EPIC-2: Identity, Authentication & Role-Based Access Control
| Field | Value |
|---|---|
| Total Story Points | 89 SP |
| Stories | 10 |
| Sprints | Sprint 3-8 (Weeks 5-16) |
| Priority | P0 - Critical Foundation |
| Dependencies | EPIC-1 (Infrastructure) |
Overview
Identity and access control is the security foundation of EduPulse. With 500K+ users across multiple schools, we need:
- Multi-tenant isolation: Schools cannot see each other's data
- Role-based access: Principal, Teacher, Student, Parent have different permissions
- Fine-grained control: Teachers only see their classes, parents only see their children
- DPDPA Compliance: Consent management + audit trails
- Scalability: Custom roles and permissions per school
RBAC Model
Permission Format: {module}.{resource}.{action}
Examples:
- student.profile.read (View student profiles)
- fee.invoice.create (Create invoices)
- admin.role.manage (Manage roles)
Wildcards:
- student.* (All student permissions)
- *.*.read (Read-only everywhere)
Data Scopes
| Scope | Description | Example |
|---|---|---|
| SELF | User's own data only | Student viewing own grades |
| CHILDREN | Parent's children only | Parent viewing child's fees |
| ASSIGNED_CLASSES | Teacher's classes | Class teacher viewing students |
| DEPARTMENT | Department staff | HOD viewing teachers |
| ALL_SCHOOL | Everyone in school | Principal, Admin |
Stories Summary
| Story | Title | SP | Sprint |
|---|---|---|---|
| 2.1 | AWS Cognito Multi-tenant Setup | 8 | Sprint 3 |
| 2.2 | Authentication Service & JWT | 8 | Sprint 3-4 |
| 2.3 | Core RBAC Engine | 13 | Sprint 4-5 |
| 2.4 | Permission Definitions & Seeding | 8 | Sprint 5 |
| 2.5 | Custom Roles per School | 8 | Sprint 5-6 |
| 2.6 | Data-Level Access Control | 13 | Sprint 6-7 |
| 2.7 | Consent Management (DPDPA) | 8 | Sprint 7 |
| 2.8 | Security Audit Logging | 8 | Sprint 7-8 |
| 2.9 | Encryption & Data Protection | 8 | Sprint 8 |
| 2.10 | Role Management Admin UI | 7 | Sprint 8 |
System Roles Hierarchy
SUPER_ADMIN (Platform)
└── SCHOOL_ADMIN (IT Admin)
├── PRINCIPAL
│ ├── VICE_PRINCIPAL
│ │ ├── HOD
│ │ ├── CLASS_TEACHER
│ │ └── TEACHER
│ └── ACCOUNTANT
��├── STUDENT
└── PARENT
Technical Stack
| Component | Technology |
|---|---|
| Auth Provider | AWS Cognito |
| RBAC Engine | Go (high performance) |
| Auth Service | Node.js/NestJS |
| Permission Cache | Redis |
| Database | PostgreSQL (RLS) |
| Encryption | AWS KMS + AES-256-GCM |