# Security & RBAC
Defence-in-depth at the edge, in transit, at rest, and at the query layer.
RBAC policy is centralised in core-svc.
## Request flow — security layers

```mermaid
flowchart LR
    IN([User request])
    ARM[Cloud Armor<br/>WAF · OWASP CRS · geo rules]
    IAP[IAP<br/>officer-only hosts]
    GW[Cloud LB · TLS 1.3 edge]
    MESH[Anthos Service Mesh<br/>mTLS between services]
    APP[Service<br/>FastAPI]
    RBAC[core-svc<br/>policy decision token]
    RLS[AlloyDB RLS<br/>tenant_id + department_id]
    IN --> ARM --> IAP --> GW --> MESH --> APP
    APP --> RBAC --> APP
    APP --> RLS
```
## Controls by layer
| Layer | Control |
|---|---|
| Edge | Cloud Load Balancer + Cloud Armor (WAF, OWASP CRS, geo rules). IAP gates officer-only hosts. |
| Transport | TLS 1.3 at the edge; mTLS between services via Anthos Service Mesh (or Istio). |
| Secrets | Secret Manager only. CMEK on AlloyDB and GCS. |
| Network | Private GKE cluster, VPC Service Controls boundary around BigQuery / GCS / AlloyDB, Private Service Connect for Vertex AI. |
| Headers / sessions | Strict CSP, HSTS, SameSite=Strict cookies, 15-minute idle timeout, session rotated on privilege change. |
| VAPT | Quarterly third-party penetration tests starting at M6. |
## RBAC

Policy resides in core-svc. Every other service delegates authorisation by attaching a signed policy-decision token to each inter-service call.
### Seed roles

| Role | Purpose |
|---|---|
| PSP | Owns own submissions, replies to comments. |
| CMU.Officer | Coordinates submissions. |
| CMU.Admin | Workflow config, user management. |
| ATD/ATL.Officer | Review and comment within own department. |
| SIRP.Officer | Review planning / zoning; BIM visual inspection. |
| Auditor | Read-only access to audit BigQuery dataset. |
| System.Admin | Platform config, RBAC admin — no submission data access. |
### Permission grain

Permissions follow `resource.action`. Examples:

`submission.read`, `submission.write`, `comment.write`, `comment.library.admin`, `perakuan.sign`, `workflow.config`, `bim.annotate`, `audit.export`
### Scoping

- Tenant scoping — enforced at every query layer; `tenant_id` is part of every WHERE clause via RLS.
- Department scoping — enforced for ATD / ATL officers via RLS so they only see submissions routed to their department.
- Step-up authentication — required for sensitive actions: digital signature, RBAC change, workflow config publish. See Signing.
> **Permission denial is audited**
>
> Every failed authorisation check is an audit event, not just an access log line. This lets auditors see attempts and patterns, not just successes. See Observability.
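The service-side half of the RBAC flow above (verify the signed policy-decision token from core-svc, check a `resource.action` permission, require step-up for sensitive actions, emit an audit event on every denial, and derive the tenant / department values the RLS layer scopes on), as an added illustration rather than the project's own code. The token format (HMAC-SHA256 over a JSON claim set), the claim names and the `app.*` session-setting names are assumptions; core-svc's real format is not described on this page.

```python
"""Service-side enforcement of a core-svc policy-decision token (illustrative)."""
import base64, hashlib, hmac, json, time

# Actions the Scoping section lists as needing step-up authentication. The page
# names no permission for "RBAC change", so only the two named ones appear here.
STEP_UP_ACTIONS = {"perakuan.sign", "workflow.config"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key: bytes, claims: dict) -> str:
    """core-svc side (assumed format): body.signature, so services cannot forge decisions."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(key: bytes, token: str, now=None):
    """Service side: constant-time signature check before parsing, then expiry. None = reject."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):  # malformed base64 / JSON / shape
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def authorize(claims: dict, permission: str, step_up_done: bool = False):
    """Return (allowed, audit_event). A denial is an audit event, not just a log line."""
    event = {"tenant_id": claims["tenant_id"], "sub": claims["sub"], "permission": permission}
    if permission not in claims["perms"]:
        return False, {**event, "outcome": "deny", "reason": "missing_permission"}
    if permission in STEP_UP_ACTIONS and not step_up_done:
        return False, {**event, "outcome": "deny", "reason": "step_up_required"}
    return True, {**event, "outcome": "allow"}

def rls_session_settings(claims: dict) -> dict:
    """Values the service sets on its AlloyDB session so RLS scopes rows by tenant and department."""
    return {"app.tenant_id": claims["tenant_id"], "app.department_id": claims.get("department_id")}
```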