Key Documentations - saayam-for-all/docs GitHub Wiki

Welcome to the Key Documentations Wiki!

Purpose: This documentation provides a structured overview of user roles, access levels, and identity management within the Saayam For All ecosystem. It is intended to guide internal stakeholders in understanding:

  • The classification and hierarchy of Application Roles and Enterprise Roles
  • How user access is managed through AWS Cognito and AWS IAM
  • The policies and processes for role assignment, promotion, and access control

This resource ensures consistency, transparency, and security in how user access is granted and maintained across both applications and enterprise systems.


User Roles & Access Management Overview

1. Role Classification

  • Saayam For All classifies roles into two primary categories:

A. Application Roles

  • These are used exclusively for access and functionality within our web and mobile applications.
  • Roles include:
  1. Beneficiaries
  2. Volunteers
  3. Stewards
  4. Admins
  5. Super Admins
  • Each role is granted only the privileges required for its function (least privilege).
  • Users are never mapped to roles directly. Instead, a user is added to a user group in AWS Cognito, and the application derives the user's role from that group membership.

Application Role Hierarchy & Group Management

  • All new users are placed in the Beneficiaries group by default; this group carries the access of the Beneficiary role.
  • Promotion Flow:
  1. Beneficiaries → Volunteers: the user is added to the Volunteers group and gains the additional privileges of that role.
  2. Volunteers → Stewards: selected volunteers are added to the Stewards group.
  • External Participants (non-employees) can be part of:
  1. Beneficiaries
  2. Volunteers
  3. Stewards
  • Admins and Super Admins are restricted to internal enterprise users only.

B. Enterprise Roles

  • These pertain to employees and selected volunteers who operate within the internal organization (the Org group).

  • Enterprise user hierarchy:

  1. Executives
  2. Mid-level Managers/Leads
  3. Enterprise Volunteers
  • Enterprise Role Assignments & Privileges:
  1. Executives: Assigned Super Admin privileges both in the application and in the Saayam AWS account.
  2. Mid-Level Managers/Leads: Assigned to the Admins group both in the application and in AWS IAM. Each manager/lead is restricted to managing one specific area in AWS.
  3. Enterprise Volunteers: Operate in the Saayam AWS account without administrative privileges; they are regular operators.

2. Access & Identity Management

A. AWS Cognito

  • Manages all application-specific roles and user groups.
  • Responsible for:
  1. Authentication of app users.
  2. Group-based role assignments (e.g., Beneficiaries, Volunteers, etc.).
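The Cognito-side rule stated above and in the Application Roles section (roles come only from group membership, new users default to Beneficiaries, promotion is one group at a time, Admins and Super Admins are enterprise-only) is easiest to get right when the application enforces it in one place. The following is an added example written for this page, not Saayam's own code. It resolves an app user's effective role from the `cognito:groups` claim of a Cognito ID token, gates actions on it, and checks a requested group change against the hierarchy before it would be sent to Cognito. Assumptions: the token's RS256 signature has already been verified against the user pool's JWKS by the JWT library in front of this code; the region, pool id, app client id and the `SuperAdmins` group name are placeholders (Cognito group names cannot contain spaces, so the page's "Super Admins" must be spelled without one in the pool); the sample claims are constructed, not captured from a real token.

```python
"""Group-based role resolution for a Cognito-authenticated app user.

Added example, not the project's code. Signature verification of the ID
token is assumed to have been done already; identifiers are placeholders.
"""
import time

REGION = "us-east-1"                 # placeholder
USER_POOL_ID = "us-east-1_EXAMPLE"   # placeholder
APP_CLIENT_ID = "1example23456789"   # placeholder
# Cognito's issuer format for a user pool.
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Application role hierarchy, least privileged first. A user's effective
# role is the highest group they belong to; a higher group is taken to
# include the privileges of the lower ones. "SuperAdmins" is assumed.
ROLE_ORDER = ["Beneficiaries", "Volunteers", "Stewards", "Admins", "SuperAdmins"]
ENTERPRISE_ONLY = {"Admins", "SuperAdmins"}
# The only promotions the app-side workflow may perform, one step at a time.
PROMOTIONS = {"Beneficiaries": "Volunteers", "Volunteers": "Stewards"}


def validate_claims(claims, now=None):
    """Reject tokens not issued by our pool for our app client, or expired.
    Cryptographic verification is assumed to have happened upstream."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("token not issued by the expected user pool")
    if claims.get("token_use") != "id":
        raise PermissionError("expected an ID token")
    if claims.get("aud") != APP_CLIENT_ID:
        raise PermissionError("token issued for a different app client")
    if float(claims.get("exp", 0)) <= now:
        raise PermissionError("token expired")


def effective_role(claims):
    """Map the cognito:groups claim to exactly one application role.
    No groups means the default Beneficiaries role (fail to least
    privilege); an unrecognised group is an error, not silently ignored."""
    groups = claims.get("cognito:groups") or []
    unknown = sorted(set(groups) - set(ROLE_ORDER))
    if unknown:
        raise PermissionError(f"unrecognised group(s): {unknown}")
    if not groups:
        return "Beneficiaries"
    return max(groups, key=ROLE_ORDER.index)


def is_allowed(claims, required_role):
    """True if the user's effective role is at or above required_role."""
    return ROLE_ORDER.index(effective_role(claims)) >= ROLE_ORDER.index(required_role)


def plan_group_change(claims, target_group, enterprise_user):
    """Policy check for a group change request. Returns the keyword
    arguments for boto3 cognito-idp admin_add_user_to_group (no AWS call
    is made here) or raises if the change breaks the hierarchy rules."""
    current = effective_role(claims)
    if target_group in ENTERPRISE_ONLY:
        if not enterprise_user:
            raise PermissionError(f"{target_group} is restricted to enterprise users")
    elif PROMOTIONS.get(current) != target_group:
        raise PermissionError(f"{current} -> {target_group} is not a permitted step")
    return {"UserPoolId": USER_POOL_ID,
            "Username": claims["cognito:username"],
            "GroupName": target_group}


def is_denied(fn, *args):
    """Helper: True if fn(*args) raises PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


# Constructed sample claims (not a captured token); exp is in the year 2030.
SAMPLE_VOLUNTEER = {
    "iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
    "exp": 1_900_000_000, "cognito:username": "vol-0001",
    "cognito:groups": ["Beneficiaries", "Volunteers"],
}

if __name__ == "__main__":
    validate_claims(SAMPLE_VOLUNTEER)
    print("effective role:", effective_role(SAMPLE_VOLUNTEER))
    print("may act as Steward:", is_allowed(SAMPLE_VOLUNTEER, "Stewards"))
    print("promotion plan:", plan_group_change(SAMPLE_VOLUNTEER, "Stewards", False))
    print("Admins for non-enterprise user denied:",
          is_denied(plan_group_change, SAMPLE_VOLUNTEER, "Admins", False))
```

Two design points matter here. A token with no `cognito:groups` claim resolves to Beneficiaries rather than being rejected, which matches the default group and keeps the failure mode at least privilege; and a group name the code does not know raises instead of being skipped, so a group added to the pool without a matching authorization rule cannot silently grant or drop access. The returned dictionary is what an administrative workflow would pass to `admin_add_user_to_group`, keeping the promotion policy in code rather than in whoever has console access.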

B. AWS IAM (Identity and Access Management)

  • Manages all enterprise roles, users, and group assignments.
  • Responsible for:
  1. Defining enterprise hierarchy.
  2. Managing access permissions in the AWS environment.

3. Key Notes

  • Only enterprise users can be part of Admins and Super Admins groups.
  • All users, regardless of enterprise status, may belong to Beneficiary, Volunteer, or Steward roles depending on their involvement.
  • Application roles are functional, whereas Enterprise roles are organizational and access-based.
  • Access control is achieved only through user group assignments, never by direct role assignment.