Identity Model

Users, sessions, roles, and membership invalidation in one model.

Core entities

  • Lamba User: the global identity actor. This is the person-level identity across projects and sign-in methods.
  • Workspace: the billing, governance, and console boundary.
  • Project: the runtime product boundary inside a Workspace.
  • Team Member: a user with Workspace console access through Workspace roles and optional Project console roles.
  • Project Member: a user with runtime product access to a Project through Project roles.
  • Session: authenticated device or browser state, with optional Project-scoped runtime access.

The same user may be both a Team Member and a Project Member, but neither membership implies the other.

Session model

A user may have a global identity session plus Project-scoped runtime access. Runtime revocation is scoped to the Project: applicationId is recorded in scope records for audit only and must not be treated as the revoke boundary.

Revoked runtime scopes must not auto-heal from the current global session. The user should explicitly re-enter Project context to receive a new runtime scope.

Role model

Workspace roles control console access. Project console roles control console access inside a selected Project. Project roles control runtime product access.

Role layer            Actor           Controls
Workspace role        Team Member     Workspace-wide console capabilities
Project console role  Team Member     Console capabilities inside a Project
Project role          Project Member  Runtime product permissions

Do not use one layer as a fallback for another. Token claims should carry only the context needed to resolve runtime access, and access decisions should be made server-side per request.

Invalidation triggers

  • Membership role changed
  • Membership removed
  • Security posture change, such as forced logout
  • Workspace or project deactivated
  • Login method or provider setting changed
  • Social provider linked or unlinked
  • Project scope revoked
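
As an added illustration (not Lamba's own code) of the session model, role model and invalidation rules above: runtime scopes are revoked per Project rather than per applicationId, a revoked scope is not re-created from the still-valid global session, and each request re-resolves Project roles server-side. The membership table, session fields and function names are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed sample membership table: (user_id, project_id) -> Project roles.
PROJECT_MEMBERS = {("u1", "proj-a"): {"reader"}}


@dataclass
class RuntimeScope:
    project_id: str
    application_id: str  # audit-only: recorded, never used as the revoke boundary
    revoked: bool = False


@dataclass
class Session:
    user_id: str
    global_valid: bool = True                   # the global identity session
    scopes: list = field(default_factory=list)  # Project-scoped runtime scopes


def enter_project(session, project_id, application_id):
    """Explicit Project entry: the only path that mints a new runtime scope.
    Returns the scope, or None if the user is not a Project Member."""
    if not session.global_valid or (session.user_id, project_id) not in PROJECT_MEMBERS:
        return None
    scope = RuntimeScope(project_id, application_id)
    session.scopes.append(scope)
    return scope


def revoke_project_scopes(session, project_id):
    """Revoke at Project granularity: every live scope for the Project is revoked,
    whatever its applicationId. Returns the number of scopes revoked."""
    hit = [s for s in session.scopes if s.project_id == project_id and not s.revoked]
    for s in hit:
        s.revoked = True
    return len(hit)


def resolve_runtime_roles(session, project_id):
    """Server-side decision made per request. Returns the Project roles, or None
    when there is no live scope. A valid global session on its own is never
    enough: a revoked scope does not auto-heal, the user must enter_project again.
    Membership is re-read on every call, so a removed member loses access at once."""
    if not session.global_valid:
        return None
    if not any(s.project_id == project_id and not s.revoked for s in session.scopes):
        return None
    return PROJECT_MEMBERS.get((session.user_id, project_id))
```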

Audit implications

Identity lifecycle events should be logged with actor, Workspace, Project, environment, and session context when available.

Growth implications

Campaign, loyalty, notification, and analytics workflows should reference the same Lamba User and Project membership context. They should not create a parallel account graph that cannot explain auth, access, or audit decisions.

  • Workspaces and projects: /docs/concepts/tenant-project
  • Scoped sessions: /docs/concepts/scoped-sessions
  • Member lifecycle: /docs/concepts/member-lifecycle
  • OAuth/OIDC security: /docs/reference/oauth-oidc-security
  • Incident communication: /docs/reference/incident-comms