Identity

Identity is a Kubernetes-based microservice that manages users, credentials, and access control across distributed systems. It provides a centralized authentication and authorization service, offering a standardized API that integrates seamlessly with other services.

Key features

  • User Management – Create, update, and delete user accounts.
  • Role-Based Access Control (RBAC) – Assign predefined roles with granular permissions.
  • Group Association – Manage user memberships across applications.
  • OAuth2 Authentication – Secure authentication flows using JWT tokens.
  • Performance Optimization – Uses in-memory caching for fast query handling.
  • Observability – Integrated with OpenTelemetry for logging and tracing.

Role groups and permissions


User access in the Lerian ecosystem is controlled by role groups, defined per application (such as Midaz, Fee Engine, CRM, and others). Each role determines what users can see or do within a specific app.

Roles are tied to permission sets, which are predefined combinations of actions and resources. These permission sets are managed centrally and can’t be customized.

Role levels

Each user is assigned one of the following roles:

  • Admin – Full access to all resources and system-level actions.
  • Editor – Can create, update, and delete resources.
  • Contributor – Can create and update resources, but can’t delete.
  • Viewer – Read-only access; can view data but can’t make changes.
Important: Roles are scoped per application. A user can have different roles across different apps. For example, Editor in Midaz, Viewer in CRM, and no role in Fee Engine.

Here’s what that means in practice:

Role          Allowed methods
Admin         Full control
Editor        GET, POST, PATCH, DELETE
Contributor   GET, POST, PATCH
Viewer        GET, HEAD
Attention: If a user has no assigned role in a given app, they won’t have access to it, not even read-only.


Permission sets by application

Behind each role is a permission set that specifies which resources the user can access and what actions they’re allowed to perform. These sets are defined in the init/casdoor/init_data.json file.

The full list of permission sets follows:

Permission table

  • plugin-identity-editor-permission (Plugin Identity Editor Permission)
    • Resources: applications, groups, users, update-password, reset-password
    • Actions: get, post, patch, delete
  • plugin-identity-default-permission (Plugin Identity Default Permission)
    • Resources: update-password
    • Actions: patch
  • midaz-editor-permission (Midaz Editor Permission)
    • Resources: accounts, organizations, ledgers, assets, asset-rates, portfolios, segments, balances, transactions, operations
    • Actions: get, post, patch, delete, head
  • midaz-contributor-permission (Midaz Contributor Permission)
    • Resources: accounts, organizations, ledgers, assets, asset-rates, portfolios, segments, balances, transactions, operations
    • Actions: get, post, patch, head
  • midaz-viewer-permission (Midaz Viewer Permission)
    • Resources: accounts, organizations, ledgers, assets, asset-rates, portfolios, segments, balances, transactions, operations
    • Actions: get, head
  • routing-editor-permission (Plugin Routing Editor Permission)
    • Resources: account-types, transaction-routes, operation-routes
    • Actions: get, post, patch, delete
  • routing-contributor-permission (Plugin Routing Contributor Permission)
    • Resources: account-types, transaction-routes, operation-routes
    • Actions: get, post, patch
  • routing-viewer-permission (Plugin Routing Viewer Permission)
    • Resources: account-types, transaction-routes, operation-routes
    • Actions: get
  • plugin-fees-editor-permission (Plugin Fees Editor Permission)
    • Resources: packages, fees, estimates
    • Actions: post, get, patch, delete
  • plugin-fees-contributor-permission (Plugin Fees Contributor Permission)
    • Resources: packages, fees, estimates
    • Actions: post, get, patch
  • plugin-fees-viewer-permission (Plugin Fees Viewer Permission)
    • Resources: packages, fees, estimates
    • Actions: get
  • plugin-crm-editor-permission (Plugin CRM Editor Permission)
    • Resources: holders, aliases
    • Actions: post, get, patch, delete
  • plugin-crm-contributor-permission (Plugin CRM Contributor Permission)
    • Resources: holders, aliases
    • Actions: post, get, patch
  • plugin-crm-viewer-permission (Plugin CRM Viewer Permission)
    • Resources: holders, aliases
    • Actions: get
  • plugin-smart-templates-viewer-permission (Plugin Smart Template Viewer Permission)
    • Resources: templates, reports, data-source
    • Actions: get
  • plugin-smart-templates-contributor-permission (Plugin Smart Templates Contributor Permission)
    • Resources: templates, reports, data-source
    • Actions: get, post, patch
  • plugin-smart-templates-editor-permission (Plugin Smart Templates Editor Permission)
    • Resources: templates, reports, data-source
    • Actions: get, post, patch, delete

How permissions are structured

All permission sets follow the same logic:

Role          Typical methods
Viewer        GET, HEAD
Contributor   GET, POST, PATCH, HEAD
Editor        GET, POST, PATCH, DELETE, HEAD

This consistent structure makes it easy to reason about access across different plugins.

Plugin-level resources

Here’s a quick reference of the resources each plugin manages:

Plugin            Resources
Access Manager    applications, groups, users, update-password, reset-password
Midaz             accounts, organizations, ledgers, assets, asset-rates, portfolios, segments, balances, transactions, operations, account-types, transaction-routes, operation-routes
Fees              packages, fees, estimates
CRM               holders, aliases
Smart Templates   templates, reports, data-source
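The role tables, the "no role means no access" rule and the per-plugin resource lists above together define one allow decision: first the user's role in the application, then the method, then the resource. The Go program below is an added example, not code from the Identity service or Casdoor; it models the Midaz, Fees and CRM permission sets from the table as data and evaluates requests against them, failing closed for a user without a role in the application. The application keys ("midaz", "fees", "crm"), the `Allowed` function and the treatment of Admin as any method on every resource the application manages are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// PermissionSet mirrors one row of the permission table: the resources a role
// group covers and the HTTP methods (actions) it may use on them.
type PermissionSet struct {
	Resources []string
	Actions   []string
}

// Resource lists per application, copied from the page's tables; only three of
// the applications are modelled here.
var (
	midazResources = []string{"accounts", "organizations", "ledgers", "assets", "asset-rates",
		"portfolios", "segments", "balances", "transactions", "operations"}
	feesResources = []string{"packages", "fees", "estimates"}
	crmResources  = []string{"holders", "aliases"}
)

// permissionSets maps application -> role -> permission set. The application
// keys are assumed names for this example; the actions are the table's values.
var permissionSets = map[string]map[string]PermissionSet{
	"midaz": {
		"Editor":      {midazResources, []string{"get", "post", "patch", "delete", "head"}},
		"Contributor": {midazResources, []string{"get", "post", "patch", "head"}},
		"Viewer":      {midazResources, []string{"get", "head"}},
	},
	"fees": {
		"Editor":      {feesResources, []string{"post", "get", "patch", "delete"}},
		"Contributor": {feesResources, []string{"post", "get", "patch"}},
		"Viewer":      {feesResources, []string{"get"}},
	},
	"crm": {
		"Editor":      {crmResources, []string{"post", "get", "patch", "delete"}},
		"Contributor": {crmResources, []string{"post", "get", "patch"}},
		"Viewer":      {crmResources, []string{"get"}},
	},
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// appResources returns every resource an application manages; all role groups
// of one application share the same list, so any of them can supply it.
func appResources(app string) []string {
	for _, ps := range permissionSets[app] {
		return ps.Resources
	}
	return nil
}

// Allowed decides whether a user, given their role per application, may use
// method on resource within app. A user with no role in app is denied everything,
// including read-only access, and an unknown role group fails closed.
func Allowed(roles map[string]string, app, method, resource string) bool {
	role, ok := roles[app]
	if !ok {
		return false
	}
	if role == "Admin" { // full control: any method on any resource of the app (assumption)
		return contains(appResources(app), resource)
	}
	ps, ok := permissionSets[app][role]
	if !ok {
		return false
	}
	return contains(ps.Resources, resource) && contains(ps.Actions, strings.ToLower(method))
}

func main() {
	// Constructed user: Editor in Midaz, Viewer in CRM, no role in Fees.
	alice := map[string]string{"midaz": "Editor", "crm": "Viewer"}
	for _, c := range [][3]string{
		{"midaz", "DELETE", "accounts"}, {"crm", "GET", "holders"},
		{"crm", "POST", "holders"}, {"fees", "GET", "packages"},
	} {
		fmt.Printf("%-5s %-6s %-8s allowed=%v\n", c[0], c[1], c[2], Allowed(alice, c[0], c[1], c[2]))
	}
}
```

Note that HEAD is granted only where the page's table lists it (the Midaz sets but not the Fees or CRM ones), so a Viewer in CRM issuing HEAD is denied by this model exactly as the table reads; a resource that belongs to another application (for instance "packages" under Midaz) is denied regardless of role.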

Architecture and identity flow


Identity follows a clean architecture pattern with the following request flow:

Figure 1. Identity Flow

Request flow

  1. HTTP request entry
    • API endpoints process incoming requests.
    • Middleware handles CORS, logging, and telemetry.
    • Authorization middleware enforces access policies.
  2. Request processing
    • Handlers validate input and extract parameters.
    • The service layer executes business logic.
    • The adapter layer translates service calls to the external IAM system.
  3. Authentication flow
    • Client applications authenticate using OAuth2.
    • JWT tokens are validated with embedded certificates.
    • Permissions are enforced based on role definitions.
  4. Response flow
    • Data is transformed into API response models.
    • Standardized HTTP responses ensure consistency.
    • Logging and telemetry track the request lifecycle.
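Step 3 above says JWT tokens are validated with embedded certificates. The Go program below is an added example, not code from Identity or the IAM system it fronts, showing what that validation entails with only the standard library: pin the algorithm, verify the signature over header.payload with the certificate's public key, then check expiry before any claim is trusted. ES256 (ECDSA P-256), the claim names `sub`, `role` and `exp`, and the self-signed certificate are assumptions; `SignES256` exists only to produce test tokens offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the token subset checked here; the claim names are assumptions for this example.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// VerifyES256 validates a compact JWT against the P-256 public key carried in cert.
// The algorithm is pinned to ES256 (the header's "alg" never chooses the verifier),
// the signature is checked over header.payload, and a missing or past "exp" rejects.
func VerifyES256(token string, cert *x509.Certificate, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unsupported or malformed header")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve.Params().Name != "P-256" {
		return nil, errors.New("certificate key is not ECDSA P-256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signatures are raw R||S, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// NewSelfSignedCert makes a throwaway P-256 key and certificate (constructed for the
// example) standing in for the certificate an Identity deployment would embed.
func NewSelfSignedCert() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// SignES256 mints a token the way a test issuer would, only so the verifier can be
// exercised offline; Identity validates tokens, it does not issue them here.
func SignES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c) // cannot fail for this struct
	signing := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS wants fixed-width R||S, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + b64.EncodeToString(sig), nil
}

func main() {
	priv, cert, _ := NewSelfSignedCert()
	tok, _ := SignES256(priv, Claims{Sub: "alice", Role: "Editor", Exp: time.Now().Add(time.Minute).Unix()})
	c, err := VerifyES256(tok, cert, time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

Design note: because the verifier only ever accepts the algorithm it was built for, a token whose header claims `none` or an HMAC algorithm cannot pass no matter what its payload says, and a payload edited after signing fails the signature check before its claims are even parsed. The certificate is used only for its public key here; chain validation and the exact claim names are deployment details the page does not spell out.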

External dependencies

  • Primary storage – Centralized identity management system.
  • Caching – Optimized with an in-memory data store.
  • Tracing & monitoring – Integrated with OpenTelemetry.
  • Deployment – Kubernetes for infrastructure management.

API overview


Identity provides centralized identity and access management for distributed applications. APIs support:

  • User account management and authentication.
  • Role-based access control and permissions enforcement.
  • Group and application identity operations.

Access is secured by strict permission controls. For technical details, check the Identity API documentation.


Data storage and modeling


Identity doesn’t store data on its own—it connects with external systems to handle identity and caching.

Primary storage

The service relies on an external identity management system as its main data store. It manages key entities like users, groups, and applications:

  • User entity
    • Key properties: ID, first name, last name, username, email, hashed password, and group memberships.
    • Mapping: Directly corresponds to user objects in the identity system.
    • Operations: Supports create, read, update, and delete actions via API.
  • Group entity
    • Key properties: ID, name, display name, creation date, and associated users.
    • Mapping: Directly corresponds to group objects in the identity system.
    • Operations: Read operations available through API.
  • Application entity
    • Key properties: ID, name, description, client credentials, and creation date.
    • Mapping: Directly corresponds to application objects in the identity system.
    • Operations: Supports create, read, and delete actions via API.

Secondary storage

A document-based database is integrated to support additional data persistence needs.

Caching

A caching layer is used to improve performance, managing temporary data efficiently. Connections and cache consumers are handled programmatically within Identity.


Deployment & operations


  • Scalability & reliability – Managed through Kubernetes.
  • Observability – Integrated with OpenTelemetry.
  • Security – Aligned with industry best practices for authentication and authorization.

Identity ensures secure and efficient authentication across distributed applications, streamlining identity management with a robust and scalable design.