Part 3: Role Concept & Backend Access Control

Item	Content
Document Name	Part 3: Role Concept & Backend Access Control
Product Name	DTA Wide Sleep Management Platform
Date	2026-02-10
Scope	Part 3 (Backend)

1. Role Definitions

1.1 Application User Roles

Role	English Name	Permission Level	Key Permissions
Patient	Patient	Level 1	Own data CRUD, questionnaire responses, program execution

1.2 Infrastructure Operator Roles (GCP IAM)

Role	GCP IAM Role	Permission Scope
Infrastructure Administrator	Owner, Editor	All GCP resources
Developer	Viewer	Cloud SQL read/write, logs, deployment
DevOps	Cloud Run Admin	Cloud Run deployment, configuration
Security Team	Security Admin	IAM, Audit Logs, Security Center

2. Permission Matrix

2.1 Application Level

Resource	Patient
Own sleep logs	CRUD
Other users' sleep logs	-
Own questionnaire responses	CRUD
Other users' questionnaire responses	-
Consultation notes	R (own only)
User account	RU (own only)
System settings	-
Audit logs	-

Permission Codes:

C: Create
R: Read
U: Update
D: Delete

2.2 Infrastructure Level (GCP IAM)

GCP Resource	Infrastructure Admin	Developer	DevOps	Security Team
Cloud Run	CRUD	R	CRU	R
Cloud SQL	CRUD	R	R	R
Cloud Logging	CRUD	R	R	CRUD
Secret Manager	CRUD	-	R	CRUD
IAM & Admin	CRUD	R	R	CRUD
Cloud KMS	CRUD	-	-	CRUD

3. Role-Based Access Control (RBAC) Implementation

3.1 NestJS Guards

AppToken JWT Structure (Actual Implementation - app-token.guard.ts):

AppToken uses RS256 asymmetric signing with JWK (JSON Web Key) management approach.

Authentication/Authorization Separation Structure:

// AppToken Payload Structure
interface AppTokenPayload {
  appId: string;       // App identifier
  deviceId: string;    // Device identifier
  jti: string;         // JWT ID (unique identifier)
  env: string;         // Environment (dev/stage/prod)
  exp: number;         // Expiration time
  iat: number;         // Issued time
}

Authentication Guard Chain (Actual Implementation):

Guard	File Path	Role
AppTokenGuard	`guards/app-token.guard.ts`	AppToken JWT validation (RS256), expiration/revocation handling

Service Account Authentication:

Implemented in iam/controllers/
Used for inter-service communication

Controller Usage Example:

@Controller('sleep')
@UseGuards(AppTokenGuard)
export class SleepController {
  @Get('/logs')
  async getSleepLogs(@CurrentUser() user: TokenPayload) {
    // AppToken + UserToken dual authentication then access
  }
}

3.2 Data-Level Filtering

Own Data Access Only (Patient):

// Query Handler
async execute(query: GetSleepLogsQuery): Promise<SleepLogDto[]> {
  const { userId, requesterId, requesterRoles } = query;

  // Patient can access own data only
  if (requesterRoles.includes('patient') && userId !== requesterId) {
    throw new ForbiddenException('Cannot access other user data');
  }

  return this.repository.findByUserId(userId);
}

5. Access Approval and Review Cycle

5.1 Periodic Access Review

Frequency	Target	Reviewer	Action
Monthly	All GCP IAM roles	Security team	Remove unnecessary permissions
Quarterly	Application Admin roles	CTO	Role reassignment
Annually	Complete access control policy	Security + Compliance team	Policy update

5.2 Permission Revocation

Condition	Revocation Timing	Responsible
Employee departure	Immediately	Operations, Development team
Role change	Immediately	User involved
Suspicious activity	Immediately	Security team, user involved

6. Audit Log Event Definitions

6.1 Required Audit Events

Event	Log Level	Log Information	Retention Period
Administrator login	WARNING	adminId, IP, timestamp, MFA presence	1 year
Role change	ERROR	targetUserId, changer, old role, new role	1 year
Direct DB access	ERROR	adminId, DB name, query (params masked)	1 year
User account deletion	ERROR	adminId, target userId, reason	1 year
Sensitive data bulk export	ERROR	adminId, record count, data type	1 year
Permission denied (403)	WARNING	userId, request path, required permission	90 days
System settings change	ERROR	adminId, setting key, old value, new value	1 year

