Facility Service — Security Model
Status: populated
Owner: TBD
Last updated: 2026-04-17
Companion: 13 Security/Compliance/Tenancy · 14 Extended Compliance
1. Authentication
| Flow | Mechanism |
|---|---|
| Edge clients | JWT from identity-service validated against JWKS |
| Service-to-service | mTLS + service JWT with svc: prefix scopes |
| Platform admin | JWT with platform:admin scope |
2. Authorization
All write operations are authorised by calling POST /internal/access/evaluate on access-policy; facility-service performs no local policy evaluation.
2.1 RBAC baseline
| Role | Read | Write hierarchy | Write location | Write bed status | Import/export |
|---|---|---|---|---|---|
| tenant.viewer | ✓ | – | – | – | – |
| tenant.facility_user | ✓ | – | – | ✓ (own location) | – |
| tenant.facility_admin | ✓ | ✓ (tenant scope) | ✓ | ✓ | ✓ |
| tenant.admin | ✓ | ✓ | ✓ | ✓ | ✓ |
| platform.admin | ✓ | ✓ (all tenants) | ✓ | ✓ | ✓ |
2.2 ABAC
| Attribute | Source | Used by |
|---|---|---|
| tenantId | JWT tid | Every query via RLS |
| subjectNodeIds | access-policy context | Limit bed operations to user's node subtree |
| purposeOfUse | header X-Purpose | Audit |
| moduleKey | ehr.facility | Licensing Service gate |
2.3 Scopes
| Scope | Purpose |
|---|---|
| facility:read | All GET endpoints |
| facility:write | Non-admin mutations |
| facility:admin | Profile default, location deactivate force, import/export |
| internal:any-service | /internal/providers/:id/context |
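The following is an added worked illustration of the scope gate in 2.3 together with the subjectNodeIds subtree rule from 2.2. It is not facility-service code: the concrete route paths, the token layout, the assumption that a service JWT carries its scopes as svc:-prefixed strings, and the treatment of a missing subjectNodeIds context as "unrestricted" are all constructed for the example. A True result means only that the request may be forwarded to POST /internal/access/evaluate; the authorisation decision itself still lives in access-policy.

```python
from __future__ import annotations
from dataclasses import dataclass

# Required scope per (method, route), built from the table in section 2.3.
# The route paths are assumed; the page only names the scope classes.
ROUTE_SCOPES = {
    ("GET", "/facilities"): "facility:read",
    ("GET", "/facilities/{id}/nodes"): "facility:read",
    ("PATCH", "/facilities/{id}/beds/{bedId}"): "facility:write",
    ("POST", "/facilities/{id}/locations/{locId}/deactivate"): "facility:write",
    ("POST", "/facilities/import"): "facility:admin",
    ("GET", "/facilities/export"): "facility:admin",
    ("GET", "/internal/providers/{id}/context"): "internal:any-service",
}
# force=true on a location deactivate is an admin-only override.
FORCE_ESCALATIONS = {
    ("POST", "/facilities/{id}/locations/{locId}/deactivate"): "facility:admin",
}


@dataclass(frozen=True)
class Token:
    tid: str                                   # tenant id, the JWT tid claim
    scopes: frozenset                          # raw scope strings from the JWT
    is_service: bool = False                   # peer authenticated over mTLS
    subject_node_ids: frozenset | None = None  # access-policy context; None = unrestricted (assumed)


def effective_scopes(token: Token) -> frozenset:
    """Service JWTs carry svc:-prefixed scopes, edge JWTs carry bare ones (assumed layout).
    A bare scope on a service token, or a svc: scope on an edge token, is ignored."""
    out = set()
    for s in token.scopes:
        if token.is_service and s.startswith("svc:"):
            out.add(s[len("svc:"):])
        elif not token.is_service and not s.startswith("svc:"):
            out.add(s)
    return frozenset(out)


def required_scope(method: str, route: str, force: bool = False) -> str:
    key = (method, route)
    if force and key in FORCE_ESCALATIONS:
        return FORCE_ESCALATIONS[key]
    return ROUTE_SCOPES[key]  # KeyError for unknown routes: the gate fails closed


def in_subtree(node_id: str | None, roots: frozenset, parent_of: dict) -> bool:
    """True if node_id is one of roots or sits below one; parent_of maps child -> parent."""
    seen = set()
    while node_id is not None and node_id not in seen:
        if node_id in roots:
            return True
        seen.add(node_id)  # guards against a cyclic hierarchy
        node_id = parent_of.get(node_id)
    return False


def gate(token: Token, method: str, route: str, force: bool = False,
         target_node: str | None = None, parent_of: dict | None = None):
    """Scope gate plus the subjectNodeIds subtree check. Returns (allowed, reason).
    True only means the request may proceed to POST /internal/access/evaluate."""
    try:
        need = required_scope(method, route, force)
    except KeyError:
        return False, "unknown route"
    if need not in effective_scopes(token):
        return False, f"missing scope {need}"
    if target_node is not None and token.subject_node_ids is not None:
        if not in_subtree(target_node, token.subject_node_ids, parent_of or {}):
            return False, "target outside subject subtree"
    return True, "ok"


# Constructed sample hierarchy: child -> parent.
SAMPLE_TREE = {"bed-7": "ward-a", "bed-9": "ward-b",
               "ward-a": "building-1", "ward-b": "building-1", "building-1": None}
```

The unknown-route branch is deliberate: a request for a path that has no entry in the scope table is rejected rather than let through with the most permissive scope, and a svc: scope presented without an mTLS-authenticated peer is not honoured.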
3. Encryption
| Layer | Tech | Class |
|---|---|---|
| At rest | Postgres TDE (AES-256) | N/A (no PHI here) |
| In transit | TLS 1.3 | N/A |
| Field | None — no PII/PHI stored | — |
Facility data is organisational. If a deployment stores PII (addresses, phone numbers) in the contact_info JSON column, that column is classified internal.
4. Audit Events
| Event | When |
|---|---|
| facility.audit.node.created | Create node |
| facility.audit.node.deactivated | Deactivate |
| facility.audit.profile.updated | Any profile change |
| facility.audit.location.force_deactivated | force=true override on deactivate |
| facility.audit.bed.status_override | Admin-forced bed status |
| facility.audit.import.completed | Bulk import |
| facility.audit.export.downloaded | Snapshot export |
All audit events are forwarded to audit-service with full actor, target and reason metadata.
5. GDPR Participation
facility-service stores no patient PII under normal operation. It participates in the GDPR erasure saga only if a tenant's own admin contact info was retained — it acknowledges gdpr.subject_request.received.v1 with no_data unless such rows exist, in which case it nulls the contact JSON fields.
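Added example of the facility-service side of the erasure saga described above. This is not project code: the in-memory row store, the event payload shape (tenantId, subjectId), the contact_info key names and the "erased" acknowledgement name are constructed for the example; only the event name gdpr.subject_request.received.v1 and the no_data acknowledgement come from the page. The handler is tenant-scoped and idempotent, so a replayed request for a subject whose fields are already null answers no_data.

```python
from __future__ import annotations
from copy import deepcopy

EVENT_TYPE = "gdpr.subject_request.received.v1"
CONTACT_FIELDS = ("address", "phone", "email")  # assumed personal keys of contact_info

# Constructed stand-in for rows that may hold a tenant admin's own contact info.
SAMPLE_ROWS = {
    "node-1": {"tenant_id": "t-afg", "admin_subject_id": "user-42",
               "contact_info": {"address": "1 Example St", "phone": "+93-700-000000",
                                "email": "admin@example.test", "label": "front desk"}},
    "node-2": {"tenant_id": "t-afg", "admin_subject_id": "user-42", "contact_info": None},
    "node-3": {"tenant_id": "t-uae", "admin_subject_id": "user-42",
               "contact_info": {"phone": "+971-4-0000000"}},
}


def fresh_rows() -> dict:
    """A mutable copy of the sample rows, so each run starts from the same state."""
    return deepcopy(SAMPLE_ROWS)


def handle_subject_request(event: dict, rows: dict) -> tuple[str, list[str]]:
    """Apply one erasure request to `rows` in place.
    Returns (ack, node_ids): ack is "no_data" when nothing was held for the
    subject in that tenant, otherwise "erased" (the latter name is assumed)."""
    if event.get("type") != EVENT_TYPE:
        raise ValueError(f"unexpected event type {event.get('type')!r}")
    tid, subject = event["tenantId"], event["subjectId"]
    erased = []
    for node_id, row in rows.items():
        # Never cross a tenant boundary, even for the same subject id.
        if row["tenant_id"] != tid or row["admin_subject_id"] != subject:
            continue
        info = row.get("contact_info")
        if not info:
            continue
        # Null only the personal fields; non-PII keys (labels etc.) are kept.
        touched = False
        for key in CONTACT_FIELDS:
            if info.get(key) is not None:
                info[key] = None
                touched = True
        if touched:
            erased.append(node_id)
    return ("erased" if erased else "no_data", erased)
```

The tenant check matters because the same subject id may administer facilities in more than one tenant; the erasure event carries one tenantId and must not reach into another tenant's rows.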
6. Data Residency
- Data is stored in the tenant's residency region (country). See 14 Extended Compliance §Residency.
- AFG tenants: data in region af-central-1.
- UAE tenants: data in region ae-central-1.
- Cross-tenant federation (shared MoPH region nodes) is deferred to M3+ and requires explicit data-sharing agreements.
7. Rate Limits & Abuse
| Abuse | Control |
|---|---|
| Bulk import DoS | Max 10,000 nodes per dry-run; rate limit 1/hour/tenant |
| Cycle-probing brute force on edges | Rate limit 200 write rps/tenant |
| Admin context lookup floods | Per-service 5,000 rps budget; circuit breaker on Redis |
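Added example of the first two controls in the table above as a per-tenant sliding-window limiter, with the size cap applied before the hourly import slot is consumed. This is not facility-service code; the limiter design, the class names and the injectable clock are constructed for the example, while the numbers (10,000 nodes, 1 import/hour/tenant, 200 write rps/tenant) are the page's.

```python
from __future__ import annotations
import time
from collections import deque

MAX_DRY_RUN_NODES = 10_000  # section 7: bulk import dry-run cap


class SlidingWindowLimit:
    """At most `limit` events per `window_s` seconds per key (sliding log)."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._log: dict[str, deque] = {}

    def allow(self, key: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now  # injectable clock for tests
        q = self._log.setdefault(key, deque())
        while q and q[0] <= now - self.window_s:
            q.popleft()  # drop events that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ImportGuard:
    """Bulk-import controls from section 7: size cap, then 1 import/hour/tenant."""

    def __init__(self):
        self.hourly = SlidingWindowLimit(limit=1, window_s=3600)

    def check(self, tenant_id: str, node_count: int, now: float | None = None):
        # Reject oversized payloads before consuming the hourly slot so a
        # mistaken upload does not lock the tenant out for an hour.
        if node_count > MAX_DRY_RUN_NODES:
            return False, f"payload has {node_count} nodes, max {MAX_DRY_RUN_NODES}"
        if not self.hourly.allow(tenant_id, now):
            return False, "import rate limit: 1 per hour per tenant"
        return True, "ok"


def new_write_limiter() -> SlidingWindowLimit:
    """Per-tenant write budget for edge mutations (the cycle-probing control)."""
    return SlidingWindowLimit(limit=200, window_s=1.0)
```

The ordering in ImportGuard.check is the design point: an over-limit payload is a validation failure, not a consumed import, so a tenant that corrects its file can retry immediately; the hourly window only starts once a payload within the cap is accepted.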