Authentication and Authorisation
Overview
Authentication and authorization are critical security components of the Secure Controlled Guns and Ammunition Inventory Management System (SCGAIMS). Given the sensitivity of firearms and ammunition inventory records, unauthorized access to the platform could result in inventory manipulation, accountability failures, investigation compromise, and operational security risks.
To address these concerns, SCGAIMS incorporates a centralized Identity and Access Management (IAM) architecture using Auth0 as its Identity Provider (IdP). The platform utilizes role-based access control principles to restrict user actions based on operational responsibilities.
The authentication and authorization design aligns with the core security objectives of:
- Confidentiality
- Integrity
- Accountability
- Non-repudiation
- Least Privilege
- Separation of Duties
Identity and Access Management (IAM)
Identity and Access Management (IAM) refers to the processes and technologies responsible for controlling access to system resources based on verified identities.
SCGAIMS utilizes IAM controls to:
- Verify user identities
- Manage access permissions
- Restrict privileged functionality
- Improve accountability
- Support audit and investigation activities
The platform employs centralized authentication through Auth0 and authorization through Role-Based Access Control (RBAC).
Authentication Architecture
Authentication is the process of verifying a user's identity before granting access to system resources.
SCGAIMS utilizes:
Auth0
as its primary authentication provider.
Authentication requests are processed externally through Auth0 before users are granted access to protected application resources.
High-level authentication flow:
User
|
v
Auth0 Login
|
v
Credential Validation
|
v
Authentication Success
|
v
Role Assignment
|
v
SCGAIMS Access
Auth0 Integration
Purpose
Auth0 was selected as the Identity Provider (IdP) due to its support for:
- OAuth 2.0
- OpenID Connect (OIDC)
- Role-Based Access Control
- Multi-Factor Authentication
- Centralized User Management
Auth0 provides centralized identity management while reducing the complexity of implementing secure authentication directly within the application.
Auth0 Tenant
SCGAIMS utilizes a dedicated Auth0 tenant configured for:
SCGAIMS
The Auth0 environment manages:
- User accounts
- Roles
- Permissions
- Authentication policies
Auth0 Applications
The environment includes dedicated Auth0 applications to support authentication workflows.
SCGAIMS Web
Purpose:
Regular Web Application
Responsible for:
- User authentication
- Session establishment
- Identity verification
SCGAIMS API
Purpose:
Protected Resource Server
Responsible for:
- Permission enforcement
- API access control
- Authorization configuration
Authentication Standards
OAuth 2.0
OAuth 2.0 provides a framework for secure authorization and delegated access.
Benefits include:
- Secure access delegation
- Token-based authentication
- Centralized access management
OpenID Connect (OIDC)
OpenID Connect extends OAuth 2.0 to provide user authentication and identity information.
Benefits include:
- Standardized authentication
- User identity verification
- Federated identity capabilities
Role-Based Access Control (RBAC)
Overview
Role-Based Access Control (RBAC) is used to restrict access to system functionality based on assigned operational roles.
Rather than assigning permissions directly to users, permissions are associated with roles, and users inherit permissions based on role membership.
Benefits include:
- Simplified administration
- Reduced privilege creep
- Improved security
- Better compliance alignment
User Roles
SCGAIMS defines the following operational roles.
Administrator
The Administrator role possesses the highest privilege level within the system.
Responsibilities include:
- System management
- User administration
- Inventory management
- Investigation oversight
- Audit review
- Security administration
Typical capabilities include:
Create Inventory
Update Inventory
Delete Inventory
View Audit Logs
Manage Investigations
Manage Users
Supervisor
The Supervisor role provides operational oversight and accountability functions.
Responsibilities include:
- Investigation reviews
- Discrepancy management
- Operational monitoring
- Audit review
Typical capabilities include:
View Inventory
Review Investigations
Resolve Investigations
View Audit Logs
Review Transactions
Officer
The Officer role supports day-to-day inventory operations.
Responsibilities include:
- Inventory issuance
- Inventory returns
- Shift operations
Typical capabilities include:
Issue Inventory
Return Inventory
View Assigned Transactions
Start Shift
End Shift
Permissions
SCGAIMS utilizes Auth0 permissions to implement fine-grained authorization controls.
Current permissions include:
issue:inventory
Allows a user to:
Issue firearms
Issue ammunition
Create issuance transactions
return:inventory
Allows a user to:
Process inventory returns
Update issuance records
Trigger discrepancy validation
resolve:investigation
Allows a user to:
Review investigation records
Update investigation status
Resolve investigations
view:records
Allows a user to:
View inventory transactions
View issuance history
Review operational records
view:auditlogs
Allows a user to:
Access audit records
Review user activity
Perform accountability reviews
Authorization Model
Authorization decisions are based on the relationship between:
User
|
v
Assigned Role
|
v
Granted Permissions
|
v
Accessible Resources
Example:
Administrator
|
+--- issue:inventory
+--- return:inventory
+--- view:records
+--- view:auditlogs
+--- resolve:investigation
Principle of Least Privilege
SCGAIMS follows the Principle of Least Privilege (PoLP).
Users are granted only the minimum permissions required to perform their duties.
Benefits include:
- Reduced attack surface
- Reduced insider threat risk
- Improved accountability
- Stronger security governance
Separation of Duties
The platform incorporates role separation principles.
Examples include:
- Officers issue and return inventory.
- Supervisors review investigations.
- Administrators manage system configuration.
This reduces opportunities for abuse and improves accountability.
Auditability
Authentication and authorization activities contribute directly to system accountability.
Examples include:
- User authentication events
- Inventory transactions
- Investigation updates
- Administrative actions
These events may be reviewed through audit logs to support:
- Investigations
- Compliance reviews
- Forensic analysis
- Accountability verification
Future Security Enhancements
Future releases may include:
Multi-Factor Authentication (MFA)
Additional identity verification factors such as:
- Authenticator applications
- Push notifications
- Security codes
Step-Up Authentication
Sensitive operations such as:
- Inventory issuance
- Inventory returns
- Investigation resolution
may require additional user verification before processing.
Conditional Access Policies
Risk-based access controls may include:
- Device validation
- Geolocation restrictions
- Privileged access reviews
Security Benefits
The authentication and authorization architecture provides:
- Centralized identity management
- Stronger access control
- Reduced unauthorized access risk
- Improved accountability
- Enhanced auditability
- Improved compliance readiness
Conclusion
SCGAIMS employs a centralized identity and access management architecture through Auth0, supported by Role-Based Access Control principles. Through the implementation of user roles, permissions, and secure authentication workflows, the system strengthens accountability, restricts unauthorized access to controlled asset records, and supports the broader security governance objectives that motivated the development of the platform.