member-console/design/organization

Organization & Access

Type: Domain
Schema: organization
Tables: 8
Primary source: documents/doc-25-org-access-architecture.md
Decisions: 9, 13, 14, 16, 17, 18, 19, 27, 39, 40, 41, 42, 45, 52

Purpose

The organization module is the governance spine of the Member Console data model. It answers the questions that every downstream module depends upon: what containers exist, who belongs to them, what are they permitted to do, and who or what is acting. It provides the structural foundation for organizational membership, role-based access control, workspace containment, service principal management, and the invitation lifecycle — the full machinery of organizational governance without which resource allocation, billing, and audit lose their context.

Tables

Table | Purpose
organizations | Top-level governance containers. Every person operates within at least one organization. Three types: personal (auto-created), team, enterprise.
org_members | Organization membership records. Represents belonging: a person is part of this organization with a specific role. Born active, never pending.
roles | Permission bundle definitions. System-defined (6 built-in roles) or organization-defined (custom). Flat permission arrays, no inheritance.
role_assignments | Scoped permission grants to actors (persons or service accounts). Exclusive arcs for both the actor and the scope dimension.
workspaces | Resource isolation boundaries within organizations. Containers for resources with optional per-workspace access controls.
service_accounts | Non-human API actors owned by organizations, not persons. Permissions derived exclusively from role assignments.
service_account_keys | API key credentials for service accounts. Hash-and-prefix storage pattern. Supports concurrent active keys for rotation.
invitations | Organization join invitation lifecycle. Scope-aware (org or workspace), progressive invitee identity, four terminal states.
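Two of the patterns named in the table carry most of the security weight: the hash-and-prefix storage of service account keys (the plaintext is shown once and never stored; the prefix only narrows the lookup) and the exclusive-arc constraints on role_assignments (exactly one actor column and exactly one scope column may be non-null). The following is an added example, not code from the Member Console project or from doc-25; the column names (key_prefix, key_hash, revoked_at, person_id, service_account_id, org_id, workspace_id) and the key format "mck_<token>" are assumptions chosen for illustration, and the schema is reduced to the columns the two patterns need.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumed schema (illustrative; column names are not taken from the design document).
SCHEMA = """
CREATE TABLE service_accounts (
    id     INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL,
    name   TEXT    NOT NULL
);
CREATE TABLE service_account_keys (
    id                 INTEGER PRIMARY KEY,
    service_account_id INTEGER NOT NULL REFERENCES service_accounts(id),
    key_prefix         TEXT    NOT NULL,          -- short, non-secret lookup handle
    key_hash           TEXT    NOT NULL UNIQUE,   -- SHA-256 of the full plaintext key
    revoked_at         TEXT                       -- NULL while the key is active
);
CREATE TABLE role_assignments (
    id                 INTEGER PRIMARY KEY,
    role_id            INTEGER NOT NULL,
    person_id          INTEGER,
    service_account_id INTEGER,
    org_id             INTEGER,
    workspace_id       INTEGER,
    -- exclusive arc on the actor dimension: exactly one actor column is set
    CHECK ((person_id IS NOT NULL) + (service_account_id IS NOT NULL) = 1),
    -- exclusive arc on the scope dimension: exactly one scope column is set
    CHECK ((org_id IS NOT NULL) + (workspace_id IS NOT NULL) = 1)
);
"""

KEY_TAG = "mck_"   # assumed key format marker
PREFIX_LEN = 8


def open_db():
    """In-memory database with the assumed schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_service_account(conn, org_id, name):
    cur = conn.execute("INSERT INTO service_accounts (org_id, name) VALUES (?, ?)", (org_id, name))
    return cur.lastrowid


def _hash_key(plaintext):
    # The token is 256 bits of CSPRNG output, so a fast hash is adequate; a slow
    # password hash is only needed for low-entropy, human-chosen secrets.
    return hashlib.sha256(plaintext.encode()).hexdigest()


def issue_key(conn, service_account_id):
    """Create a key, store prefix + hash, and return the plaintext exactly once."""
    token = secrets.token_urlsafe(32)
    plaintext = KEY_TAG + token
    conn.execute(
        "INSERT INTO service_account_keys (service_account_id, key_prefix, key_hash) VALUES (?, ?, ?)",
        (service_account_id, token[:PREFIX_LEN], _hash_key(plaintext)),
    )
    return plaintext


def revoke_key(conn, plaintext):
    conn.execute(
        "UPDATE service_account_keys SET revoked_at = datetime('now') WHERE key_hash = ?",
        (_hash_key(plaintext),),
    )


def authenticate(conn, plaintext):
    """Return the owning service_account_id for an active key, else None."""
    if not plaintext.startswith(KEY_TAG):
        return None
    prefix = plaintext[len(KEY_TAG):][:PREFIX_LEN]
    rows = conn.execute(
        "SELECT key_hash, service_account_id FROM service_account_keys "
        "WHERE key_prefix = ? AND revoked_at IS NULL",
        (prefix,),
    ).fetchall()
    presented = _hash_key(plaintext)
    for stored_hash, sa_id in rows:
        # constant-time comparison so a near-miss and a miss are indistinguishable
        if hmac.compare_digest(stored_hash, presented):
            return sa_id
    return None


def assignment_allowed(conn, role_id, person_id=None, service_account_id=None,
                       org_id=None, workspace_id=None):
    """True if the database accepts the grant, False if an exclusive-arc CHECK rejects it."""
    try:
        conn.execute(
            "INSERT INTO role_assignments (role_id, person_id, service_account_id, org_id, workspace_id) "
            "VALUES (?, ?, ?, ?, ?)",
            (role_id, person_id, service_account_id, org_id, workspace_id),
        )
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_db()
    bot = create_service_account(db, org_id=1, name="ci-bot")
    first, second = issue_key(db, bot), issue_key(db, bot)   # two concurrent active keys (rotation)
    print(authenticate(db, first), authenticate(db, second))  # both resolve to the bot
    revoke_key(db, first)
    print(authenticate(db, first), authenticate(db, second))  # None, bot
    print(assignment_allowed(db, 1, person_id=7, org_id=1))                  # True
    print(assignment_allowed(db, 1, person_id=7, service_account_id=bot, org_id=1))  # False
```

The lookup goes through the prefix, never the plaintext, so the database holds nothing that can be replayed against the API; rotation works because the table does not require a single active key per account, and revocation is a timestamp rather than a delete, which keeps the audit trail for the retired credential. The two CHECK constraints make the exclusive arcs a database invariant rather than an application convention, so a role_assignment row with no actor, two actors, or an ambiguous scope cannot exist.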