BRD PER PERSONA
Module: M-AUTH-01 - Login & Authentication (OrangeHRM)
Generated: 2026-06-04 16:46:24
Input: 00-context.md
Pipeline step: 02
Upstream Issues
| Issue ID | Source | Description | Handling |
|---|---|---|---|
| UI-001 | 01-module-map | Module Map added F-AUTH-014 Session timeout although the source feature list in context ended at F-AUTH-013. | Kept F-AUTH-014 because 01 declared it and the current prompt requires session timeout coverage. |
| UI-002 | 01-module-map | Module Map references BR-AUTH-015 and BR-AUTH-016, but these IDs are not in the original context Business Rules. | Referenced only where needed for session/logout and marked as an upstream issue. |
| UI-003 | Current prompt vs _global-rules.md | Current prompt example says validation HTTP 422, but the R5 catalog has no 422 and global rules win. | Used BAD_REQUEST HTTP 400 for malformed or missing fields per R5. |
================================================================
BUSINESS REQUIREMENTS DOCUMENT
Document ID : BRD-PER-01-M-AUTH-01
Module : M-AUTH-01 - Login & Authentication
Persona : Anonymous User
Version : 1.0
Status : DRAFT
Author : GPT-generated BA
Created Date : 2026-06-04
Last Updated : 2026-06-04
Reviewed By : [TBC - PO]
Approved By : [TBC - PO]
SECTION 1: Executive Summary
1.1 Document Purpose
This BRD describes the requirements for the Anonymous User when opening the OrangeHRM login page, entering credentials, handling errors, recovering a forgotten password, passing captcha, dealing with a locked account, and completing the OTP challenge after a valid password.
1.2 Scope
| Aspect | Description |
|---|---|
| In-Scope | F-AUTH-001, F-AUTH-002, F-AUTH-003, F-AUTH-004, F-AUTH-005, F-AUTH-006, F-AUTH-007, F-AUTH-008, F-AUTH-009, F-AUTH-011 |
| Out-of-Scope | User account creation, role creation, SSO, biometric login |
| Assumptions | D-01: username is the login identifier; D-11: demo credentials are for training only |
1.3 Target Audience
| Audience | Purpose |
|---|---|
| Product Owner | Approve login and recovery requirements |
| Development Team | Implementation reference |
| QA Team | Test case design |
| UX Team | UI/UX design reference |
SECTION 2: Stakeholder Analysis
2.1 Primary Stakeholder
| Attribute | Description |
|---|---|
| Persona ID | PER-01 |
| Name | Anonymous User |
| Role | User who has not yet logged in |
| Department | HRM users across the organization |
| Primary Goals | Log in, recover password, complete OTP if required |
| Pain Points | Wrong credentials, forgotten password, captcha, account locked |
| Success Metrics | Login success for active users >= 98 percent; forgot password completion >= 85 percent |
2.2 Secondary Stakeholders
| Stakeholder | Role | Interest Level | Influence Level |
|---|---|---|---|
| System | Validates credentials and creates the session | High | High |
| HR Admin | Supports account unlock | Medium | Medium |
| Security Lead | Confirms lockout, captcha and 2FA policy | High | High |
| Instructor | Confirms demo training data | Medium | Medium |
2.3 RACI Matrix
| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Define requirements | BA | PO | Security Lead | Team |
| Approve requirements | PO | PO | BA | Team |
| Implement | Dev Team | Tech Lead | BA | PO |
| Test | QA Team | QA Lead | BA | PO |
SECTION 3: Business Objectives & KPIs
3.1 Business Objectives
| Objective ID | Objective | Alignment | Priority |
|---|---|---|---|
| OBJ-001 | Allow valid users to access OrangeHRM securely | OBJ-01 | Must |
| OBJ-002 | Prevent unauthorized access to HR data | OBJ-02 | Must |
| OBJ-003 | Reduce dependence on admins when users forget their password | OBJ-03 | Should |
3.2 KPIs
| KPI ID | KPI Name | Current | Target | Measurement Method |
|---|---|---|---|---|
| KPI-001 | Active user login success rate | [TBC - PO] | >= 98 percent | LoginAttempt success ratio |
| KPI-002 | Forgot password completion rate | [TBC - PO] | >= 85 percent | PasswordResetToken completed ratio |
| KPI-003 | Unauthorized successful logins | [TBC - Security Lead] | 0 incidents | Security audit |
3.3 Success Criteria
| Criteria ID | Description | Measurement | Target |
|---|---|---|---|
| SC-001 | User can open the login page and submit credentials | Functional test | 100 percent of Must ACs pass |
| SC-002 | Invalid credential response does not reveal whether the username or the password was wrong | Security review | D-02 complied |
| SC-003 | Recovery flow sends a reset link or shows account not found per the training rule | QA test | D-07 complied |
SECTION 4: Functional Requirements
4.1 Requirements Overview
| Req ID | Requirement | Feature ID | Priority | Complexity |
|---|---|---|---|---|
| REQ-AUTH-001 | Display login page | F-AUTH-001 | Must | Low |
| REQ-AUTH-002 | Allow entry of username and password | F-AUTH-002 | Must | Low |
| REQ-AUTH-003 | Validate credentials and account state | F-AUTH-003 | Must | Medium |
| REQ-AUTH-004 | Support demo login | F-AUTH-004 | Must | Low |
| REQ-AUTH-005 | Display invalid credential message | F-AUTH-005 | Must | Low |
| REQ-AUTH-006 | Navigate to forgot password | F-AUTH-006 | Should | Low |
| REQ-AUTH-007 | Reset password via email | F-AUTH-007 | Should | Medium |
| REQ-AUTH-008 | Handle lockout and captcha | F-AUTH-008/F-AUTH-009 | Should | Medium |
| REQ-AUTH-009 | Require OTP after valid password | F-AUTH-011 | Could | High |
4.2 Detailed Requirements
| Req ID | Name | Description | Related Feature | Source | Rationale |
|---|---|---|---|---|---|
| REQ-AUTH-001 | Login page | System displays logo, username, password, login button and forgot password link | F-AUTH-001 | 00-context.md | Mandatory entry point for the Anonymous User |
| REQ-AUTH-003 | Credential validation | System validates required fields, case-insensitive username, password hash, account status and lockout | F-AUTH-003 | 01-module-map | Protects HRM access |
| REQ-AUTH-007 | Password recovery | User submits email; system creates a reset token and sends the email if the account exists | F-AUTH-007 | 00-context.md | Reduces admin dependence |
| REQ-AUTH-009 | OTP verification | After a valid password, the system requires an OTP for all users per D-08 | F-AUTH-011 | Decision Registry | Strengthens login security |
Functional Details
| Item | Description |
|---|---|
| Input | username, password, email, captcha, otp_code, new_password, confirm_password |
| Processing | Validate format, normalize username, check password hash, failed count, captcha, lockout, OTP |
| Output | Redirect, error message, reset email sent, account not found, OTP required |
| Validation | Required fields use BAD_REQUEST 400; invalid credentials use INVALID_CREDENTIALS 401; captcha uses CAPTCHA_REQUIRED 429 |
Dependencies
| Dependency | Type | Description |
|---|---|---|
| Email Notification | Hard | Sends the password reset email |
| Security Configuration | Hard | Lockout, captcha, password expiry, 2FA policy |
| Captcha Service | Soft | Required only when captcha is enabled |
| Authenticator App | Hard | Required for F-AUTH-011 |
SECTION 5: Business Process Flows
5.1 Process Overview
| Process ID | Process Name | Trigger | End State | Actor |
|---|---|---|---|---|
| PROC-AUTH-001 | Login | User submits credentials | Authenticated, OTP Required, Login Failed, Account Locked | PER-01 |
| PROC-AUTH-002 | Forgot password | User submits recovery email | Reset requested or account not found | PER-01 |
| PROC-AUTH-003 | OTP verification | Password valid and 2FA required | Authenticated or OTP failed | PER-01 |
5.2 Process Details
PROC-AUTH-001: Login
| Step | Actor | Action | System Response | Business Rule | Next Step | Alternative |
|---|---|---|---|---|---|---|
| 1 | PER-01 | Open login URL | Display login page | BR-AUTH-001/BR-AUTH-002 | 2 | N/A |
| 2 | PER-01 | Enter username and password | Validate required fields | BR-AUTH-001/BR-AUTH-002 | 3 | 2a |
| 2a | System | Detect missing field | Show Required, BAD_REQUEST 400 | BR-AUTH-001/BR-AUTH-002 | 2 | N/A |
| 3 | PER-01 | Submit login | Validate credentials | BR-AUTH-003/BR-AUTH-004/BR-AUTH-005 | 4 | 3a |
| 3a | System | Credentials invalid | Show Invalid credentials, INVALID_CREDENTIALS 401 | BR-AUTH-005 | 2 | N/A |
| 4 | System | Check lockout, disabled, terminated | Allow or deny login | BR-AUTH-008/BR-AUTH-010 | 5 | 4a |
| 4a | System | Account locked | Show Account locked, ACCOUNT_LOCKED 423 | BR-AUTH-008 | End | N/A |
| 5 | System | Check 2FA setting | Show OTP screen if required | BR-AUTH-013 | PROC-AUTH-003 | 6 |
| 6 | System | Create session and redirect | User enters role landing flow | BR-AUTH-014 | End | N/A |
Text diagram:
[Start] -> [Open Login] -> [Enter Credential] -> [Validate]
-> [Invalid: show Invalid credentials]
-> [Locked: show Account locked]
-> [2FA: show OTP]
-> [Success: create session and redirect]
Exception Flows
| Exception | Trigger | Handling | Recovery |
|---|---|---|---|
| EX-AUTH-001 | Missing username/password | BAD_REQUEST 400 and required field error | User corrects input |
| EX-AUTH-002 | Wrong credentials | INVALID_CREDENTIALS 401 and generic message | User retries |
| EX-AUTH-003 | Captcha required | CAPTCHA_REQUIRED 429 and captcha field | User completes captcha |
| EX-AUTH-004 | Dependency unavailable | DEPENDENCY_UNAVAILABLE 503 | Retry or contact admin |
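The decision logic of PROC-AUTH-001 and its exception flows, as an added Python example; this is not OrangeHRM code and not part of the BRD. It applies BR-AUTH-001/002, BR-AUTH-004, BR-AUTH-005, BR-AUTH-008 and BR-AUTH-009 with the R5 codes used above. One ordering point a practitioner would want: the lockout check runs before the password is verified, so ACCOUNT_LOCKED 423 is returned whether or not the submitted password is correct and cannot be used as a password oracle; disabled and terminated accounts fall through to the same generic INVALID_CREDENTIALS 401 as a wrong password, per D-12. Assumptions not stated on the page: a captcha threshold of 3 failed attempts (D-04 gives no number here), PBKDF2 as the password hash, a constructed clock for deterministic tests, and an `OTP_REQUIRED` result with `next="otp"` for the "OTP required" output, for which the page gives no HTTP code.

```python
"""Login decision for PROC-AUTH-001 (added example, not OrangeHRM code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

LOCKOUT_THRESHOLD = 5      # BR-AUTH-008: 5 failed attempts
LOCKOUT_MINUTES = 30       # BR-AUTH-008: lock for 30 minutes
CAPTCHA_THRESHOLD = 3      # assumption: the D-04 threshold value is not stated on the page
PBKDF2_ROUNDS = 200_000    # assumption: hash parameters are not stated on the page
T0 = datetime(2026, 6, 4, 9, 0, tzinfo=timezone.utc)   # constructed clock for deterministic tests


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return salt$digest; only this value is ever stored (NFR-SEC-001)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


@dataclass
class UserAccount:
    username: str
    password_hash: str
    status: str = "Enabled"                # Enabled | Disabled | Terminated
    failed_login_count: int = 0
    locked_until: Optional[datetime] = None
    exempt_from_lockout: bool = False      # BR-AUTH-008 EXCEPT Global Admin


@dataclass
class LoginResult:
    code: str
    http: int
    message: str
    next: str = "login"                    # login | otp | session


def login(users: Dict[str, UserAccount], username: str, password: str,
          captcha_ok: bool = False, two_factor_required: bool = False,
          now: Optional[datetime] = None) -> LoginResult:
    now = now or datetime.now(timezone.utc)
    # BR-AUTH-001/002: missing field -> BAD_REQUEST 400 (the R5 catalog has no 422)
    if not username.strip() or not password:
        return LoginResult("BAD_REQUEST", 400, "Required")
    generic = LoginResult("INVALID_CREDENTIALS", 401, "Invalid credentials")
    # BR-AUTH-004: case-insensitive lookup; an unknown user gets the same generic answer (D-02)
    user = users.get(username.strip().lower())
    if user is None:
        return generic
    # BR-AUTH-008: lockout is checked before the password, so 423 is not a password oracle
    if user.locked_until is not None and user.locked_until > now:
        return LoginResult("ACCOUNT_LOCKED", 423, "Account locked")
    # BR-AUTH-009: captcha gate once the failure counter reaches the threshold
    if user.failed_login_count >= CAPTCHA_THRESHOLD and not captcha_ok:
        return LoginResult("CAPTCHA_REQUIRED", 429, "Captcha required")
    # BR-AUTH-005 + D-12: wrong password, Disabled and Terminated all look identical to the caller
    if user.status != "Enabled" or not verify_password(password, user.password_hash):
        user.failed_login_count += 1
        if user.failed_login_count >= LOCKOUT_THRESHOLD and not user.exempt_from_lockout:
            user.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            user.failed_login_count = 0    # the counter restarts after the lock window
            return LoginResult("ACCOUNT_LOCKED", 423, "Account locked")
        return generic
    # success: clear the counter, then the OTP challenge (BR-AUTH-013) or a session (BR-AUTH-014)
    user.failed_login_count = 0
    user.locked_until = None
    if two_factor_required:
        # assumption: the page lists "OTP required" as an output but gives it no HTTP code
        return LoginResult("OTP_REQUIRED", 200, "OTP code is required", next="otp")
    return LoginResult("AUTHENTICATED", 200, "Authenticated", next="session")


def demo_users() -> Dict[str, UserAccount]:
    """Constructed sample accounts: the D-11 demo credential plus a disabled account."""
    return {
        "admin": UserAccount("admin", hash_password("admin123")),
        "disabled.user": UserAccount("disabled.user", hash_password("Correct-Horse-1"), status="Disabled"),
    }
```

Because the generic 401 is returned for unknown users, wrong passwords and disabled accounts alike, the only response that confirms an account exists is the 423 required by step 4a; that disclosure is the page's own requirement and is worth flagging to the Security Lead together with the lockout threshold.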
SECTION 6: Use Case Summary
6.1 Use Case List
| UC ID | Use Case Name | Primary Actor | Priority | Complexity |
|---|---|---|---|---|
| UC-AUTH-001 | View login page | PER-01 | Must | S |
| UC-AUTH-002 | Submit valid credentials | PER-01 | Must | M |
| UC-AUTH-003 | Submit invalid credentials | PER-01 | Must | S |
| UC-AUTH-004 | Request password reset | PER-01 | Should | M |
| UC-AUTH-005 | Verify OTP | PER-01 | Could | L |
6.2 Use Case Details
| Attribute | Description |
|---|---|
| UC ID | UC-AUTH-002 |
| Name | Submit valid credentials |
| Primary Actor | PER-01 |
| Secondary Actors | System |
| Preconditions | Login page loaded; account enabled; not locked |
| Postconditions | User authenticated or OTP required |
| Trigger | User clicks Login |

| Step | Actor | Action | System Response |
|---|---|---|---|
| 1 | PER-01 | Enter username and password | System accepts input |
| 2 | PER-01 | Click Login | System validates credentials |
| 3 | System | Credentials valid | System creates OTP challenge or session |
| 4 | System | Role known | System redirects per BR-AUTH-014 |

| Alt ID | Condition | Steps |
|---|---|---|
| ALT-1 | Demo credential used | username admin and password admin123 accepted per D-11 |
| ALT-2 | Password expired | System returns PASSWORD_EXPIRED 401 and redirects to change password |

| Exc ID | Condition | Steps |
|---|---|---|
| EXC-1 | Account disabled or terminated | System denies login and displays Invalid credentials per D-12 |
| EXC-2 | Too many attempts | System returns ACCOUNT_LOCKED 423 or CAPTCHA_REQUIRED 429 |
SECTION 7: Business Rules
7.1 Business Rules List
| Rule ID | Rule Name | Category | Priority | Enforcement |
|---|---|---|---|---|
| BR-AUTH-001 | Username required | Validation | Must | System |
| BR-AUTH-002 | Password required | Validation | Must | System |
| BR-AUTH-003 | Demo credential | Validation | Must | System |
| BR-AUTH-004 | Username case-insensitive | Validation | Must | System |
| BR-AUTH-005 | Invalid credential handling | Security | Must | System |
| BR-AUTH-008 | Account lockout | Security | Should | System |
| BR-AUTH-009 | Captcha threshold | Security | Should | System |
| BR-AUTH-011 | Forgot password identifier | Workflow | Should | System |
| BR-AUTH-013 | 2FA mandatory | Security | Could | System |
7.2 Business Rules Details
| Rule ID | Condition | Action | Exception | Error Message | Related Requirements |
|---|---|---|---|---|---|
| BR-AUTH-001 | WHEN username empty | THEN show required error | EXCEPT none | Required | REQ-AUTH-002 |
| BR-AUTH-005 | WHEN username or password invalid | THEN deny login | EXCEPT none | Invalid credentials | REQ-AUTH-003 |
| BR-AUTH-008 | WHEN 5 failed attempts | THEN lock for 30 minutes | EXCEPT Global Admin | Account locked | REQ-AUTH-008 |
| BR-AUTH-013 | WHEN password valid | THEN require OTP | EXCEPT none | OTP code is required | REQ-AUTH-009 |

| Scenario | Input | Expected Result |
|---|---|---|
| Valid case | admin/admin123 | Login accepted in training per D-11 |
| Invalid case | admin/wrong | INVALID_CREDENTIALS 401 and generic message |
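The OTP challenge in BR-AUTH-013 and F-AUTH-011 depends on an authenticator app (DEP-003) and the TwoFactorAuthDevice.secret_key. The following Python is an added example of the server-side check, not OrangeHRM code and not part of this BRD: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what common authenticator apps generate. Assumptions not stated on the page: the secret is stored base32-encoded, one time step of clock skew is tolerated either way, and once a code is accepted the whole accepted window is consumed so a captured otp_code cannot be replayed. The test secret and expected codes are the RFC 6238 Appendix B vectors.

```python
"""Server-side TOTP check for the OTP challenge (added example, not OrangeHRM code)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30    # RFC 6238 default used by common authenticator apps
DIGITS = 6
DRIFT_STEPS = 1      # assumption: accept one step of clock skew either way

# RFC 6238 Appendix B test secret ("12345678901234567890" as ASCII), base32-encoded
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


class OtpVerifier:
    """Checks an otp_code against a TwoFactorAuthDevice secret and refuses replays."""

    def __init__(self, secret_key_b32: str):
        padded = secret_key_b32.upper() + "=" * (-len(secret_key_b32) % 8)
        self.secret = base64.b32decode(padded)
        self.last_counter_used: Optional[int] = None   # highest step already consumed

    def verify(self, otp_code: str, at_time: Optional[int] = None) -> bool:
        if len(otp_code) != DIGITS or not otp_code.isdigit():
            return False                                   # malformed input never reaches HMAC
        now = int(time.time()) if at_time is None else at_time
        current = now // STEP_SECONDS
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if self.last_counter_used is not None and counter <= self.last_counter_used:
                continue                                   # already consumed: no replay
            if hmac.compare_digest(hotp(self.secret, counter), otp_code):
                # burn the whole accepted window so the same code cannot be submitted again
                self.last_counter_used = current + DRIFT_STEPS
                return True
        return False
```

The verifier is deliberately stateful per device: last_counter_used has to be persisted next to secret_key, otherwise a restart re-enables replay within the drift window.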
SECTION 8: Data Requirements
8.1 Data Entities
| Entity | Description | Owner | Sensitivity |
|---|---|---|---|
| UserAccount | Login identity, password hash, account status | M-AUTH-01 | Confidential |
| LoginAttempt | Login success/failure audit | M-AUTH-01 | Confidential |
| PasswordResetToken | Reset token lifecycle | M-AUTH-01 | Confidential |
| TwoFactorAuthDevice | OTP device and secret | M-AUTH-01 | Confidential |
| AuthSession | Active web session | M-AUTH-01 | Confidential |
8.2 Data Dictionary
| Entity | Field | Type | Required | Unique | Default | Validation | Description |
|---|---|---|---|---|---|---|---|
| UserAccount | username | String(40) | Yes | Yes (global) | none | Required, max 40, case-insensitive lookup | Login identifier |
| UserAccount | password_hash | String(255) | Yes | No | none | Raw password never stored | Password hash |
| UserAccount | failed_login_count | Integer | Yes | No | 0 | >= 0 | Failed login counter |
| UserAccount | locked_until | DateTime | No | No | null | Future datetime or null | Lockout end time |
| LoginAttempt | result | Enum | Yes | No | Failed | Success, Failed, Locked | Attempt result |
| PasswordResetToken | token_hash | String(255) | Yes | Yes (global) | none | Hashed token only | Reset lookup |
| TwoFactorAuthDevice | secret_key | String(255) | Yes | No | generated | Confidential storage | OTP validation secret |
8.3 Data Relationships
| From Entity | To Entity | Relationship | Description |
|---|---|---|---|
| UserAccount | LoginAttempt | 1-N | A user can have many login attempts |
| UserAccount | AuthSession | 1-N | A user can have many sessions |
| UserAccount | PasswordResetToken | 1-N | A user can request many reset tokens |
| UserAccount | TwoFactorAuthDevice | 1-N | A user can have many OTP devices |
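PROC-AUTH-002 and REQ-AUTH-007 say the system creates a reset token and emails it if the account exists, and the data dictionary requires that only token_hash is stored. The service below is an added Python example, not OrangeHRM code: the raw token goes out by email and only its SHA-256 hash is kept, so a database read does not yield a usable reset link; tokens are single-use and time-limited, and redeeming one invalidates the user's other outstanding tokens. Assumptions not stated on the page: a 30-minute token lifetime, a 401 INVALID_TOKEN result for an unknown, used or expired token (the page gives no code for that case), a constructed clock, and an in-memory outbox standing in for SMTP (DEP-002). Note that ACCOUNT_NOT_FOUND 404 for an unknown email, required by D-07 for training, confirms which addresses have accounts; outside the training setting the usual practice is to answer identically either way.

```python
"""PasswordResetToken lifecycle for PROC-AUTH-002 / REQ-AUTH-007 (added example, not OrangeHRM code)."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_MINUTES = 30     # assumption: the page does not state a token lifetime
T0 = datetime(2026, 6, 4, 9, 0, tzinfo=timezone.utc)   # constructed clock for deterministic tests


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


def _hash_token(raw: str) -> str:
    # the raw token carries 256 bits of entropy, so an unsalted SHA-256 makes the stored value useless
    return hashlib.sha256(raw.encode()).hexdigest()


def _hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


@dataclass
class Account:
    user_account_id: str
    email: str
    password_hash: str


@dataclass
class PasswordResetToken:
    token_hash: str            # unique global; the raw token is never stored
    user_account_id: str
    expires_at: datetime
    used_at: Optional[datetime] = None


class PasswordResetService:
    def __init__(self, accounts: List[Account]):
        self.by_email = {a.email.lower(): a for a in accounts}
        self.tokens: Dict[str, PasswordResetToken] = {}
        self.outbox: List[Tuple[str, str]] = []   # (email, raw token): stands in for SMTP (DEP-002)

    def request_reset(self, email: str, now: datetime) -> Tuple[int, str]:
        account = self.by_email.get(email.strip().lower())
        if account is None:
            return 404, "ACCOUNT_NOT_FOUND"   # D-07 training rule; see the caveat in the lead-in
        raw = secrets.token_urlsafe(32)
        token_hash = _hash_token(raw)
        self.tokens[token_hash] = PasswordResetToken(
            token_hash, account.user_account_id, now + timedelta(minutes=TOKEN_TTL_MINUTES))
        self.outbox.append((account.email, raw))
        return 200, "RESET_EMAIL_SENT"

    def redeem(self, raw: str, new_password: str, confirm_password: str,
               now: datetime) -> Tuple[int, str]:
        if not new_password or new_password != confirm_password:
            return 400, "BAD_REQUEST"         # R5: malformed or missing fields
        token = self.tokens.get(_hash_token(raw))
        if token is None or token.used_at is not None or token.expires_at <= now:
            return 401, "INVALID_TOKEN"       # assumption: the page gives no code for this case
        account = next(a for a in self.by_email.values() if a.user_account_id == token.user_account_id)
        account.password_hash = _hash_password(new_password)
        # single use, and every other outstanding token for this user dies with it
        for t in self.tokens.values():
            if t.user_account_id == token.user_account_id and t.used_at is None:
                t.used_at = now
        return 200, "PASSWORD_CHANGED"
```

Used and expired tokens are kept rather than deleted so the PasswordResetToken completed ratio behind KPI-002 can be computed from the same table.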
SECTION 9: Non-Functional Requirements
9.1 Performance
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-PERF-001 | Login page load time | < 2 seconds | Must |
| NFR-PERF-002 | Login validation response | p95 < 500 ms | Must |
9.2 Security
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-SEC-001 | Password storage | Hashed password only | Must |
| NFR-SEC-002 | Transport security | HTTPS required | Must |
| NFR-SEC-003 | Error disclosure | Generic invalid credential message per D-02 and D-12 | Must |
| NFR-SEC-004 | Audit logging | Log success and failure attempts | Should |
9.3 Usability
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-USA-001 | Keyboard navigation | Login without mouse | Should |
| NFR-USA-002 | Error visibility | Error near field or clear banner | Should |
| NFR-USA-003 | Responsive layout | Desktop and mobile browser | Should |
9.4 Reliability
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-REL-001 | Authentication availability | 99.9 percent | Should |
| NFR-REL-002 | Dependency failure handling | SMTP/Captcha/Authenticator failures return DEPENDENCY_UNAVAILABLE 503 | Should |
SECTION 10: Constraints & Assumptions
10.1 Constraints
| Constraint ID | Type | Description | Impact |
|---|---|---|---|
| CON-001 | Technical | Existing OrangeHRM routing under /web/index.php/auth | API path must match current routing |
| CON-002 | Security | Session-based web authentication | JWT assumptions are not used |
| CON-003 | Training | Demo data can be reset periodically | Instructor must verify before class |
10.2 Assumptions
| Assumption ID | Description | Risk if Wrong | Validation |
|---|---|---|---|
| ASM-001 | Username is the login identifier per D-01 | Login tests mismatch | [CONFIRM - PO] |
| ASM-002 | Demo credential works per D-11 | Classroom login fails | [CONFIRM - Instructor] |
| ASM-003 | 2FA is enabled for Phase 3 per D-08 | OTP flow not testable | [CONFIRM - Security Lead] |
10.3 Dependencies
| Dependency ID | Type | Description | Owner | Status |
|---|---|---|---|---|
| DEP-001 | Internal | HR Administration for account status | HR Admin | [TBC - HR Admin] |
| DEP-002 | External | SMTP for reset email | Tech Lead | [TBC - Tech Lead] |
| DEP-003 | External | Authenticator App for OTP | Security Lead | [TBC - Security Lead] |
SECTION 11: Acceptance Criteria Overview
11.1 Feature Acceptance Criteria
| Feature ID | AC Summary | Test Approach |
|---|---|---|
| F-AUTH-001 | Login page displays required controls | Both |
| F-AUTH-003 | Valid credentials authenticate; invalid returns INVALID_CREDENTIALS 401 | Both |
| F-AUTH-007 | Registered email can request reset; unknown email returns ACCOUNT_NOT_FOUND 404 per D-07 | Both |
| F-AUTH-008 | 5 failed attempts lock the account for 30 minutes per D-03 | Automated |
| F-AUTH-009 | Captcha required after threshold per D-04 | Both |
| F-AUTH-011 | User with a valid password must pass OTP per D-08 | Both |
11.2 Overall Acceptance Criteria
| Criteria | Description | Verification Method |
|---|---|---|
| Functional | Anonymous login and recovery flows work | Test execution |
| Performance | Login NFR targets met | Load testing |
| Security | No credential disclosure beyond the D-07 training seed | Security review |
| Usability | Error and recovery UI are clear | UAT sign-off |
================================================================
BUSINESS REQUIREMENTS DOCUMENT
Document ID : BRD-PER-02-M-AUTH-01
Module : M-AUTH-01 - Login & Authentication
Persona : Employee User
Version : 1.0
Status : DRAFT
Author : GPT-generated BA
Created Date : 2026-06-04
Last Updated : 2026-06-04
Reviewed By : [TBC - PO]
Approved By : [TBC - PO]
SECTION 1: Executive Summary
1.1 Document Purpose
This BRD describes the requirements for the Employee User after a successful login, including role-based landing on My Info, session timeout, logout and password expiry.
1.2 Scope
| Aspect | Description |
|---|---|
| In-Scope | F-AUTH-010, F-AUTH-012, F-AUTH-013, F-AUTH-014 |
| Out-of-Scope | Manage users, direct report data, HR Administration |
| Assumptions | Employee has the ESS role; session timeout is configurable per D-09 |
1.3 Target Audience
| Audience | Purpose |
|---|---|
| Product Owner | Approve ESS authentication behavior |
| Development Team | Implement session and redirect |
| QA Team | Validate Employee auth paths |
| UX Team | Confirm session expired and logout states |
SECTION 2: Stakeholder Analysis
2.1 Primary Stakeholder
| Attribute | Description |
|---|---|
| Persona ID | PER-02 |
| Name | Employee User |
| Role | ESS employee |
| Department | Employee Self Service |
| Primary Goals | Access My Info, log out, be notified when the session has expired |
| Pain Points | Session expired, password expired, redirect to the wrong role landing |
| Success Metrics | ESS redirect matches role; logout and timeout return to the login page |
2.2 Secondary Stakeholders
| Stakeholder | Role | Interest Level | Influence Level |
|---|---|---|---|
| System | Session and redirect processor | High | High |
| Supervisor User | May depend on employee access state | Low | Low |
| HR Admin | Can manage user status | Medium | Medium |
| PO | Approves Employee landing behavior | High | High |
2.3 RACI Matrix
| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Define requirements | BA | PO | Dev Lead | Team |
| Approve requirements | PO | PO | BA | Team |
| Implement | Dev Team | Tech Lead | BA | PO |
| Test | QA Team | QA Lead | BA | PO |
SECTION 3: Business Objectives & KPIs
| Objective ID | Objective | Alignment | Priority |
|---|---|---|---|
| OBJ-001 | Let the Employee access self-service after login | OBJ-01 | Must |
| OBJ-002 | End the session securely on logout or timeout | OBJ-02 | Must |

| KPI ID | KPI Name | Current | Target | Measurement Method |
|---|---|---|---|---|
| KPI-001 | ESS redirect accuracy | [TBC - PO] | 100 percent of Must paths | Role landing tests |
| KPI-002 | Logout success | [TBC - QA Lead] | 100 percent | Session state test |
| KPI-003 | Expired session redirect | [TBC - QA Lead] | 100 percent | Timeout test |

| Criteria ID | Description | Measurement | Target |
|---|---|---|---|
| SC-001 | Employee reaches My Info after login | Functional test | 100 percent |
| SC-002 | Employee logout marks the session LoggedOut | DB/API verification | 100 percent |
SECTION 4: Functional Requirements
| Req ID | Requirement | Feature ID | Priority | Complexity |
|---|---|---|---|---|
| REQ-AUTH-010 | Redirect ESS user to My Info | F-AUTH-013 | Must | Medium |
| REQ-AUTH-011 | Logout active session | F-AUTH-012 | Must | Low |
| REQ-AUTH-012 | Expire inactive session | F-AUTH-014 | Must | Medium |
| REQ-AUTH-013 | Redirect password-expired user to change password | F-AUTH-010 | Should | Medium |

| Req ID | Name | Description | Related Feature | Source | Rationale |
|---|---|---|---|---|---|
| REQ-AUTH-010 | ESS landing | Employee role redirects to My Info per D-10 | F-AUTH-013 | 01-module-map | User lands in the correct ESS context |
| REQ-AUTH-011 | Logout | Employee can end own session | F-AUTH-012 | 00-context.md | Prevent stale access |
| REQ-AUTH-012 | Session timeout | Inactive session expires and returns to login | F-AUTH-014 | 01-module-map | Reduce risk of unattended access |
| REQ-AUTH-013 | Password expiry | Expired password redirects to change password | F-AUTH-010 | D-05 | Enforce security policy |

| Item | Description |
|---|---|
| Input | Active session, role assignment, logout action, last_activity_at |
| Processing | Check session status, role, password_expires_at, timeout |
| Output | My Info redirect, login redirect, change password redirect |
| Validation | Missing/invalid session uses UNAUTHORIZED 401 |

| Dependency | Type | Description |
|---|---|---|
| Dashboard/My Info | Hard | Target after ESS login |
| Security Configuration | Hard | Session timeout and expiry settings |
SECTION 5: Business Process Flows
| Process ID | Process Name | Trigger | End State | Actor |
|---|---|---|---|---|
| PROC-AUTH-004 | Employee role landing | Employee login success | My Info displayed | PER-02 |
| PROC-AUTH-005 | Employee logout | User clicks logout | Login page displayed | PER-02 |
| PROC-AUTH-006 | Employee session timeout | Inactivity exceeds timeout | Login page displayed | PER-02 |

| Step | Actor | Action | System Response | Business Rule | Next Step | Alternative |
|---|---|---|---|---|---|---|
| 1 | System | Complete login validation | Read role assignment | BR-AUTH-014 | 2 | 1a |
| 1a | System | No role found | Redirect to Dashboard | BR-AUTH-014 | End | N/A |
| 2 | System | Detect ESS role | Redirect to My Info | BR-AUTH-014 | 3 | N/A |
| 3 | PER-02 | Use application | Update last_activity_at | BR-AUTH-015 | 4 | 3a |
| 3a | System | Session inactive beyond timeout | Expire session and redirect to login | BR-AUTH-015 | End | N/A |
| 4 | PER-02 | Click logout | Mark session LoggedOut | BR-AUTH-016 | End | N/A |
Text diagram:
[Login success] -> [Check role] -> [ESS: My Info] -> [Active session]
-> [Logout: Login page]
-> [Timeout: Login page]
| Exception | Trigger | Handling | Recovery |
|---|---|---|---|
| EX-AUTH-005 | Session token missing | UNAUTHORIZED 401 | User logs in again |
| EX-AUTH-006 | Password expired | PASSWORD_EXPIRED 401 | User changes password |
| EX-AUTH-007 | Role missing | Redirect to Dashboard | PO confirms limited permissions |
SECTION 6: Use Case Summary
| UC ID | Use Case Name | Primary Actor | Priority | Complexity |
|---|---|---|---|---|
| UC-AUTH-006 | Access ESS landing | PER-02 | Must | M |
| UC-AUTH-007 | Logout own session | PER-02 | Must | S |
| UC-AUTH-008 | Handle session timeout | PER-02 | Must | M |
| UC-AUTH-009 | Change expired password | PER-02 | Should | M |

| Attribute | Description |
|---|---|
| UC ID | UC-AUTH-007 |
| Name | Logout own session |
| Primary Actor | PER-02 |
| Secondary Actors | System |
| Preconditions | Employee authenticated with an Active session |
| Postconditions | Session status LoggedOut; login page displayed |
| Trigger | User selects logout |

| Step | Actor | Action | System Response |
|---|---|---|---|
| 1 | PER-02 | Open user menu | System shows logout action |
| 2 | PER-02 | Click Logout | System invalidates session |
| 3 | System | Redirect | Login page displayed |

| Alt ID | Condition | Steps |
|---|---|---|
| ALT-1 | Session already expired | System redirects to login and returns UNAUTHORIZED 401 for protected calls |

| Exc ID | Condition | Steps |
|---|---|---|
| EXC-1 | Server error | System returns INTERNAL_ERROR 500 and logs ERROR |
SECTION 7: Business Rules
| Rule ID | Rule Name | Category | Priority | Enforcement |
|---|---|---|---|---|
| BR-AUTH-007 | Password expiry | Security | Should | System |
| BR-AUTH-014 | Role redirect | Workflow | Must | System |
| BR-AUTH-015 | Session timeout | Security | Must | System |
| BR-AUTH-016 | Logout own session | Authorization | Must | System |

| Rule ID | Condition | Action | Exception | Error Message | Related Requirements |
|---|---|---|---|---|---|
| BR-AUTH-014 | WHEN Employee/ESS login success | THEN redirect to My Info | No role redirects to Dashboard | N/A | REQ-AUTH-010 |
| BR-AUTH-015 | WHEN inactive beyond configured timeout | THEN expire session | EXCEPT none | Session expired | REQ-AUTH-012 |
| BR-AUTH-016 | WHEN authenticated user logs out own session | THEN mark LoggedOut | EXCEPT admin session management [TBC - PO] | N/A | REQ-AUTH-011 |

| Scenario | Input | Expected Result |
|---|---|---|
| Valid case | Employee active session logout | Session LoggedOut and login page shown |
| Invalid case | Protected request after timeout | UNAUTHORIZED 401 |
SECTION 8: Data Requirements
| Entity | Description | Owner | Sensitivity |
|---|---|---|---|
| AuthSession | Employee session status and expiry | M-AUTH-01 | Confidential |
| UserAccount | Employee login and role link | M-AUTH-01 | Confidential |
| UserRoleAssignment | ESS role mapping | User Role Management | Internal |

| Entity | Field | Type | Required | Unique | Default | Validation | Description |
|---|---|---|---|---|---|---|---|
| AuthSession | status | Enum | Yes | No | Active | Active, Expired, LoggedOut | Session state |
| AuthSession | last_activity_at | DateTime | Yes | No | now | Must be <= current time | Activity tracking |
| AuthSession | expires_at | DateTime | Yes | No | now plus timeout | Must be after created_at | Expiry time |
| UserRoleAssignment | user_account_id | UUID | Yes | Composite | none | Existing user | Role mapping |

| From Entity | To Entity | Relationship | Description |
|---|---|---|---|
| UserAccount | AuthSession | 1-N | Employee can have multiple sessions |
| UserAccount | UserRoleAssignment | 1-N | Employee can have assigned roles |
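BR-AUTH-015 and BR-AUTH-016 over the AuthSession fields above, as an added Python example that is not OrangeHRM code and not part of this BRD: the store issues a fresh random session id on every login so a pre-login id is never promoted, treats each authorized request as activity that slides expires_at forward, marks the session Expired on the first request after the idle window and answers UNAUTHORIZED 401 from then on (NFR-REL-003), and lets a user end only their own session. Assumptions not stated on the page: a 15-minute timeout (D-09 makes it configurable but the value is not given here) and a constructed clock so the checks are deterministic.

```python
"""AuthSession lifecycle for F-AUTH-012 / F-AUTH-014 (added example, not OrangeHRM code)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

SESSION_TIMEOUT_MINUTES = 15   # assumption: D-09 makes this configurable; the value is not on the page
T0 = datetime(2026, 6, 4, 9, 0, tzinfo=timezone.utc)   # constructed clock for deterministic tests


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


@dataclass
class AuthSession:
    session_id: str
    user_account_id: str
    created_at: datetime
    last_activity_at: datetime
    expires_at: datetime            # always last activity plus the timeout (data dictionary default)
    status: str = "Active"          # Active | Expired | LoggedOut


class SessionStore:
    def __init__(self, timeout_minutes: int = SESSION_TIMEOUT_MINUTES):
        self.timeout = timedelta(minutes=timeout_minutes)
        self.sessions: Dict[str, AuthSession] = {}

    def create(self, user_account_id: str, now: datetime) -> AuthSession:
        """Issue a fresh, unguessable id at login; a pre-login id is never promoted (session fixation)."""
        session = AuthSession(secrets.token_urlsafe(32), user_account_id, now, now, now + self.timeout)
        self.sessions[session.session_id] = session
        return session

    def authorize(self, session_id: Optional[str], now: datetime) -> Tuple[int, Optional[AuthSession]]:
        """Gate for every protected request: (200, session) or (401, None) for UNAUTHORIZED."""
        session = self.sessions.get(session_id or "")
        if session is None or session.status != "Active":
            return 401, None                  # missing, LoggedOut or already Expired
        if now >= session.expires_at:         # BR-AUTH-015: inactive beyond the configured timeout
            session.status = "Expired"
            return 401, None
        session.last_activity_at = now        # activity slides the expiry forward
        session.expires_at = now + self.timeout
        return 200, session

    def logout(self, session_id: str, acting_user_id: str, now: datetime) -> bool:
        """BR-AUTH-016: a user may end only their own Active session."""
        session = self.sessions.get(session_id)
        if session is None or session.user_account_id != acting_user_id or session.status != "Active":
            return False
        session.status = "LoggedOut"
        session.last_activity_at = now
        return True
```

Expiry is evaluated on the server from expires_at, never from the cookie, so a client that keeps presenting an old id after the idle window still receives 401; the UI redirect to the login page (PROC-AUTH-006) is driven by that response.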
SECTION 9: Non-Functional Requirements
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-PERF-003 | Role redirect response | p95 < 500 ms | Must |
| NFR-SEC-005 | Session protection | Session-based authentication enforced | Must |
| NFR-USA-004 | Logout discoverability | Logout visible in user menu | Should |
| NFR-REL-003 | Session state consistency | No access after LoggedOut or Expired | Must |
SECTION 10: Constraints & Assumptions
| Constraint ID | Type | Description | Impact |
|---|---|---|---|
| CON-004 | Technical | Current OrangeHRM menu controls logout location | UX must align with the existing layout |
| CON-005 | Security | Timeout duration is configurable | QA needs the configured value [TBC - Tech Lead] |

| Assumption ID | Description | Risk if Wrong | Validation |
|---|---|---|---|
| ASM-004 | Employee role maps to ESS/My Info per D-10 | Redirect test fails | [CONFIRM - PO] |
| ASM-005 | Timeout can be triggered in the test environment | Cannot verify F-AUTH-014 | [CONFIRM - Tech Lead] |

| Dependency ID | Type | Description | Owner | Status |
|---|---|---|---|---|
| DEP-004 | Internal | My Info landing page | PO | [TBC - PO] |
| DEP-005 | Internal | Security Configuration timeout | Tech Lead | [TBC - Tech Lead] |
SECTION 11: Acceptance Criteria Overview
| Feature ID | AC Summary | Test Approach |
|---|---|---|
| F-AUTH-012 | Employee logout ends session and redirects to login | Both |
| F-AUTH-013 | Employee redirects to My Info per D-10 | Both |
| F-AUTH-014 | Inactive Employee session expires per D-09 | Automated |
| F-AUTH-010 | Expired password sends Employee to change password per D-05 | Both |

| Criteria | Description | Verification Method |
|---|---|---|
| Functional | Employee auth lifecycle works | Regression tests |
| Performance | Redirect and session checks meet p95 target | Performance test |
| Security | Expired/logged-out session blocked | Security test |
| Usability | Logout and timeout messaging clear | UAT |
================================================================
BUSINESS REQUIREMENTS DOCUMENT
Document ID : BRD-PER-03-M-AUTH-01
Module : M-AUTH-01 - Login & Authentication
Persona : Supervisor User
Version : 1.0
Status : DRAFT
Author : GPT-generated BA
Created Date : 2026-06-04
Last Updated : 2026-06-04
Reviewed By : [TBC - PO]
Approved By : [TBC - PO]
SECTION 1: Executive Summary
1.1 Document Purpose
This BRD describes the authentication requirements for the Supervisor User, focusing on successful login, role-based landing, session management and logout. After authentication the Supervisor may be able to view personal information and direct reports, but direct report content is outside the scope of auth.
1.2 Scope
| Aspect | Description |
|---|---|
| In-Scope | F-AUTH-003, F-AUTH-010, F-AUTH-012, F-AUTH-013, F-AUTH-014 |
| Out-of-Scope | Direct report data details and employee module permissions |
| Assumptions | Supervisor role is assigned via UserRoleAssignment |
1.3 Target Audience
| Audience | Purpose |
|---|---|
| Product Owner | Confirm Supervisor landing behavior |
| Development Team | Implement role and session behavior |
| QA Team | Design Supervisor auth tests |
| UX Team | Validate redirect and expired session UX |
SECTION 2: Stakeholder Analysis
| Attribute | Description |
|---|---|
| Persona ID | PER-03 |
| Name | Supervisor User |
| Role | Direct manager |
| Department | HR operations |
| Primary Goals | Log in, access own profile and direct report entry points |
| Pain Points | Wrong permissions after login, session timeout |
| Success Metrics | Supervisor role recognized and protected session enforced |

| Stakeholder | Role | Interest Level | Influence Level |
|---|---|---|---|
| Employee User | Direct report access subject | Medium | Low |
| HR Admin | Assigns role | High | Medium |
| System | Enforces authentication | High | High |
| PO | Defines landing destination | High | High |

| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Define requirements | BA | PO | HR Admin | Team |
| Approve requirements | PO | PO | BA | Team |
| Implement | Dev Team | Tech Lead | BA | PO |
| Test | QA Team | QA Lead | BA | PO |
SECTION 3: Business Objectives & KPIs
| Objective ID | Objective | Alignment | Priority |
|---|---|---|---|
| OBJ-001 | Allow Supervisor to access the authorized HRM entry point | OBJ-01 | Must |
| OBJ-002 | Prevent unauthenticated access to protected supervisor features | OBJ-02 | Must |

| KPI ID | KPI Name | Current | Target | Measurement Method |
|---|---|---|---|---|
| KPI-001 | Supervisor login success | [TBC - PO] | >= 98 percent of active users | LoginAttempt success ratio |
| KPI-002 | Unauthorized access incidents | [TBC - Security Lead] | 0 incidents | Security audit |
| KPI-003 | Session timeout compliance | [TBC - QA Lead] | 100 percent | Timeout tests |

| Criteria ID | Description | Measurement | Target |
|---|---|---|---|
| SC-001 | Supervisor authenticated before protected access | Security test | 100 percent |
| SC-002 | Supervisor session can log out and expire | Functional test | 100 percent |
SECTION 4: Functional Requirements
| Req ID | Requirement | Feature ID | Priority | Complexity |
|---|---|---|---|---|
| REQ-AUTH-014 | Authenticate Supervisor credentials | F-AUTH-003 | Must | Medium |
| REQ-AUTH-015 | Redirect Supervisor by role | F-AUTH-013 | Must | Medium |
| REQ-AUTH-016 | Enforce session timeout | F-AUTH-014 | Must | Medium |
| REQ-AUTH-017 | Allow logout of own session | F-AUTH-012 | Must | Low |
| REQ-AUTH-018 | Enforce password expiry | F-AUTH-010 | Should | Medium |

| Req ID | Name | Description | Related Feature | Source | Rationale |
|---|---|---|---|---|---|
| REQ-AUTH-014 | Supervisor authentication | Validate Supervisor credentials and account status | F-AUTH-003 | 01-module-map | Protect supervisor capabilities |
| REQ-AUTH-015 | Supervisor landing | Redirect according to assigned role; exact target [TBC - PO] | F-AUTH-013 | D-10 | User must land in an authorized area |
| REQ-AUTH-016 | Session timeout | Expire inactive Supervisor sessions | F-AUTH-014 | D-09 | Protect unattended HR data |

| Item | Description |
|---|---|
| Input | username, password, session token, role assignment |
| Processing | Credential validation, role lookup, session activity update |
| Output | Authenticated session, role landing, timeout redirect |
| Validation | Invalid session returns UNAUTHORIZED 401; forbidden resource returns FORBIDDEN 403 |

| Dependency | Type | Description |
|---|---|---|
| User Role Management | Hard | Supervisor role assignment |
| Employee Management | Hard | Direct report access checks after auth |
| Security Configuration | Hard | Timeout and password expiry |
SECTION 5: Business Process Flows
| Process ID | Process Name | Trigger | End State | Actor |
|---|---|---|---|---|
| PROC-AUTH-007 | Supervisor login and landing | Login success | Supervisor landing displayed | PER-03 |
| PROC-AUTH-008 | Supervisor protected access | Open protected page | Access granted or denied | PER-03 |
| PROC-AUTH-009 | Supervisor logout/timeout | Logout or inactivity | Session ended | PER-03 |

| Step | Actor | Action | System Response | Business Rule | Next Step | Alternative |
|---|---|---|---|---|---|---|
| 1 | PER-03 | Log in successfully | System loads roles | BR-AUTH-014 | 2 | 1a |
| 1a | System | Password expired | Redirect to change password | BR-AUTH-007 | End | N/A |
| 2 | System | Detect Supervisor role | Redirect to role landing [TBC - PO] | BR-AUTH-014 | 3 | N/A |
| 3 | PER-03 | Access protected page | System validates session | BR-AUTH-015 | 4 | 3a |
| 3a | System | Session invalid | Return UNAUTHORIZED 401 | BR-AUTH-015 | End | N/A |
| 4 | PER-03 | Log out or become inactive | System ends session | BR-AUTH-015/BR-AUTH-016 | End | N/A |
Text diagram:
[Supervisor login] -> [Role lookup] -> [Supervisor landing]
-> [Protected access with active session]
-> [Logout or timeout]
| Exception | Trigger | Handling | Recovery |
|---|---|---|---|
| EX-AUTH-008 | Role not assigned | Redirect Dashboard with limited permissions | HR Admin checks assignment |
| EX-AUTH-009 | Cross-ownership access | FORBIDDEN 403 | User returns to allowed page |
| EX-AUTH-010 | Password expired | PASSWORD_EXPIRED 401 | Change password |
SECTION 6: Use Case Summary
| UC ID | Use Case Name | Primary Actor | Priority | Complexity |
|---|---|---|---|---|
| UC-AUTH-010 | Supervisor login | PER-03 | Must | M |
| UC-AUTH-011 | Supervisor role landing | PER-03 | Must | M |
| UC-AUTH-012 | Supervisor timeout | PER-03 | Must | M |
| UC-AUTH-013 | Supervisor logout | PER-03 | Must | S |

| Attribute | Description |
|---|---|
| UC ID | UC-AUTH-011 |
| Name | Supervisor role landing |
| Primary Actor | PER-03 |
| Secondary Actors | System |
| Preconditions | Supervisor authenticated and role assigned |
| Postconditions | Supervisor lands in authorized area |
| Trigger | Login success |

| Step | Actor | Action | System Response |
|---|---|---|---|
| 1 | System | Read UserRoleAssignment | Supervisor role found |
| 2 | System | Apply role redirect | Landing page displayed |
| 3 | PER-03 | Open protected entry point | System permits only authenticated access |

| Alt ID | Condition | Steps |
|---|---|---|
| ALT-1 | No role found | Redirect Dashboard per D-10 |

| Exc ID | Condition | Steps |
|---|---|---|
| EXC-1 | Session expired | Return UNAUTHORIZED 401 and redirect login |
SECTION 7: Business Rules
| Rule ID | Rule Name | Category | Priority | Enforcement |
|---|---|---|---|---|
| BR-AUTH-004 | Username is case-insensitive | Validation | Must | System |
| BR-AUTH-007 | Password expiry | Security | Should | System |
| BR-AUTH-014 | Role redirect | Workflow | Must | System |
| BR-AUTH-015 | Session timeout | Security | Must | System |
| BR-AUTH-016 | Logout own session | Authorization | Must | System |

| Rule ID | Condition | Action | Exception | Error Message | Related Requirements |
|---|---|---|---|---|---|
| BR-AUTH-014 | WHEN Supervisor login succeeds | THEN redirect by assigned role | No role -> Dashboard | N/A | REQ-AUTH-015 |
| BR-AUTH-007 | WHEN password expired after 30 days | THEN redirect change password | EXCEPT Global Admin | Password expired | REQ-AUTH-018 |
| BR-AUTH-015 | WHEN inactivity exceeds timeout | THEN expire session | EXCEPT none | Session expired | REQ-AUTH-016 |

| Scenario | Input | Expected Result |
|---|---|---|
| Valid case | Supervisor active role | Authenticated landing shown |
| Invalid case | Expired session | UNAUTHORIZED 401 |
SECTION 8: Data Requirements
| Entity | Description | Owner | Sensitivity |
|---|---|---|---|
| UserAccount | Supervisor account state | M-AUTH-01 | Confidential |
| UserRoleAssignment | Supervisor role link | User Role Management | Internal |
| AuthSession | Supervisor session | M-AUTH-01 | Confidential |

| Entity | Field | Type | Required | Unique | Default | Validation | Description |
|---|---|---|---|---|---|---|---|
| UserAccount | password_expires_at | DateTime | Yes | No | now plus 30 days | Must be valid datetime | Expiry decision |
| UserRoleAssignment | user_role_id | UUID | Yes | Composite | none | Existing role | Supervisor role |
| AuthSession | status | Enum | Yes | No | Active | Active, Expired, LoggedOut | Session state |

| From Entity | To Entity | Relationship | Description |
|---|---|---|---|
| UserAccount | UserRoleAssignment | 1-N | User may hold Supervisor role |
| UserAccount | AuthSession | 1-N | User may have sessions |
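The session lifecycle behind REQ-AUTH-016/017 and the AuthSession status values above, as an added example that is not part of the original BRD or of OrangeHRM: the idle timeout length and the owner check on logout are assumptions, since this section references D-09 by ID only.

```python
"""Session lifecycle for REQ-AUTH-016/017: inactivity expiry (BR-AUTH-015),
logout of own session (BR-AUTH-016) and the AuthSession.status values
Active / Expired / LoggedOut from Section 8.

Added example, not OrangeHRM code. The idle timeout length is not given in
this section (D-09 is referenced by ID only), so IDLE_TIMEOUT is an assumed
placeholder; the owner check in logout is an assumed reading of BR-AUTH-016.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

IDLE_TIMEOUT = timedelta(minutes=15)   # assumed placeholder, real value per D-09 [TBC]


class SessionStatus(str, Enum):
    ACTIVE = "Active"
    EXPIRED = "Expired"
    LOGGED_OUT = "LoggedOut"


@dataclass
class AuthSession:
    session_id: str
    user_account_id: str
    last_activity_at: datetime
    status: SessionStatus = SessionStatus.ACTIVE


@dataclass
class AuthResult:
    ok: bool
    code: str            # R5 catalog code (OK, UNAUTHORIZED, FORBIDDEN)
    http_status: int
    session: Optional[AuthSession] = None


class SessionStore:
    """In-memory stand-in for the AuthSession table; `now` is passed in so the
    timeout can be exercised without sleeping."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, AuthSession] = {}

    def create(self, user_account_id: str, now: datetime) -> AuthSession:
        # Session created after a successful login (PROC-AUTH-007 step 1).
        session = AuthSession(secrets.token_urlsafe(32), user_account_id, now)
        self._sessions[session.session_id] = session
        return session

    def validate(self, session_id: str, now: datetime) -> AuthResult:
        """Protected-route check (PROC-AUTH-008 step 3 / 3a). A session whose
        inactivity exceeds the timeout is marked Expired on first contact, and
        anything not Active answers UNAUTHORIZED 401 (NFR-REL-004)."""
        session = self._sessions.get(session_id)
        if session is None:
            return AuthResult(False, "UNAUTHORIZED", 401)
        if (session.status is SessionStatus.ACTIVE
                and now - session.last_activity_at > self.idle_timeout):
            session.status = SessionStatus.EXPIRED
        if session.status is not SessionStatus.ACTIVE:
            return AuthResult(False, "UNAUTHORIZED", 401)
        session.last_activity_at = now   # "session activity update" from Section 4
        return AuthResult(True, "OK", 200, session)

    def logout(self, session_id: str, requester_account_id: str,
               now: datetime) -> AuthResult:
        """BR-AUTH-016: a user ends only their own session. Someone else's
        session is FORBIDDEN 403; an unknown or already-ended own session is
        UNAUTHORIZED 401; otherwise the status becomes LoggedOut."""
        session = self._sessions.get(session_id)
        if session is not None and session.user_account_id != requester_account_id:
            return AuthResult(False, "FORBIDDEN", 403)
        check = self.validate(session_id, now)
        if not check.ok:
            return check
        session.status = SessionStatus.LOGGED_OUT    # F-AUTH-012 acceptance criterion
        return AuthResult(True, "OK", 200, session)
```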
SECTION 9: Non-Functional Requirements
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-PERF-004 | Protected access auth check | p95 < 500ms | Must |
| NFR-SEC-006 | RBAC enforcement | Supervisor access requires assigned role | Must |
| NFR-USA-005 | Timeout message | Clear login-again state | Should |
| NFR-REL-004 | Session invalidation | Expired session cannot access protected routes | Must |
SECTION 10: Constraints & Assumptions
| Constraint ID | Type | Description | Impact |
|---|---|---|---|
| CON-006 | Business | Supervisor landing page exact target not specified | Needs [TBC - PO] |
| CON-007 | Technical | Direct report permission outside auth scope | Auth only validates entry and session |

| Assumption ID | Description | Risk if Wrong | Validation |
|---|---|---|---|
| ASM-006 | Supervisor role exists in test data | Role test blocked | [CONFIRM - Instructor] |
| ASM-007 | Supervisor follows same password expiry as Employee | Expiry behavior mismatch | [CONFIRM - Security Lead] |

| Dependency ID | Type | Description | Owner | Status |
|---|---|---|---|---|
| DEP-006 | Internal | User Role Management | HR Admin | [TBC - HR Admin] |
| DEP-007 | Internal | Employee Management direct reports | PO | [TBC - PO] |
SECTION 11: Acceptance Criteria Overview
| Feature ID | AC Summary | Test Approach |
|---|---|---|
| F-AUTH-003 | Supervisor can authenticate with valid credential | Both |
| F-AUTH-013 | Supervisor redirected by role per D-10 or [TBC - PO] target | Both |
| F-AUTH-014 | Timeout invalidates Supervisor session | Automated |
| F-AUTH-012 | Logout marks Supervisor session LoggedOut | Both |

| Criteria | Description | Verification Method |
|---|---|---|
| Functional | Supervisor auth flows complete | Test execution |
| Security | Protected pages reject invalid session | Security test |
| Usability | Redirect and session expired states clear | UAT |
| Performance | Role and session checks meet targets | Performance test |
================================================================
BUSINESS REQUIREMENTS DOCUMENT
Document ID : BRD-PER-04-M-AUTH-01
Module : M-AUTH-01 - Login & Authentication
Persona : HR Admin
Version : 1.0
Status : DRAFT
Author : GPT-generated BA
Created Date : 2026-06-04
Last Updated : 2026-06-04
Reviewed By : [TBC - PO]
Approved By : [TBC - PO]
SECTION 1: Executive Summary
1.1 Document Purpose
This BRD describes the authentication requirements for HR Admin, including login, role-based landing in the Admin module, logout, session timeout and account unlock per the permission matrix.
1.2 Scope
| Aspect | Description |
|---|---|
| In-Scope | F-AUTH-003, F-AUTH-010, F-AUTH-012, F-AUTH-013, F-AUTH-014, admin unlock endpoint |
| Out-of-Scope | Create user account, create role, audit dashboard |
| Assumptions | HR Admin holds the Manage users and Unlock account permissions per the permission matrix |
1.3 Target Audience
| Audience | Purpose |
|---|---|
| Product Owner | Approve admin auth and unlock requirements |
| Development Team | Implement admin auth endpoints |
| QA Team | Test admin auth and authorization |
| UX Team | Validate admin landing and locked user support states |
SECTION 2: Stakeholder Analysis
| Attribute | Description |
|---|---|
| Persona ID | PER-04 |
| Name | HR Admin |
| Role | HR administration |
| Department | HR Administration |
| Primary Goals | Login, access admin features, unlock accounts |
| Pain Points | User locked, need support workflow, own session timeout |
| Success Metrics | Admin redirect works; unlock authorized only for HR Admin/Global Admin |

| Stakeholder | Role | Interest Level | Influence Level |
|---|---|---|---|
| Locked User | Receives unlock support | High | Low |
| Global Admin | Higher admin authority | Medium | High |
| System | Enforces auth and authorization | High | High |
| Security Lead | Confirms lockout policy | High | High |

| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Define requirements | BA | PO | Security Lead | Team |
| Approve requirements | PO | PO | HR Admin | Team |
| Implement | Dev Team | Tech Lead | BA | PO |
| Test | QA Team | QA Lead | Security Lead | PO |
SECTION 3: Business Objectives & KPIs
| Objective ID | Objective | Alignment | Priority |
|---|---|---|---|
| OBJ-001 | Enable authorized admin access to HR Administration | OBJ-01 | Must |
| OBJ-002 | Support account unlock after lockout | OBJ-02 | Should |
| OBJ-003 | Maintain secure admin sessions | OBJ-02 | Must |

| KPI ID | KPI Name | Current | Target | Measurement Method |
|---|---|---|---|---|
| KPI-001 | HR Admin login success | [TBC - PO] | >= 98 percent of active admins | LoginAttempt |
| KPI-002 | Unauthorized unlock attempts | [TBC - Security Lead] | 0 successful incidents | Security audit |
| KPI-003 | Unlock success for locked account | [TBC - QA Lead] | 100 percent of valid test cases | API/UI test |

| Criteria ID | Description | Measurement | Target |
|---|---|---|---|
| SC-001 | HR Admin can access Admin module after login | Functional test | 100 percent |
| SC-002 | HR Admin can unlock locked user | Permission test | 100 percent |
SECTION 4: Functional Requirements
| Req ID | Requirement | Feature ID | Priority | Complexity |
|---|---|---|---|---|
| REQ-AUTH-019 | Authenticate HR Admin | F-AUTH-003 | Must | Medium |
| REQ-AUTH-020 | Redirect HR Admin to Admin module | F-AUTH-013 | Must | Medium |
| REQ-AUTH-021 | Logout HR Admin session | F-AUTH-012 | Must | Low |
| REQ-AUTH-022 | Expire inactive HR Admin session | F-AUTH-014 | Must | Medium |
| REQ-AUTH-023 | HR Admin unlock locked account | F-AUTH-008 | Should | Medium |
| REQ-AUTH-024 | Redirect expired password to change password | F-AUTH-010 | Should | Medium |

| Req ID | Name | Description | Related Feature | Source | Rationale |
|---|---|---|---|---|---|
| REQ-AUTH-020 | Admin landing | HR Admin redirects to Admin module per D-10 | F-AUTH-013 | 01-module-map | Admin needs correct entry point |
| REQ-AUTH-023 | Unlock account | Authorized HR Admin posts user_id to unlock endpoint | F-AUTH-008 | 00-context.md | Resolve lockout support |
| REQ-AUTH-022 | Session timeout | Inactive admin session expires | F-AUTH-014 | D-09 | Protect admin access |

| Item | Description |
|---|---|
| Input | username, password, session token, user_id for unlock |
| Processing | Validate credential, admin role, lockout state, permission |
| Output | Admin module redirect, unlock success, error code |
| Validation | FORBIDDEN 403 for non-admin unlock; ACCOUNT_LOCKED 423 for locked own login |

| Dependency | Type | Description |
|---|---|---|
| HR Administration | Hard | User status and unlock action |
| User Role Management | Hard | HR Admin role assignment |
| Security Configuration | Hard | Lockout and timeout settings |
SECTION 5: Business Process Flows
| Process ID | Process Name | Trigger | End State | Actor |
|---|---|---|---|---|
| PROC-AUTH-010 | HR Admin login | Admin submits valid credential | Admin module displayed | PER-04 |
| PROC-AUTH-011 | Unlock user | Admin submits unlock request | User account unlocked | PER-04 |
| PROC-AUTH-012 | Admin logout/timeout | Logout or inactivity | Session ended | PER-04 |

| Step | Actor | Action | System Response | Business Rule | Next Step | Alternative |
|---|---|---|---|---|---|---|
| 1 | PER-04 | Login | System validates admin credential | BR-AUTH-003/BR-AUTH-005 | 2 | 1a |
| 1a | System | Invalid credential | INVALID_CREDENTIALS 401 | BR-AUTH-005 | End | N/A |
| 2 | System | Read role | Redirect Admin module | BR-AUTH-014 | 3 | N/A |
| 3 | PER-04 | Submit unlock user_id | Validate admin permission | Permission Matrix | 4 | 3a |
| 3a | System | Permission missing | FORBIDDEN 403 | Permission Matrix | End | N/A |
| 4 | System | Unlock account | Clear locked_until and failed count | BR-AUTH-008 | End | N/A |
Text diagram:
[HR Admin login] -> [Admin module] -> [Unlock request]
-> [Permission valid: unlock]
-> [Permission invalid: FORBIDDEN]
| Exception | Trigger | Handling | Recovery |
|---|---|---|---|
| EX-AUTH-011 | Non-admin calls unlock | FORBIDDEN 403 | Login as authorized admin |
| EX-AUTH-012 | Target user not found | ACCOUNT_NOT_FOUND 404 | Verify user_id |
| EX-AUTH-013 | Admin session expired | UNAUTHORIZED 401 | Login again |
SECTION 6: Use Case Summary
| UC ID | Use Case Name | Primary Actor | Priority | Complexity |
|---|---|---|---|---|
| UC-AUTH-014 | HR Admin login | PER-04 | Must | M |
| UC-AUTH-015 | HR Admin role landing | PER-04 | Must | M |
| UC-AUTH-016 | Unlock locked account | PER-04 | Should | M |
| UC-AUTH-017 | HR Admin logout | PER-04 | Must | S |

| Attribute | Description |
|---|---|
| UC ID | UC-AUTH-016 |
| Name | Unlock locked account |
| Primary Actor | PER-04 |
| Secondary Actors | System, Locked User |
| Preconditions | HR Admin authenticated; target user locked |
| Postconditions | Target account unlocked |
| Trigger | HR Admin submits unlock request |

| Step | Actor | Action | System Response |
|---|---|---|---|
| 1 | PER-04 | Select locked user | System displays user account |
| 2 | PER-04 | Submit unlock | System validates permission |
| 3 | System | Update account | locked_until cleared; failed_login_count reset |
| 4 | System | Return success | 200 Unlocked |

| Alt ID | Condition | Steps |
|---|---|---|
| ALT-1 | User already unlocked | System returns idempotent success [TBC - Tech Lead] |

| Exc ID | Condition | Steps |
|---|---|---|
| EXC-1 | Missing permission | FORBIDDEN 403 |
| EXC-2 | User not found | ACCOUNT_NOT_FOUND 404 |
SECTION 7: Business Rules
| Rule ID | Rule Name | Category | Priority | Enforcement |
|---|---|---|---|---|
| BR-AUTH-008 | Account lockout | Security | Should | System |
| BR-AUTH-010 | Disabled account | Authorization | Must | System |
| BR-AUTH-014 | Role redirect | Workflow | Must | System |
| BR-AUTH-015 | Session timeout | Security | Must | System |
| BR-AUTH-016 | Logout own session | Authorization | Must | System |

| Rule ID | Condition | Action | Exception | Error Message | Related Requirements |
|---|---|---|---|---|---|
| BR-AUTH-014 | WHEN HR Admin login succeeds | THEN redirect Admin module | No role -> Dashboard | N/A | REQ-AUTH-020 |
| BR-AUTH-008 | WHEN account locked | THEN deny login until unlock or 30 minutes | Global Admin exempt from lockout | Account locked | REQ-AUTH-023 |
| BR-AUTH-010 | WHEN account Disabled or Employee terminated | THEN deny login | EXCEPT none | Invalid credentials | REQ-AUTH-019 |

| Scenario | Input | Expected Result |
|---|---|---|
| Valid case | HR Admin unlocks locked user | User unlocked |
| Invalid case | Employee calls unlock | FORBIDDEN 403 |
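The unlock endpoint of REQ-AUTH-023 / UC-AUTH-016 together with the BR-AUTH-010 gate it must not bypass, as an added example that is not OrangeHRM code; the permission-matrix entry, the audit record shape and the in-memory repository are assumptions.

```python
"""Unlock endpoint for REQ-AUTH-023 / UC-AUTH-016: permission check against
the permission matrix (EXC-1), ACCOUNT_NOT_FOUND 404 (EXC-2), atomic reset of
locked_until and failed_login_count (NFR-REL-005), idempotent success (ALT-1)
and an audit record (NFR-SEC-008). login_eligible shows that unlocking never
changes UserAccount.status, so BR-AUTH-010 still denies a Disabled account.

Added example, not OrangeHRM code. UNLOCK_ROLES, the audit dict layout and
the in-memory repository are assumptions; the page only says unlock is
restricted to HR Admin and Global Admin.
"""
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional

UNLOCK_ROLES = frozenset({"HR Admin", "Global Admin"})   # assumed permission matrix entry


@dataclass(frozen=True)
class UserAccount:
    user_id: str
    status: str = "Enabled"                   # Enabled | Disabled (Section 8)
    locked_until: Optional[datetime] = None   # null or future datetime
    failed_login_count: int = 0


@dataclass
class Response:
    http_status: int
    code: str          # R5 catalog code
    detail: str = ""


class AccountRepository:
    """Toy store. commit() swaps the whole record in one step, so the two
    lockout fields can never be observed half-updated."""

    def __init__(self, accounts):
        self._rows = {a.user_id: a for a in accounts}

    def get(self, user_id: str) -> Optional[UserAccount]:
        return self._rows.get(user_id)

    def commit(self, account: UserAccount) -> None:
        self._rows[account.user_id] = account


def unlock_account(repo, audit_log, requester_id, requester_roles,
                   target_user_id, now) -> Response:
    # Step 2: authorisation is decided before the target lookup, so a caller
    # without the permission gets 403 regardless of whether the user_id exists.
    if not UNLOCK_ROLES & set(requester_roles):
        audit_log.append({"event": "UNLOCK_DENIED", "by": requester_id,
                          "target": target_user_id, "at": now})
        return Response(403, "FORBIDDEN")
    account = repo.get(target_user_id)
    if account is None:
        return Response(404, "ACCOUNT_NOT_FOUND")
    was_locked = account.locked_until is not None or account.failed_login_count > 0
    # Step 3: both lockout fields change in a single commit; status is untouched.
    repo.commit(replace(account, locked_until=None, failed_login_count=0))
    audit_log.append({"event": "ACCOUNT_UNLOCKED", "by": requester_id,
                      "target": target_user_id, "at": now, "was_locked": was_locked})
    # Step 4 / ALT-1: the same 200 whether or not the account was actually locked.
    return Response(200, "OK", "Unlocked" if was_locked else "Already unlocked")


def login_eligible(account: UserAccount, now: datetime) -> Response:
    """Pre-credential gate of the login flow. Unlock does not change status,
    so a Disabled account is still refused per BR-AUTH-010 (shown to the user
    as Invalid credentials), and a still-locked one gets ACCOUNT_LOCKED 423."""
    if account.status != "Enabled":
        return Response(401, "INVALID_CREDENTIALS")
    if account.locked_until is not None and account.locked_until > now:
        return Response(423, "ACCOUNT_LOCKED")
    return Response(200, "OK")
```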
SECTION 8: Data Requirements
| Entity | Description | Owner | Sensitivity |
|---|---|---|---|
| UserAccount | Admin and target account state | M-AUTH-01 | Confidential |
| UserRoleAssignment | HR Admin role | User Role Management | Internal |
| LoginAttempt | Lockout audit | M-AUTH-01 | Confidential |
| AuthSession | Admin session | M-AUTH-01 | Confidential |

| Entity | Field | Type | Required | Unique | Default | Validation | Description |
|---|---|---|---|---|---|---|---|
| UserAccount | status | Enum | Yes | No | Enabled | Enabled, Disabled | Login eligibility |
| UserAccount | locked_until | DateTime | No | No | null | Null or future datetime | Lockout state |
| UserAccount | failed_login_count | Integer | Yes | No | 0 | >= 0 | Lockout counter |
| AuthSession | user_account_id | UUID | Yes | No | none | Existing account | Session owner |

| From Entity | To Entity | Relationship | Description |
|---|---|---|---|
| UserAccount | LoginAttempt | 1-N | Attempts drive lockout |
| UserAccount | AuthSession | 1-N | Admin session tracking |
| UserAccount | UserRoleAssignment | 1-N | Admin permission lookup |
SECTION 9: Non-Functional Requirements
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-PERF-005 | Unlock response | p95 < 500ms [TBC - Tech Lead] | Should |
| NFR-SEC-007 | Admin authorization | Unlock restricted to HR Admin and Global Admin | Must |
| NFR-SEC-008 | Audit logging | Admin unlock logged | Should |
| NFR-REL-005 | Unlock consistency | Lockout fields updated atomically | Must |
SECTION 10: Constraints & Assumptions
| Constraint ID | Type | Description | Impact |
|---|---|---|---|
| CON-008 | Business | Unlock account belongs to HR Administration dependency | Auth module exposes endpoint only |
| CON-009 | Security | Disabled accounts still cannot login after unlock | Avoid bypassing account status |

| Assumption ID | Description | Risk if Wrong | Validation |
|---|---|---|---|
| ASM-008 | HR Admin may unlock users per permission matrix | Support flow invalid | [CONFIRM - PO] |
| ASM-009 | Unlock resets failed_login_count | Repeat lockout risk | [CONFIRM - Security Lead] |

| Dependency ID | Type | Description | Owner | Status |
|---|---|---|---|---|
| DEP-008 | Internal | HR Administration user management | HR Admin | [TBC - HR Admin] |
| DEP-009 | Internal | Security Configuration lockout | Security Lead | [TBC - Security Lead] |
SECTION 11: Acceptance Criteria Overview
| Feature ID | AC Summary | Test Approach |
|---|---|---|
| F-AUTH-013 | HR Admin redirects to Admin module per D-10 | Both |
| F-AUTH-008 | HR Admin can unlock locked account with permission | Both |
| F-AUTH-012 | HR Admin logout invalidates session | Both |
| F-AUTH-014 | HR Admin timeout blocks protected admin access | Automated |

| Criteria | Description | Verification Method |
|---|---|---|
| Functional | Admin auth and unlock work | Test execution |
| Security | Non-admin unlock denied | Security test |
| Audit | Login and unlock events logged | Log review |
| Usability | Admin receives clear unlock result | UAT |
================================================================
BUSINESS REQUIREMENTS DOCUMENT
Document ID : BRD-PER-05-M-AUTH-01
Module : M-AUTH-01 - Login & Authentication
Persona : Global Admin
Version : 1.0
Status : DRAFT
Author : GPT-generated BA
Created Date : 2026-06-04
Last Updated : 2026-06-04
Reviewed By : [TBC - PO]
Approved By : [TBC - PO]
SECTION 1: Executive Summary
1.1 Document Purpose
This BRD describes the authentication behavior for Global Admin, covering login, Admin module redirect, logout, session timeout, account unlock and the Global Admin exceptions to lockout and password expiry per the Decision Registry.
1.2 Scope
| Aspect | Description |
|---|---|
| In-Scope | F-AUTH-003, F-AUTH-008, F-AUTH-010, F-AUTH-012, F-AUTH-013, F-AUTH-014 |
| Out-of-Scope | Full system admin settings UI, audit report dashboard, SSO |
| Assumptions | Global Admin has broad system role and exceptions per D-03 and D-05 |
1.3 Target Audience
| Audience | Purpose |
|---|---|
| Product Owner | Confirm Global Admin auth behavior |
| Development Team | Implement exception logic |
| QA Team | Test privileged auth scenarios |
| Security Lead | Review admin exceptions |
SECTION 2: Stakeholder Analysis
| Attribute | Description |
|---|---|
| Persona ID | PER-05 |
| Name | Global Admin |
| Role | System-wide administration |
| Department | System Administration |
| Primary Goals | Access full admin area and support locked users |
| Pain Points | Need exception from lockout and expiry rules |
| Success Metrics | Global Admin redirect and exception rules work as approved |

| Stakeholder | Role | Interest Level | Influence Level |
|---|---|---|---|
| HR Admin | Lower admin role | Medium | Medium |
| Security Lead | Owns exception risk | High | High |
| System | Enforces rules | High | High |
| PO | Approves role redirect | High | High |

| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Define requirements | BA | PO | Security Lead | Team |
| Approve requirements | PO | PO | Security Lead | Team |
| Implement | Dev Team | Tech Lead | BA | PO |
| Test | QA Team | QA Lead | Security Lead | PO |
SECTION 3: Business Objectives & KPIs
| Objective ID | Objective | Alignment | Priority |
|---|---|---|---|
| OBJ-001 | Enable highest privilege admin login | OBJ-01 | Must |
| OBJ-002 | Prevent unauthorized access despite admin exceptions | OBJ-02 | Must |
| OBJ-003 | Support account unlock capability | OBJ-02 | Should |

| KPI ID | KPI Name | Current | Target | Measurement Method |
|---|---|---|---|---|
| KPI-001 | Global Admin login success | [TBC - PO] | >= 98 percent of active admins | LoginAttempt |
| KPI-002 | Unauthorized admin incident | [TBC - Security Lead] | 0 incidents | Security audit |
| KPI-003 | Exception behavior coverage | [TBC - QA Lead] | 100 percent | Automated tests |

| Criteria ID | Description | Measurement | Target |
|---|---|---|---|
| SC-001 | Global Admin reaches Admin module | Functional test | 100 percent |
| SC-002 | Lockout and expiry exceptions follow D-03/D-05 | Security test | 100 percent |
SECTION 4: Functional Requirements
| Req ID | Requirement | Feature ID | Priority | Complexity |
|---|---|---|---|---|
| REQ-AUTH-025 | Authenticate Global Admin | F-AUTH-003 | Must | Medium |
| REQ-AUTH-026 | Redirect Global Admin to Admin module | F-AUTH-013 | Must | Medium |
| REQ-AUTH-027 | Exempt Global Admin from account lockout | F-AUTH-008 | Should | Medium |
| REQ-AUTH-028 | Exempt Global Admin from password expiry | F-AUTH-010 | Should | Medium |
| REQ-AUTH-029 | Logout Global Admin session | F-AUTH-012 | Must | Low |
| REQ-AUTH-030 | Expire inactive Global Admin session | F-AUTH-014 | Must | Medium |

| Req ID | Name | Description | Related Feature | Source | Rationale |
|---|---|---|---|---|---|
| REQ-AUTH-027 | