Skip to main content

Authentication and Authorisation

Overview

Authentication and authorization are critical security components of the Secure Controlled Guns and Ammunition Inventory Management System (SCGAIMS). Given the sensitivity of firearms and ammunition inventory records, unauthorized access to the platform could result in inventory manipulation, accountability failures, investigation compromise, and operational security risks.

To address these concerns, SCGAIMS incorporates a centralized Identity and Access Management (IAM) architecture using Auth0 as its Identity Provider (IdP). The platform utilizes role-based access control principles to restrict user actions based on operational responsibilities.

The authentication and authorization design aligns with the core security objectives of:

  • Confidentiality
  • Integrity
  • Accountability
  • Non-repudiation
  • Least Privilege
  • Separation of Duties

Identity and Access Management (IAM)

Identity and Access Management (IAM) refers to the processes and technologies responsible for controlling access to system resources based on verified identities.

SCGAIMS utilizes IAM controls to:

  • Verify user identities
  • Manage access permissions
  • Restrict privileged functionality
  • Improve accountability
  • Support audit and investigation activities

The platform employs centralized authentication through Auth0 and authorization through Role-Based Access Control (RBAC).


Authentication Architecture

Authentication is the process of verifying a user's identity before granting access to system resources.

SCGAIMS utilizes:

Auth0

as its primary authentication provider.

Authentication requests are processed externally through Auth0 before users are granted access to protected application resources.

High-level authentication flow:

User
|
v
Auth0 Login
|
v
Credential Validation
|
v
Authentication Success
|
v
Role Assignment
|
v
SCGAIMS Access

Auth0 Integration

Purpose

Auth0 was selected as the Identity Provider (IdP) due to its support for:

  • OAuth 2.0
  • OpenID Connect (OIDC)
  • Role-Based Access Control
  • Multi-Factor Authentication
  • Centralized User Management

Auth0 provides centralized identity management while reducing the complexity of implementing secure authentication directly within the application.


Auth0 Tenant

SCGAIMS utilizes a dedicated Auth0 tenant configured for:

SCGAIMS

The Auth0 environment manages:

  • User accounts
  • Roles
  • Permissions
  • Authentication policies

Auth0 Applications

The environment includes dedicated Auth0 applications to support authentication workflows.

SCGAIMS Web

Purpose:

Regular Web Application

Responsible for:

  • User authentication
  • Session establishment
  • Identity verification

SCGAIMS API

Purpose:

Protected Resource Server

Responsible for:

  • Permission enforcement
  • API access control
  • Authorization configuration

Authentication Standards

OAuth 2.0

OAuth 2.0 provides a framework for secure authorization and delegated access.

Benefits include:

  • Secure access delegation
  • Token-based authentication
  • Centralized access management

OpenID Connect (OIDC)

OpenID Connect extends OAuth 2.0 to provide user authentication and identity information.

Benefits include:

  • Standardized authentication
  • User identity verification
  • Federated identity capabilities

Role-Based Access Control (RBAC)

Overview

Role-Based Access Control (RBAC) is used to restrict access to system functionality based on assigned operational roles.

Rather than assigning permissions directly to users, permissions are associated with roles, and users inherit permissions based on role membership.

Benefits include:

  • Simplified administration
  • Reduced privilege creep
  • Improved security
  • Better compliance alignment

User Roles

SCGAIMS defines the following operational roles.


Administrator

The Administrator role possesses the highest privilege level within the system.

Responsibilities include:

  • System management
  • User administration
  • Inventory management
  • Investigation oversight
  • Audit review
  • Security administration

Typical capabilities include:

Create Inventory
Update Inventory
Delete Inventory
View Audit Logs
Manage Investigations
Manage Users

Supervisor

The Supervisor role provides operational oversight and accountability functions.

Responsibilities include:

  • Investigation reviews
  • Discrepancy management
  • Operational monitoring
  • Audit review

Typical capabilities include:

View Inventory
Review Investigations
Resolve Investigations
View Audit Logs
Review Transactions

Officer

The Officer role supports day-to-day inventory operations.

Responsibilities include:

  • Inventory issuance
  • Inventory returns
  • Shift operations

Typical capabilities include:

Issue Inventory
Return Inventory
View Assigned Transactions
Start Shift
End Shift

Permissions

SCGAIMS utilizes Auth0 permissions to implement fine-grained authorization controls.

Current permissions include:


issue:inventory

Allows a user to:

Issue firearms
Issue ammunition
Create issuance transactions

return:inventory

Allows a user to:

Process inventory returns
Update issuance records
Trigger discrepancy validation

resolve:investigation

Allows a user to:

Review investigation records
Update investigation status
Resolve investigations

view:records

Allows a user to:

View inventory transactions
View issuance history
Review operational records

view:auditlogs

Allows a user to:

Access audit records
Review user activity
Perform accountability reviews

Authorization Model

Authorization decisions are based on the relationship between:

User
|
v
Assigned Role
|
v
Granted Permissions
|
v
Accessible Resources

Example:

Administrator
|
+--- issue:inventory
+--- return:inventory
+--- view:records
+--- view:auditlogs
+--- resolve:investigation

Principle of Least Privilege

SCGAIMS follows the Principle of Least Privilege (PoLP).

Users are granted only the minimum permissions required to perform their duties.

Benefits include:

  • Reduced attack surface
  • Reduced insider threat risk
  • Improved accountability
  • Stronger security governance

Separation of Duties

The platform incorporates role separation principles.

Examples include:

  • Officers issue and return inventory.
  • Supervisors review investigations.
  • Administrators manage system configuration.

This reduces opportunities for abuse and improves accountability.


Auditability

Authentication and authorization activities contribute directly to system accountability.

Examples include:

  • User authentication events
  • Inventory transactions
  • Investigation updates
  • Administrative actions

These events may be reviewed through audit logs to support:

  • Investigations
  • Compliance reviews
  • Forensic analysis
  • Accountability verification

Future Security Enhancements

Future releases may include:

Multi-Factor Authentication (MFA)

Additional identity verification factors such as:

  • Authenticator applications
  • Push notifications
  • Security codes

Step-Up Authentication

Sensitive operations such as:

  • Inventory issuance
  • Inventory returns
  • Investigation resolution

may require additional user verification before processing.


Conditional Access Policies

Risk-based access controls may include:

  • Device validation
  • Geolocation restrictions
  • Privileged access reviews

Security Benefits

The authentication and authorization architecture provides:

  • Centralized identity management
  • Stronger access control
  • Reduced unauthorized access risk
  • Improved accountability
  • Enhanced auditability
  • Improved compliance readiness

Conclusion

SCGAIMS employs a centralized identity and access management architecture through Auth0, supported by Role-Based Access Control principles. Through the implementation of user roles, permissions, and secure authentication workflows, the system strengthens accountability, restricts unauthorized access to controlled asset records, and supports the broader security governance objectives that motivated the development of the platform.