TenantAtlas/specs/062-tenant-rbac-v1/data-model.md

# Data Model for Tenant RBAC v1

This document outlines the data models for the Tenant RBAC feature.

## `users`

Represents a user identity, linked to an Entra ID.

-   `id` (PK)
-   `entra_tenant_id` (string) - The Entra ID tenant ID (tid).
-   `entra_object_id` (string) - The Entra ID object ID (oid).
-   `name` (string)
-   `email` (string, nullable)
-   `timestamps`

**Indexes**:
-   Unique index on `(entra_tenant_id, entra_object_id)`.

## `tenant_memberships`

Links a User to a Suite Tenant with a specific role. This is the source of truth for authorization.

-   `id` (PK, uuid)
-   `tenant_id` (FK to `tenants.id`)
-   `user_id` (FK to `users.id`)
-   `role` (enum: `owner`, `manager`, `operator`, `readonly`)
-   `source` (enum: `manual`, `entra_group`, `entra_app_role`, `break_glass`)
-   `source_ref` (string, nullable) - e.g., Entra group ID or app role ID.
-   `created_by_user_id` (FK to `users.id`, nullable)
-   `timestamps`

**Indexes**:
-   Unique index on `(tenant_id, user_id)`.
-   Index on `(tenant_id, role)`.

## `tenant_role_mappings`

Defines the mapping between an Entra group/app-role and a TenantAtlas role for a Suite Tenant.

-   `id` (PK, uuid)
-   `tenant_id` (FK to `tenants.id`)
-   `mapping_type` (enum: `entra_group`, `entra_app_role`)
-   `external_id` (string) - The Entra group GUID or appRole string.
-   `role` (enum: `owner`, `manager`, `operator`, `readonly`)
-   `is_enabled` (boolean)
-   `timestamps`

**Indexes**:
-   Unique index on `(tenant_id, mapping_type, external_id)`.