Role-scoped data access
| Field | Value |
|---|---|
| ID | MOD-052 |
| System | SD08 |
| Repo | bank-app |
| Build status | Deployed |
| Deployed | Yes |
| Last commit | bc8ae27c9ecc660c7eb59e321a9936d2a0c54463 |
All data returned by the API is scoped to the authenticated agent's role. Enforced server-side, not client-side. See ADR-004.
Module dependencies
Depends on
| Module | Title | Required? | Contract | Reason |
|---|---|---|---|---|
| MOD-044 | JWT role-based access control | Required | — | Staff JWTs validated upstream by MOD-044 authoriser; cognito:groups claim carries the role indicator that enforce() reads from requestContext.authorizer.claims. |
| MOD-068 | Authentication & session management | Required | — | access.user_identities (V001 Flyway migration owned by MOD-068) must exist before MOD-052 can resolve staff_user_id to person_party_id for audit logging. |
| MOD-104 | AWS shared infrastructure bootstrap | Required | — | AWS shared infrastructure provisioned by MOD-104 (EventBridge bank-app bus, KMS operational CMK, staff Cognito pool ARN, ADOT layer) is required before this module can be deployed. |
| MOD-103 | Neon database platform bootstrap | Required | — | Neon database and schema provisioned by MOD-103 must exist before this module can read or write Postgres. |
Required by
| Module | Title | As | Contract |
|---|---|---|---|
| MOD-049 | Open banking consent management | Hard dependency | — |
| MOD-053 | Case & complaint management module | Hard dependency | — |
| MOD-073 | Document vault | Hard dependency | — |
| MOD-074 | Back-office customer 360 | Hard dependency | — |
Policies satisfied
| Policy | Title | Mode | How |
|---|---|---|---|
| DT-001 | Information Security Policy | GATE | Minimum necessary data access enforced at API — no role can access data outside their scope |
| PRI-001 | Privacy Policy | AUTO | Personal data access limited to authorised roles — principle of minimum necessary enforced |
| AML-006 | Suspicious Activity Reporting Policy | AUTO | SAR data accessible only to compliance and legal roles — segregation enforced at data layer |
Capabilities satisfied
| Capability | Title | Mode | How |
|---|---|---|---|
| CAP-031 | Tenant environment provisioning | AUTO | Enforces role-scoped data access for all back-office staff roles from a single deployed enforcement library — no per-role service instances required. Single-tenant deployment satisfies the isolation capability; multi-tenant is out of v1 scope. |
| CAP-032 | Per-tenant module configuration | AUTO | Admin endpoints expose role assignment and permission management so back-office role configurations can be updated at runtime without a service restart (FR-328: 60-second propagation via TTL cache). |
| CAP-033 | Tenant data isolation | GATE | Enforcement library blocks any attribute request outside the role's explicit grant scope — no data leakage between back-office roles (DT-001 GATE). Single-tenant deployment; data isolation is between staff roles, not between external tenants. |
| CAP-034 | Jurisdiction configuration layer | AUTO | The AML-006 RESTRICTED_TO_COMPLIANCE_AND_LEGAL entity list covers jurisdiction-specific SAR entities for NZ and AU; jurisdiction is captured on every access_log row. |
| CAP-073 | Dual-mode rendering engine (customer + back office) | AUTO | enforce() returns only the attribute subset permitted for the caller's role — back-office BFF views are always role-scoped without caller-side filtering logic. |
| CAP-075 | Shared UI component library | AUTO | The workspace enforcement library (@bank-app/mod-052-role-scoped-data-access) ships as a shared backend contract consumed by all back-office BFF Lambdas — enforcement consistency is guaranteed at the library level, not per-handler. |
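The enforcement behaviour the tables above describe (the role read from the cognito:groups claim in requestContext.authorizer.claims, deny-by-default on any attribute outside the role's grant scope, SAR entities segregated to compliance and legal, an access_log row that records staff_user_id and jurisdiction) as an added TypeScript example. This is not the code of @bank-app/mod-052-role-scoped-data-access: the role, entity and attribute names, the grant table, the jurisdiction parameter, the ScopeDecision shape and the exact rendering of the cognito:groups string are assumptions made for illustration.

```typescript
// Added example, not the MOD-052 library's own code. Role, entity and attribute names,
// the grant table, the jurisdiction parameter, the ScopeDecision shape and the rendering
// of the cognito:groups string are assumptions made for illustration.

type Role = "customer_service" | "operations" | "compliance" | "legal";
type Entity = "customer" | "account" | "sar";
type Jurisdiction = "NZ" | "AU";

// Explicit grant scope per role. Anything not listed here is denied.
const GRANTS: Record<Role, Partial<Record<Entity, ReadonlySet<string>>>> = {
  customer_service: {
    customer: new Set(["party_id", "display_name", "email"]),
    account: new Set(["account_id", "status"]),
  },
  operations: { account: new Set(["account_id", "status", "balance"]) },
  compliance: {
    customer: new Set(["party_id", "display_name", "email", "date_of_birth"]),
    sar: new Set(["sar_id", "status", "filed_at", "narrative"]),
  },
  legal: { sar: new Set(["sar_id", "status", "filed_at"]) },
};

// Entities the AML policy segregates to compliance and legal regardless of other grants.
const RESTRICTED_TO_COMPLIANCE_AND_LEGAL: ReadonlySet<Entity> = new Set<Entity>(["sar"]);
const KNOWN_ROLES = new Set<string>(Object.keys(GRANTS));

// Minimal shape of the API Gateway proxy event after the Cognito user-pool authoriser.
interface AuthorisedEvent {
  requestContext: { authorizer?: { claims?: Record<string, string> } };
}

interface AccessLogRow {
  staff_user_id: string; // Cognito `sub`; MOD-068's access.user_identities maps it to a party
  roles: Role[];
  entity: Entity;
  attributes: string[];
  jurisdiction: Jurisdiction;
  decision: "allow" | "deny";
  denied: string[];
}

type ScopeDecision =
  | { allowed: true; data: Record<string, unknown>; log: AccessLogRow }
  | { allowed: false; denied: string[]; log: AccessLogRow };

// The authoriser passes cognito:groups as a string. Whether that is "[a, b]", "[a b]" or
// "a,b" is assumed here, so all three are tolerated. Unknown groups grant nothing.
function rolesFromEvent(event: AuthorisedEvent): Role[] {
  const raw = event.requestContext.authorizer?.claims?.["cognito:groups"] ?? "";
  return raw
    .replace(/^\[|\]$/g, "")
    .split(/[,\s]+/)
    .filter((g): g is Role => KNOWN_ROLES.has(g));
}

// Server-side enforcement. The role comes only from the validated JWT claims, never from
// the request. A request asking for any attribute outside scope is denied whole, and the
// access_log row records the decision either way; on allow, only the requested (and thus
// permitted) attributes of the row are returned to the BFF.
function enforce(
  event: AuthorisedEvent,
  entity: Entity,
  requested: readonly string[],
  row: Record<string, unknown>,
  jurisdiction: Jurisdiction,
): ScopeDecision {
  const roles = rolesFromEvent(event);
  const permitted = new Set<string>();
  const segregated =
    RESTRICTED_TO_COMPLIANCE_AND_LEGAL.has(entity) &&
    !roles.some((r) => r === "compliance" || r === "legal");
  if (!segregated) {
    for (const role of roles) {
      const scope = GRANTS[role][entity];
      if (scope) scope.forEach((a) => permitted.add(a));
    }
  }
  const denied = requested.filter((a) => !permitted.has(a));
  const log: AccessLogRow = {
    staff_user_id: event.requestContext.authorizer?.claims?.["sub"] ?? "unknown",
    roles,
    entity,
    attributes: [...requested],
    jurisdiction,
    decision: denied.length === 0 ? "allow" : "deny",
    denied,
  };
  if (denied.length > 0) return { allowed: false, denied, log };
  const data: Record<string, unknown> = {};
  for (const a of requested) if (a in row) data[a] = row[a];
  return { allowed: true, data, log };
}

// Constructed sample inputs (not real data) so the module runs stand-alone.
function sampleEvent(groups: string, sub = "staff-0001"): AuthorisedEvent {
  return { requestContext: { authorizer: { claims: { sub, "cognito:groups": groups } } } };
}
const CUSTOMER_ROW = {
  party_id: "P-1", display_name: "A. Example", email: "a@example.test", date_of_birth: "1990-01-01",
};
```

Two design points worth carrying into the real library. First, a request that names even one out-of-scope attribute is refused outright rather than silently trimmed, so a BFF handler that has drifted outside its role's scope shows up as a deny row in access_log instead of quietly returning less data. Second, an absent or unparseable cognito:groups claim resolves to no roles and therefore to a deny, which is the correct failure mode for a server-side gate; the static GRANTS constant stands in for the TTL-cached role configuration that FR-328 propagates at runtime.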
Part of SD08 — Customer App & Back Office Platform
Compiled 2026-05-22 from source/entities/modules/MOD-052.yaml