and lists its choices. App references converge on the canonical DS surface pills. Elaborates AUTH-1–3, TEN-2/3; no master change.
RiverSync Co., Ltd. · BangkokSPEC-PRD-FED · 5 of 5
