Authentication & Authorization

The Logistics module seamlessly integrates with the existing ERP authentication and authorization system, providing unified access control across all ERP modules with Single Sign-On (SSO) and Role-Based Access Control (RBAC).

Single Sign-On (SSO) Implementation

The module leverages the ERP's existing authentication infrastructure to provide a seamless user experience across all modules.

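import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class LogisticsSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Validate ERP-issued JWTs as an OAuth2 resource server.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .jwtAuthenticationConverter(erpJwtAuthenticationConverter())
                )
            )
            .authorizeHttpRequests(authz -> authz
                // Unauthenticated endpoints: everything under this prefix is public.
                .requestMatchers("/api/v1/logistics/public/**").permitAll()
                // hasRole/hasAnyRole match authorities named ROLE_<name>, so the
                // converter below must emit authorities in that form.
                .requestMatchers("/api/v1/logistics/equipment/**")
                    .hasAnyRole("EQUIPMENT_MANAGER", "PROJECT_LEADER", "OPERATIONS")
                .requestMatchers("/api/v1/logistics/admin/**")
                    .hasRole("LOGISTICS_ADMIN")
                // Default: any other request needs a valid token.
                .anyRequest().authenticated()
            );
        return http.build();
    }

    // Uses the project's ERPJwtGrantedAuthoritiesConverter (not shown on this page)
    // to turn the token's claims into Spring Security authorities.
    @Bean
    public JwtAuthenticationConverter erpJwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(
            new ERPJwtGrantedAuthoritiesConverter()
        );
        return converter;
    }
}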

Role-Based Access Control (RBAC)

The system uses ERP's existing role hierarchy with logistics-specific permissions and multi-level approval workflows.

ERP User Context

interface ERPUserContext {
  // Basic User Information
  userId: string;                  // ERP User ID
  username: string;                // Username
  email: string;                   // Email address
  fullName: string;                // Full name
  employeeId?: string;             // Employee ID
  
  // Organizational Information
  departmentId: string;            // Department ID
  departmentName: string;          // Department name
  costCenter?: string;             // Cost center
  location: string;                // User location
  country: Country;                // Operating country
  
  // Role Information
  roles: ERPRole[];                // Array of assigned roles
  permissions: string[];           // Flattened permissions list
  
  // Project Access
  projectAccess: ProjectAccess[];  // Projects user can access
  
  // Logistics-Specific Permissions
  logisticsPermissions: {
    canViewEquipment: boolean;
    canEditEquipment: boolean;
    canApproveRequests: boolean;
    canViewReports: boolean;
    canManageSubcontractors: boolean;
    approvalLevels: ('PL' | 'PMO' | 'Operations' | 'BOD')[];
    maxApprovalAmount?: number;    // Maximum amount user can approve
  };
  
  // Session Information
  sessionId: string;               // Session identifier
  loginTime: Date;                 // Login timestamp
  lastActivity: Date;              // Last activity timestamp
  tokenExpiry: Date;               // Token expiry time
}

Logistics Module Permissions Matrix

Comprehensive permissions mapping for all roles within the logistics module.

Role View Equipment Edit Equipment Approve Requests Manage Subcontractors View Reports Admin Functions
Project Leader (PL) Own projects Level 1 Own projects
Project Manager (PM) Own projects Level 1 Own projects
PMO Manager Level 2
Operations Manager Level 3
Board of Directors Level 4
Construction Manager Limited
Equipment Manager
Logistics Admin All Levels

Multi-Level Approval Workflow

Equipment requests and extensions follow a structured approval process based on user roles and request values.

Level 1: Project Leader (PL)

Initial project-level approval

  • Validates project requirements
  • Confirms equipment necessity
  • Approves basic equipment requests
  • Maximum approval: Basic requests < $10,000

Level 2: PMO Manager

Budget and resource allocation approval

  • Reviews budget impact
  • Validates resource allocation
  • Approves medium-value requests
  • Maximum approval: $10,000 - $50,000

Level 3: Operations Manager

Operational feasibility and logistics approval

  • Confirms operational feasibility
  • Validates logistics requirements
  • Approves high-value requests
  • Maximum approval: $50,000 - $100,000

Level 4: Board of Directors (BOD)

Final approval for high-value requests

  • Strategic decision making
  • Risk assessment
  • Final approval for major investments
  • Approval required: > $100,000
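
The routing rule described by the four levels above, written as a server-side check. This is an added example, not code from the ERP or the Logistics module. It assumes each amount is routed to exactly one level, that an amount on the shared $50,000 boundary goes to the lower level, and that `ApprovalPermissions`, `LEVEL_LIMITS`, `requiredApprovalLevel`, `canApprove` and the sample users are hypothetical names built on the `logisticsPermissions` fields of `ERPUserContext`.

```typescript
type ApprovalLevel = 'PL' | 'PMO' | 'Operations' | 'BOD';

// Subset of ERPUserContext.logisticsPermissions that the decision needs.
interface ApprovalPermissions {
  canApproveRequests: boolean;
  approvalLevels: ApprovalLevel[];
  maxApprovalAmount?: number;
}

// Upper bound in USD per level, lowest level first. Assumption: an amount on the
// shared $50,000 boundary goes to the lower level (PMO). $100,000 stays with
// Operations because the page gives BOD as "> $100,000".
const LEVEL_LIMITS: { level: ApprovalLevel; max: number; inclusive: boolean }[] = [
  { level: 'PL', max: 10000, inclusive: false },
  { level: 'PMO', max: 50000, inclusive: true },
  { level: 'Operations', max: 100000, inclusive: true },
  { level: 'BOD', max: Infinity, inclusive: true },
];

// Level that must sign off, or null when the amount is not a positive finite
// number (NaN, Infinity, zero, negative) so that callers fail closed.
function requiredApprovalLevel(amount: number): ApprovalLevel | null {
  if (!isFinite(amount) || amount <= 0) return null;
  for (const { level, max, inclusive } of LEVEL_LIMITS) {
    if (inclusive ? amount <= max : amount < max) return level;
  }
  return null;
}

// Server-side decision: deny unless every condition holds.
function canApprove(perms: ApprovalPermissions, amount: number): boolean {
  const level = requiredApprovalLevel(amount);
  if (level === null || !perms.canApproveRequests) return false;
  if (perms.approvalLevels.indexOf(level) === -1) return false;
  // A per-user cap, when set, narrows the level's range further.
  const cap = perms.maxApprovalAmount;
  return cap === undefined || amount <= cap;
}

// Constructed sample users (not from the page).
const sampleProjectLeader: ApprovalPermissions = {
  canApproveRequests: true, approvalLevels: ['PL'], maxApprovalAmount: 9999,
};
const sampleOpsManager: ApprovalPermissions = {
  canApproveRequests: true, approvalLevels: ['Operations'],
};
```

The amount passed to `canApprove` should be the value stored with the request on the server, not a figure resubmitted by the approving client.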

API Authentication Headers

All API requests must include the following ERP authentication headers:

Authorization: Bearer <JWT_TOKEN>
X-ERP-User-Id: <USER_ID>
X-ERP-Session-Id: <SESSION_ID>
X-Client-Version: <CLIENT_VERSION>

Authorization

JWT Bearer token issued by the ERP authentication service. Contains user identity and permissions.

X-ERP-User-Id

Unique user identifier within the ERP system for audit and tracking purposes.

X-ERP-Session-Id

Session identifier to track user activities and maintain session state.

X-Client-Version

Client application version for compatibility and feature management.
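
Only the `Authorization` token is signed; `X-ERP-User-Id` and `X-ERP-Session-Id` are plain client-supplied values, so a server should confirm they agree with the verified token before using them for audit or session tracking. The check below is an added example, not code from the ERP: the claim names `sub`, `sid` and `exp`, the helper names, and the choice of `AUTHENTICATION_REQUIRED` for a mismatch are assumptions, while the two error codes are the ones listed under Authentication Error Responses.

```typescript
// Claims from a token whose signature has already been verified.
// Assumed claim names: sub = user id, sid = session id, exp = expiry (epoch seconds).
interface VerifiedClaims { sub: string; sid: string; exp: number }

type DenyCode = 'AUTHENTICATION_REQUIRED' | 'TOKEN_EXPIRED';
type HeaderCheck =
  | { ok: true; userId: string; sessionId: string }
  | { ok: false; status: 401; code: DenyCode; reason: string };

// HTTP header names are case-insensitive, so compare lowercased keys.
function getHeader(headers: Record<string, string>, wanted: string): string | undefined {
  const target = wanted.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === target) return (headers[key] || '').trim();
  }
  return undefined;
}

function checkErpHeaders(
  headers: Record<string, string>, claims: VerifiedClaims, nowMs: number
): HeaderCheck {
  const deny = (code: DenyCode, reason: string): HeaderCheck =>
    ({ ok: false, status: 401, code, reason });

  if (claims.exp * 1000 <= nowMs) return deny('TOKEN_EXPIRED', 'token past exp');
  const userId = getHeader(headers, 'X-ERP-User-Id');
  const sessionId = getHeader(headers, 'X-ERP-Session-Id');
  if (!userId || !sessionId) return deny('AUTHENTICATION_REQUIRED', 'missing ERP header');
  // The headers are unsigned: reject any value that disagrees with the token.
  if (userId !== claims.sub) return deny('AUTHENTICATION_REQUIRED', 'user id header != token');
  if (sessionId !== claims.sid) return deny('AUTHENTICATION_REQUIRED', 'session id header != token');
  // Downstream code receives identity from the claims, never from the headers.
  return { ok: true, userId: claims.sub, sessionId: claims.sid };
}

// Constructed sample request data (not from the page).
const sampleClaims: VerifiedClaims = { sub: 'u-1001', sid: 's-77', exp: 1750000000 };
const sampleHeaders: Record<string, string> = {
  'x-erp-user-id': 'u-1001',
  'X-ERP-Session-Id': 's-77',
};
```

The `reason` string is meant for the audit log; the response body sent to the client should carry only the error code and message.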

Security Features

JWT Token Security

Secure JWT tokens with expiration, refresh mechanisms, and digital signatures.

Role-Based Access

Fine-grained permissions based on user roles and organizational hierarchy.

Audit Logging

Comprehensive audit trail for all user actions and system changes.

Session Management

Automatic session timeout and concurrent session control.

Multi-Country Support

Country-specific access controls for Libya, Tunisia, and Iraq operations.

Project-Based Access

Granular access control based on project assignments and responsibilities.

Authentication Error Responses

Unauthorized Access

{
  "success": false,
  "error": {
    "code": "AUTHENTICATION_REQUIRED",
    "message": "Valid authentication token required",
    "details": {
      "errorType": "UNAUTHORIZED",
      "loginUrl": "/auth/login"
    }
  },
  "timestamp": "2025-06-23T10:30:00Z"
}

Insufficient Permissions

{
  "success": false,
  "error": {
    "code": "INSUFFICIENT_PERMISSIONS",
    "message": "User does not have required permissions",
    "details": {
      "errorType": "FORBIDDEN",
      "requiredRole": "EQUIPMENT_MANAGER",
      "userRoles": ["PROJECT_LEADER"],
      "requiredPermission": "EDIT_EQUIPMENT"
    }
  },
  "timestamp": "2025-06-23T10:30:00Z"
}

Token Expired

{
  "success": false,
  "error": {
    "code": "TOKEN_EXPIRED",
    "message": "Authentication token has expired",
    "details": {
      "errorType": "TOKEN_EXPIRED",
      "expiredAt": "2025-06-23T09:30:00Z",
      "refreshUrl": "/auth/refresh",
      "loginUrl": "/auth/login"
    }
  },
  "timestamp": "2025-06-23T10:30:00Z"
}

ERP Integration Points

User Management

Seamless integration with the ERP user management system for user creation, modification, and deactivation.

Role Management

Leverages ERP's role hierarchy and permission system with logistics-specific extensions.

Authentication Service

Uses ERP's centralized authentication service for a consistent login experience.

Audit System

Integrates with ERP's audit and logging system for comprehensive activity tracking.

Notification Service

Utilizes ERP's notification system for approval workflows and alerts.

Reporting Integration

Connects with ERP's reporting framework for unified access control reporting.