Platform Admin Service — Security Model
Status: populated · Owner: TBD · Last updated: 2026-04-18 · Companion: 13 Security · 14 Compliance
1. RBAC matrix
| Role | Config (PLATFORM scope) | Config (TENANT scope) | Feature flags | Health aggregate | Internal endpoints |
|---|---|---|---|---|---|
| SUPER_ADMIN | Full CRUD | Full CRUD | Full CRUD | Read | Yes (JWT) |
| TENANT_ADMIN | No access | Read own | Evaluate own tenant | No | No |
| Platform service | No | No | Evaluate via /internal/* | Read via /internal/* | Yes (IP-restricted) |
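The matrix above as a deny-by-default decision function. This is an added example, not code from platform-admin-service; the principal model (a JWT-bearing SUPER_ADMIN or TENANT_ADMIN, a platform service recognised only by arriving on an /internal/* route) and the names Principal, Role and is_allowed are assumptions chosen for illustration. It generalises the table slightly by making the target tenant an explicit parameter, which is what makes "own" checkable.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed principal model (not from the page): SUPER_ADMIN and TENANT_ADMIN present a JWT;
# a platform service presents no JWT and is recognised only by arriving on /internal/*.
class Role(Enum):
    SUPER_ADMIN = "SUPER_ADMIN"
    TENANT_ADMIN = "TENANT_ADMIN"
    PLATFORM_SERVICE = "PLATFORM_SERVICE"

@dataclass(frozen=True)
class Principal:
    role: Role
    tenant_id: Optional[str] = None   # the TENANT_ADMIN's own tenant
    via_internal: bool = False        # request arrived on an /internal/* route

# Actions. WRITE covers create, update and archive (the "CRUD" columns of the matrix).
READ, WRITE, EVALUATE = "read", "write", "evaluate"
# Resources named in the matrix.
CONFIG, FLAG, HEALTH = "config", "flag", "health"

def is_allowed(p: Principal, resource: str, action: str,
               scope: Optional[str] = None, tenant_id: Optional[str] = None) -> bool:
    """Deny-by-default decision for one request.

    scope is "PLATFORM" or "TENANT" for config requests; tenant_id is the tenant the
    request targets (config row or flag evaluation), not the caller's own tenant.
    """
    if p.role is Role.SUPER_ADMIN:
        if resource == CONFIG:
            return scope in ("PLATFORM", "TENANT") and action in (READ, WRITE)
        if resource == FLAG:
            return action in (READ, WRITE, EVALUATE)
        if resource == HEALTH:
            return action == READ
        return False

    if p.role is Role.TENANT_ADMIN:
        if p.via_internal or p.tenant_id is None:
            return False                       # no /internal/* access; must belong to a tenant
        own = tenant_id is not None and tenant_id == p.tenant_id
        if resource == CONFIG:
            return scope == "TENANT" and action == READ and own
        if resource == FLAG:
            return action == EVALUATE and own
        return False                           # no health aggregate, no PLATFORM config

    if p.role is Role.PLATFORM_SERVICE:
        if not p.via_internal:
            return False                       # services are only recognised on /internal/*
        if resource == FLAG:
            return action == EVALUATE
        if resource == HEALTH:
            return action == READ
        return False                           # no config access at all

    return False
```

Every branch ends in an explicit False, so a new role or resource added without a matching rule is denied rather than silently allowed.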
2. Audit events
All config and flag mutations are auditable:
| Event | Actor logged | Data logged |
|---|---|---|
| Config upsert | changedBy (userId) | key, scope, tenantId, oldValue, newValue |
| Config archive | changedBy | key, scope, tenantId |
| Flag create | changedBy | key, defaultEnabled |
| Flag update | changedBy | key, changed fields |
| Flag archive | changedBy | key |
| Tenant override set | changedBy | flag key, tenantId, enabled |
History is stored in the config_history table; events are published to audit-service on platform_admin.config.updated.v1.
3. Encryption
| Data | Classification | Encryption |
|---|---|---|
| Platform config values | Internal | PostgreSQL TDE (AES-256 at rest); TLS 1.3 in transit |
| Feature flag data | Internal | PostgreSQL TDE; TLS 1.3 |
| Health check details | Internal | PostgreSQL TDE; TLS 1.3 |
| SMTP credentials (config key email.*) | Confidential | Values stored encrypted with KMS-derived key |
4. Internal endpoint security
/internal/admin/* routes:
- IP-restricted to the cluster CIDR (Kubernetes NetworkPolicy).
- No JWT required. Network isolation is the only access control, so every workload that can reach the cluster CIDR can call these routes; any source-IP check in the application must use the transport peer address, never a client-supplied forwarding header.
- Rate-limited: 1000/min/service.
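An application-level admission check for the three rules above, as an added example (not the service's own code). It shows the weak form that trusts X-Forwarded-For next to the hardened form that looks only at the peer address, plus a fixed-window limiter. The cluster CIDR 10.42.0.0/16, the function names, and keying the rate limit by peer IP are assumptions; the page does not say how "per service" is identified when no JWT is present.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Mapping, Tuple

# Assumption: the cluster pod CIDR. Substitute the value the NetworkPolicy uses.
CLUSTER_CIDR = ipaddress.ip_network("10.42.0.0/16")
INTERNAL_PREFIX = "/internal/admin/"
RATE_LIMIT = 1000          # requests per window, from this section
WINDOW_SECONDS = 60

def is_internal_route(path: str) -> bool:
    return path == INTERNAL_PREFIX.rstrip("/") or path.startswith(INTERNAL_PREFIX)

def in_cluster(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in CLUSTER_CIDR
    except ValueError:          # garbage peer string: fail closed
        return False

def effective_ip_weak(peer_ip: str, headers: Mapping[str, str]) -> str:
    """WEAK: honours X-Forwarded-For. With no JWT on these routes, this header would be
    the only credential, and it is written by whoever sent the request."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip

def internal_allowed_weak(path: str, peer_ip: str, headers: Mapping[str, str]) -> bool:
    return not is_internal_route(path) or in_cluster(effective_ip_weak(peer_ip, headers))

def internal_allowed(path: str, peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Hardened: only the transport peer address is consulted; headers are ignored.
    Non-internal paths pass through here and get their JWT check elsewhere."""
    return not is_internal_route(path) or in_cluster(peer_ip)

class FixedWindowLimiter:
    """1000 requests per 60 s window per caller key (assumption: key = peer IP)."""
    def __init__(self, limit: int = RATE_LIMIT, window: int = WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._counts: Dict[Tuple[str, int], int] = defaultdict(int)

    def allow(self, key: str, now: float) -> bool:
        bucket = (key, int(now // self.window))
        self._counts[bucket] += 1
        return self._counts[bucket] <= self.limit
```

One caveat the peer-address check cannot cover: if an ingress proxy running inside the cluster CIDR forwards an external request for an /internal/admin/* path, the peer address is the proxy's and the check passes. Those paths must therefore not be routable through any ingress at all; the NetworkPolicy is what enforces that.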
5. Config value security
Config values that carry credentials (SMTP host/password, API keys) must be stored through a separate SecretConfig entity backed by AWS Secrets Manager. The allow-list type schema marks these keys as type: secret; their values are never returned in GET responses (the value reads ***REDACTED***). The same redaction must apply to the oldValue/newValue fields of the config upsert audit event, otherwise the audit trail carries the plaintext credential.
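One builder that covers both section 2 (the per-event "data logged" columns) and section 5 (type: secret keys redacted on read and in the audit record). This is an added example, not the service's code; the schema excerpt, the action names and the function names are assumptions. The config event topic platform_admin.config.updated.v1 is the one the page names; the page gives no topic for flag events, so none is set for them here.

```python
from typing import Any, Dict

REDACTED = "***REDACTED***"
CONFIG_EVENT_TOPIC = "platform_admin.config.updated.v1"   # from the page

# Assumed excerpt of the allow-list type schema: config key -> type. Keys of type
# "secret" are the credential-bearing ones that belong in the SecretConfig entity.
ALLOWLIST_SCHEMA: Dict[str, str] = {
    "email.smtp.host": "secret",
    "email.smtp.password": "secret",
    "maintenance.banner_text": "string",
    "limits.max_tenants": "int",
}

# Data logged per event, exactly the columns of the audit table in section 2.
EVENT_FIELDS = {
    "config.upsert":       ("key", "scope", "tenantId", "oldValue", "newValue"),
    "config.archive":      ("key", "scope", "tenantId"),
    "flag.create":         ("key", "defaultEnabled"),
    "flag.update":         ("key", "changedFields"),
    "flag.archive":        ("key",),
    "tenant_override.set": ("key", "tenantId", "enabled"),
}
VALUE_FIELDS = ("oldValue", "newValue")

def is_secret_key(key: str) -> bool:
    # Allow-list: a key the schema does not know is rejected outright, not treated as plain.
    if key not in ALLOWLIST_SCHEMA:
        raise KeyError(f"config key not in allow-list: {key}")
    return ALLOWLIST_SCHEMA[key] == "secret"

def redact_for_get(key: str, value: Any) -> Any:
    """What a GET returns for one config value."""
    return REDACTED if is_secret_key(key) else value

def build_audit_event(action: str, changed_by: str, **data: Any) -> Dict[str, Any]:
    """Build the audit record for one mutation; fields outside the table are refused."""
    if action not in EVENT_FIELDS:
        raise ValueError(f"unknown audit action: {action}")
    if not isinstance(changed_by, str) or not changed_by:
        raise ValueError("changedBy must be a user ID")
    fields = EVENT_FIELDS[action]
    extra = set(data) - set(fields)
    if extra:
        raise ValueError(f"fields not logged for {action}: {sorted(extra)}")
    missing = set(fields) - set(data)
    if missing:
        raise ValueError(f"missing fields for {action}: {sorted(missing)}")
    event: Dict[str, Any] = {"action": action, "changedBy": changed_by}
    event.update({f: data[f] for f in fields})
    if action.startswith("config."):
        if (data["scope"] == "PLATFORM") != (data["tenantId"] is None):
            raise ValueError("PLATFORM scope has no tenantId; TENANT scope requires one")
        event["topic"] = CONFIG_EVENT_TOPIC
        if is_secret_key(data["key"]):
            for f in VALUE_FIELDS:          # secret rotation is recorded, its values are not
                if f in event:
                    event[f] = REDACTED
    return event
```

The record for a secret key still shows who changed which key in which scope, which is what an auditor needs; only the values are withheld.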
6. GDPR participation
platform-admin-service stores no direct identifiers (names, e-mail addresses); changedBy holds user IDs only. On user deactivation, changedBy references are retained because audit integrity requires actor traceability (lawful basis: legal obligation / audit trail).
7. Threat model notes
| Threat | Mitigation |
|---|---|
| Unauthorized config mutation | SUPER_ADMIN JWT scope required; audit log; rate limit |
| Flag manipulation to enable unauthorized features | SUPER_ADMIN only; audit log; tenant-override requires explicit action |
| Health endpoint impersonation | Source registration requires SUPER_ADMIN or cluster-internal IP |
| Stale flag cache used to bypass feature controls | 60 s TTL plus event-driven invalidation; an archived flag always evaluates to deny regardless of cache state |
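The last row of the threat model as a runnable cache, added here as an example and not the service's implementation. It shows the three behaviours the mitigation names: a stale entry is served for at most 60 s, an update event drops the entry so the next evaluation reloads, and an archive event writes a tombstone that denies without ever consulting the store again. The Flag and FlagCache types, the loader callback, the FakeClock helper and the flag key beta.export are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TTL_SECONDS = 60.0   # from the threat model table

@dataclass
class Flag:
    key: str
    default_enabled: bool
    archived: bool = False
    tenant_overrides: Dict[str, bool] = field(default_factory=dict)

@dataclass
class _Entry:
    flag: Optional[Flag]      # None: no such flag
    loaded_at: float
    pinned: bool = False      # tombstone for an archived flag; never expires

class FlagCache:
    def __init__(self, loader: Callable[[str], Optional[Flag]],
                 clock: Callable[[], float] = time.monotonic, ttl: float = TTL_SECONDS):
        self._loader, self._clock, self._ttl = loader, clock, ttl
        self._entries: Dict[str, _Entry] = {}

    def _lookup(self, key: str) -> Optional[Flag]:
        now = self._clock()
        e = self._entries.get(key)
        if e is not None and (e.pinned or now - e.loaded_at < self._ttl):
            return e.flag
        flag = self._loader(key)                      # TTL expired or never loaded
        pinned = flag is not None and flag.archived   # archived in the store: pin the denial
        self._entries[key] = _Entry(flag=flag, loaded_at=now, pinned=pinned)
        return flag

    def on_flag_updated(self, key: str) -> None:
        """Event-driven invalidation: the next evaluate reloads from the store."""
        self._entries.pop(key, None)

    def on_flag_archived(self, key: str) -> None:
        """Tombstone: deny from now on, regardless of what the cache or store held."""
        self._entries[key] = _Entry(Flag(key, False, archived=True), self._clock(), pinned=True)

    def evaluate(self, key: str, tenant_id: Optional[str] = None) -> bool:
        flag = self._lookup(key)
        if flag is None or flag.archived:
            return False                              # unknown or archived: always deny
        if tenant_id is not None and tenant_id in flag.tenant_overrides:
            return flag.tenant_overrides[tenant_id]
        return flag.default_enabled

class FakeClock:
    """Test helper so the TTL can be exercised without sleeping."""
    def __init__(self, start: float) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

def demo() -> Dict[str, object]:
    """Walk through the stale, expired, invalidated and archived cases; returns observations."""
    clock = FakeClock(1000.0)
    store = {"beta.export": Flag("beta.export", True, tenant_overrides={"t2": False})}
    calls = {"n": 0}
    def loader(key: str) -> Optional[Flag]:
        calls["n"] += 1
        return store.get(key)
    cache = FlagCache(loader, clock=clock)
    r: Dict[str, object] = {}
    r["initial"] = cache.evaluate("beta.export", "t1")       # True, loaded from store
    r["override"] = cache.evaluate("beta.export", "t2")      # False, tenant override wins
    store["beta.export"] = Flag("beta.export", False)        # disabled in store, no event sent
    r["stale"] = cache.evaluate("beta.export", "t1")         # True: stale copy, inside TTL
    clock.advance(61)
    r["after_ttl"] = cache.evaluate("beta.export", "t1")     # False: TTL forced a reload
    store["beta.export"] = Flag("beta.export", True)
    cache.on_flag_updated("beta.export")
    r["after_event"] = cache.evaluate("beta.export", "t1")   # True: invalidation reloaded at once
    cache.on_flag_archived("beta.export")
    r["archived"] = cache.evaluate("beta.export", "t1")      # False: tombstone
    clock.advance(3600)
    r["archived_later"] = cache.evaluate("beta.export", "t1")  # still False, store not asked
    r["missing"] = cache.evaluate("no.such.flag")            # False: unknown flag
    r["loader_calls"] = calls["n"]                           # 4: initial, after TTL, after event, missing
    return r
```

The "stale" observation is the exposure window the 60 s TTL bounds: a flag disabled in the store without an event stays enabled for at most one TTL. Archiving is different in kind, which is why it gets a pinned tombstone rather than a plain invalidation.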