6.2 Audit Log Example

{
  "timestamp": "2026-02-10T15:30:00.000Z",
  "severity": "ERROR",
  "service": "dta-wide-api",
  "module": "admin",
  "event_type": "user_deleted",
  "adminId": "admin-uuid-123",
  "admin_email": "adm***@dta-wide.com",
  "target_user_id": "user-uuid-456",
  "reason": "GDPR deletion request",
  "ip_address": "192.168.1.***",
  "user_agent": "Mozilla/5.0...",
  "approval_ticket": "JIRA-1234",
  "message": "[AUDIT] Admin deleted user account"
}

8. Separation of Duties

8.1 Duty Separation Matrix

Duty A	Duty B	Separation Required	Reason
Code development	Production deployment	✅	Prevent malicious code deployment
DB schema change	DB data modification	⚠️	Control via approval process
IAM role creation	IAM role assignment	✅	Prevent privilege escalation
Backup creation	Backup restoration	✅	Prevent data tampering
Audit log configuration	Audit log deletion	✅	Prevent evidence destruction

8.2 Four-Eyes Principle

Application Targets:

Production DB schema changes
Production deployment (except emergency hotfixes)
IAM role changes
Security policy modifications

Implementation:

Pull Request requires 1 approval (excludes author)
Jira ticket issue linking
GCP IAM: conditional roles (time limit + approver confirmation)

9. TODO: Anomalous Activity Detection and Response

9.1 Detection Patterns

Pattern	Detection Condition	Alert	Auto Action
Bulk data retrieval	100+ records within 1 minute	Security team (immediate)	Session invalidation
Abnormal access time	Admin login 00:00~06:00	Operations	MFA reconfirmation required
Multiple failed attempts	5 consecutive login failures	Security team	Account temporary lock (30 min)
Abnormal geographic access	Login from non-EU region	Security team	Account verification request
Privilege escalation attempt	Role change API call (no permission)	Security + CTO	Account immediate lock

9.2 Response Procedure

Evidence and References (Artifacts)

Permission Matrix (Section 2 of this document)
AppTokenGuard Implementation Code - guards/app-token.guard.ts
FlexibleAuthGuard Implementation Code - guards/flexible-auth.guard.ts
GCP IAM Role Definitions - artifacts/iam-roles.json
Approval Process Diagram (Section 4.2 of this document)
Audit Log Sample - logs/admin-audit-log-sample.json
Periodic Review Records - reports/iam-review-2025-q4.pdf
Anomalous Activity Detection Rules - artifacts/anomaly-detection-rules.json
Access Approval Jira Ticket Sample - artifacts/jira-approval-sample.pdf
Administrator Access Logs (30 days) - logs/admin-access-30days.log

Regulation	Requirement	Implementation	Evidence
BSI TR-03161 Part 3	Role-based access control	RBAC, Roles Guard	Permission Matrix (Section 2)
BSI TR-03161 Part 3	Administrator action audit	Audit logs, approval process	Audit log sample (Section 6)
GDPR Article 32	Appropriate access control	RBAC, least privilege, audit	This entire document
ISO 27001 A.9	Access control	RBAC, periodic review	Review procedure (Section 5)

1. Role Definitions​

1.1 Application User Roles​

1.2 Infrastructure Operator Roles (GCP IAM)​

2. Permission Matrix​

2.1 Application Level​

2.2 Infrastructure Level (GCP IAM)​

3. Role-Based Access Control (RBAC) Implementation​

3.1 NestJS Guards​

3.2 Data-Level Filtering​

5. Access Approval and Review Cycle​

5.1 Periodic Access Review​

5.2 Permission Revocation​

6. Audit Log Event Definitions​

6.1 Required Audit Events​

6.2 Audit Log Example​

8. Separation of Duties​

8.1 Duty Separation Matrix​

8.2 Four-Eyes Principle​

9. TODO: Anomalous Activity Detection and Response​

9.1 Detection Patterns​

9.2 Response Procedure​

Evidence and References (Artifacts)​