Security
:::info Source
Sourced from services/enrollment-service/SECURITY_MODEL.md in the documentation repo.
:::
1. Authentication
Internal JWT for user-facing requests; mutual TLS (mTLS) for service-to-service (S2S) calls.
2. Authorization
- `enrollment:read:self` (learner, own enrollments)
- `enrollment:read:org` (manager)
- `enrollment:write:admin` (admin create/revoke)
- `enrollment:read:compliance` (compliance officer)
3. Multi-Tenant Isolation
Row-level security (RLS) on all tables. Cross-tenant enrollments are rejected unless made through an explicit marketplace cross-tenant license (rare).
4. ABAC
- Learner reads own enrollments.
- Manager reads enrollments for users in their org unit.
- Admin reads all in tenant.
- Compliance officer reads + exports audit data.
5. Threat Model
| Threat | Mitigation |
|---|---|
| Unauthorized enrollment creation | RBAC check + audit |
| Cross-tenant access via manipulated userId | JWT tid match + ABAC |
| Enrollment state tampering | State changes event-driven; no direct API for state except revoke |
| Bulk enrollment abuse | Admin role required; rate-limited; audit logged |
| Self-enroll to paid course without purchase | Pre-check entitlement + license |
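The tenant check and the ABAC rules from section 4, as one policy function covering the "cross-tenant access via manipulated userId" row above. This is an added example, not the enrollment service's own code: the claim names (`sub`, `tid`, `scopes`, `org_units`), the record fields and the assumption that an admin holds `enrollment:write:admin` are mine.

```python
from dataclasses import dataclass

# Scopes as listed in the Authorization section of this page.
READ_SELF = "enrollment:read:self"
READ_ORG = "enrollment:read:org"
WRITE_ADMIN = "enrollment:write:admin"
READ_COMPLIANCE = "enrollment:read:compliance"


@dataclass(frozen=True)
class Principal:
    """Claims taken from the verified internal JWT (field names are assumed)."""
    sub: str                            # user id
    tid: str                            # tenant id
    scopes: frozenset
    org_units: frozenset = frozenset()  # org units a manager is responsible for


@dataclass(frozen=True)
class Enrollment:
    """Constructed record shape; field names are assumed."""
    id: str
    tenant_id: str
    user_id: str
    org_unit: str


def authorize(p: Principal, e: Enrollment, action: str) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is meant for the audit log entry."""
    # Tenant isolation comes before any role logic: the userId in a request can be
    # manipulated, the tid in the signed token cannot, so the record is compared
    # against the token's tenant and never against a caller-supplied tenant.
    if e.tenant_id != p.tid:
        return False, "cross-tenant: record tenant does not match JWT tid"
    if action in ("create", "revoke"):
        if WRITE_ADMIN in p.scopes:
            return True, WRITE_ADMIN
        return False, f"{action} requires {WRITE_ADMIN}"
    if action != "read":
        # State changes are event-driven; revoke is the only direct state API.
        return False, "no direct API for enrollment state other than revoke"
    # Assumed: admins hold enrollment:write:admin and read everything in the tenant.
    if WRITE_ADMIN in p.scopes or READ_COMPLIANCE in p.scopes:
        return True, "tenant-wide read (admin/compliance)"
    if READ_ORG in p.scopes and e.org_unit in p.org_units:
        return True, f"{READ_ORG}: org unit {e.org_unit}"
    if READ_SELF in p.scopes and e.user_id == p.sub:
        return True, READ_SELF
    return False, "no scope grants access to this enrollment"
```

The returned reason string is what the audit entry for the decision should record, so a denied cross-tenant read is distinguishable from a plain missing scope.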
6. Audit
- Every enrollment creation, revocation, manual change → audit log.
- Daily Merkle anchoring of the audit log.
7. GDPR
- Erase user enrollments on request.
- Retain aggregate audit data (tenant-scoped, with the user anonymized).
8. Compliance
- FERPA applies to education tenants (an enrollment is an educational record).
- SOC 2 audit logs.