Module: core. Primary key: id. 11 required attributes, 2 unique.

Description

Core identity record for every authenticated principal in the Meander platform — peer mentors, coordinators, organization admins, and global admins. Holds tenant-scoped identity data and links to credentials, sessions, role assignments, profile, preferences, and all domain activity. Authentication state lives in user_credentials/user_sessions; authorization (roles, org scope) lives in user_roles + member_associations.

18 attributes, 6 indexes, 10 validation rules, 26 CRUD operations.

Data Structure

id
Type: uuid. Constraints: PK, required, unique.
Primary identifier for the user, stable across renames and email changes.

organization_id
Type: uuid. Constraints: none (nullable).
Tenant (organization) the user primarily belongs to. Drives tenant scoping and module-toggle resolution. May be null for global admins.

email
Type: string. Constraints: required, unique.
User's email address. Used as login identifier and notification target.

email_verified
Type: boolean. Constraints: required.
Whether the email address has been verified via confirmation link.

full_name_encrypted
Type: text. Constraints: required.
Full name of the user, encrypted at the application level with AES-256-GCM before persistence (per Subprocessors.md).

phone_number_encrypted
Type: text. Constraints: none (nullable).
Phone number, encrypted at the application level with AES-256-GCM. Used for SMS notifications and contact.

national_id_encrypted
Type: text. Constraints: none (nullable).
Norwegian fødselsnummer when returned by BankID/Vipps authentication. Stored encrypted; access is restricted and audited.

user_type
Type: enum. Constraints: required.
High-level classification of the principal type. Determines the login surface (mobile app vs admin portal).

status
Type: enum. Constraints: required.
Lifecycle status of the user account.

preferred_language
Type: string. Constraints: required.
BCP-47 language tag for UI and notifications (e.g., 'nb-NO', 'en-GB').

auth_provider
Type: enum. Constraints: required.
Primary authentication method used at first login. BankID/Vipps return verified identity claims.

biometric_enabled
Type: boolean. Constraints: required.
Whether the user has opted in to biometric session unlock (Face ID / fingerprint) on their mobile device.

support_access_allowed_until
Type: datetime. Constraints: none (nullable).
Time-bounded flag granting Norse Global Admins support access to this user's org data. Null when no access is granted.

last_login_at
Type: datetime. Constraints: none (nullable).
Timestamp of the most recent successful login.

invited_by_user_id
Type: uuid. Constraints: none (nullable).
User who invited this user (typically an Org Admin). Null for self-registered or seed accounts.

created_at
Type: datetime. Constraints: required.
When the user record was created.

updated_at
Type: datetime. Constraints: required.
Last modification timestamp.

deleted_at
Type: datetime. Constraints: none (nullable).
Soft-delete marker. When set, the record is hidden from all queries but retained for audit and Bufdir traceability.

Database Indexes

idx_users_email
btree unique

Columns: email

idx_users_organization_id
btree

Columns: organization_id

idx_users_org_status
btree

Columns: organization_id, status

idx_users_user_type
btree

Columns: user_type

idx_users_invited_by
btree

Columns: invited_by_user_id

idx_users_deleted_at
btree

Columns: deleted_at

Validation Rules

email_format
Severity: error. Message: "Validation failed"

email_unique
Severity: error. Message: "Validation failed"

organization_required_for_non_global
Severity: error. Message: "Validation failed"

valid_user_type
Severity: error. Message: "Validation failed"

status_transition_valid
Severity: error. Message: "Validation failed"

phone_format
Severity: warning. Message: "Validation failed"

national_id_pii_access
Severity: error. Message: "Validation failed"

invited_by_must_be_admin
Severity: error. Message: "Validation failed"

support_access_bounded
Severity: error. Message: "Validation failed"

preferred_language_supported
Severity: warning. Message: "Validation failed"

Business Rules

tenant_isolation
always

A user's organization_id determines all tenant scoping. Cross-organization data access is forbidden except for global admins with active support_access_allowed_until.

login_surface_by_user_type
on_create

peer_mentor and coordinator log in only to the Mobile App. org_admin and global_admin log in only to the Admin Web Portal. org_admin appears as coordinator inside the Mobile App without a separate UI path.

global_admin_no_default_org_data
always

Global admins have no default access to any organization's operational data; access is granted only via a time-bounded support_access_allowed_until flag set by the org admin.

soft_delete_only
on_delete

Users are never hard-deleted while they have associated activities, expenses, or assignments; deletion sets deleted_at and status='deleted' to preserve Bufdir traceability and audit history.

invitation_required
on_create

Peer mentors and coordinators must be invited by an Org Admin (invited_by_user_id set) — they cannot self-register.

paused_user_blocked_from_assignments
always

Users with status='paused' (peer mentors on pause or auto-paused due to certificate expiry) must not receive new assignments or appear in geographic matching.

audit_all_identity_changes
always

Every create/update/delete to a user record (role assignment, deactivation, support access grant) must produce an audit_logs entry scoped to the organization.

support_access_expiry
always

When support_access_allowed_until passes, all active global-admin sessions touching this org must be invalidated immediately.
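As an added illustration, not the platform's own code, of how the business rules above combine into a single access decision: tenant_isolation, global_admin_no_default_org_data, paused_user_blocked_from_assignments and support_access_expiry. The User and Session dataclasses, the 'active' status value, and the assumption that the grant lives on the org-admin record that set it are all assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class User:
    id: str
    user_type: str                  # peer_mentor | coordinator | org_admin | global_admin
    status: str                     # page names 'paused' and 'deleted'; 'active' is assumed here
    organization_id: Optional[str]  # null for global admins
    support_access_allowed_until: Optional[datetime] = None  # set by the org admin (assumed)
    deleted_at: Optional[datetime] = None


@dataclass
class Session:
    user_id: str
    user_type: str
    touched_org_id: Optional[str]   # tenant the session is currently reading (assumed field)


def support_access_open(grant: Optional[User], now: datetime) -> bool:
    """True while an org admin's time-bounded support grant has not yet passed."""
    if grant is None or grant.user_type != "org_admin":
        return False
    until = grant.support_access_allowed_until
    return until is not None and now < until


def can_access_org_data(actor: User, org_id: str, grant: Optional[User], now: datetime) -> bool:
    """tenant_isolation + global_admin_no_default_org_data for one read of org_id.
    grant is the org-admin record for org_id whose flag may open support access."""
    if actor.deleted_at is not None or actor.status == "deleted":
        return False                                # soft-deleted principals are hidden everywhere
    if actor.user_type == "global_admin":
        # No default access: only an unexpired grant for this exact tenant opens it.
        return grant is not None and grant.organization_id == org_id and support_access_open(grant, now)
    return actor.organization_id == org_id          # everyone else stays inside their own tenant


def eligible_for_assignment(user: User) -> bool:
    """paused_user_blocked_from_assignments: paused or deleted users get no new assignments."""
    return user.deleted_at is None and user.status not in ("paused", "deleted")


def sessions_to_invalidate(sessions: List[Session], grant: User, now: datetime) -> List[Session]:
    """support_access_expiry: once the grant passes, every global-admin session touching that org goes."""
    if support_access_open(grant, now):
        return []
    return [s for s in sessions
            if s.user_type == "global_admin" and s.touched_org_id == grant.organization_id]
```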

Storage Configuration

Storage Type: primary_table
Location: main_db
Partitioning: No Partitioning
Retention: Permanent Storage

Entity Relationships

organizations: incoming, one_to_many, optional