Audit Service — Security Model

Status: populated Owner: TBD Last updated: 2026-04-18 Companion: Service Template · 13 security-compliance-tenancy

1. RBAC matrix

Role	Read entries	Read disclosures	Request export	Admin operations
SUPER_ADMIN	All tenants	All tenants	Yes	Yes
TENANT_ADMIN	Own tenant only	Own tenant only	No (export = super admin)	No
COMPLIANCE_OFFICER	Own tenant (assigned)	Own tenant	Read export status	No
PATIENT	Own disclosures only (via portal)	Own only	No	No
SERVICE_ACCOUNT	No	No	No	No — services produce events; never query audit

Scopes enforced by Keycloak JWT claims; RLS enforcement at DB is secondary defence.

2. Data access controls

Control	Mechanism
Tenant isolation	tenant_id column + JWT-extracted tenantId; Tenant Admins' queries auto-scoped
DB role immutability	audit_app role: INSERT on audit_entries; SELECT on audit_entries + audit_exports; UPDATE on audit_exports only (status transitions); UPDATE/DELETE on audit_entries revoked
Query window limit	Live queries limited to 90-day ranges; wider ranges require async export
Export file access	Signed URLs with 1-hour TTL; only the requesting user's userId receives the URL
Admin operations	Require SUPER_ADMIN scope; Keycloak RS256 JWT validation

3. Encryption

Data	Class	Mechanism
audit_entries at rest	Sensitive (may contain PHI in metadata)	AES-256 via PostgreSQL TDE (operator level)
audit_exports export files	Sensitive	Server-side encryption on object storage (SSE-S3)
chain_hash	Integrity	SHA-256 hex; stored as plain text (hash, not encrypted)
Transit	Confidential	TLS 1.3 on all connections (Kong, NATS, Postgres, object storage)

4. Audit of the audit service (meta-audit)

The audit service audits its own operations:

Operation	Meta-audit entry
Bulk export requested	AuditEntry { eventType: BULK_EXPORT, actorId: <requester> }
Chain integrity failure	Logged + audit.dlq.alert.v1 emitted; NOT stored as AuditEntry (DB may be compromised)
DLQ alert	audit.dlq.alert.v1 event to platform-admin-service

5. GDPR and data retention

Requirement	Implementation
7-year retention floor	recorded_at partitions retained; automated archival policy prevents premature deletion
GDPR Art. 17 erasure	Clinical audit records retained (legal basis: public health, MoPH obligation); PII in metadata.actorId and metadata.resourceId obfuscated on erasure request
Accounting of disclosures	GET /api/v1/audit/disclosures?patientId= returns patient-visible access log (HIPAA analogue)
Data residency	All data co-located with primary Postgres; no cross-border transfer without DPIA

6. Threat model

Threat	Likelihood	Impact	Mitigation
Insider modifies audit records	Low	Critical	DB role UPDATE/DELETE revoked; chain-hash detects tampering; DBA access logged
Cross-tenant query	Low	Critical	RLS + JWT claim enforcement; integration test mandatory
Export data exfiltration	Low	High	Signed URLs; 1-hour TTL; export itself creates AuditEntry; rate-limited
NATS event spoofing (fake audit events)	Low	High	mTLS on NATS connections; service accounts authenticated via Keycloak; wildcard consumer validates envelope schema
DDoS on query API	Medium	Medium	Kong rate limiting (60 req/min per user); 90-day window limit prevents expensive full-scan queries
Supply chain (compromised event from source service)	Low	Medium	Event envelope schema validation at ingestion; malformed events to DLQ

7. Compliance references

Standard	Applicability	Implementation
HIPAA Security Rule (analogue)	Full	Access audit, tamper detection, minimum-necessary access
GDPR Art. 5(1)(e)	Partial	Retention policy; right to erasure balanced against public health obligation
Afghanistan MoPH data governance	Full	Data residency; 7-year retention; MoPH export on request
ISO 27001 A.12.4	Partial	Event logging, log protection (chain hash), log administrator access (meta-audit)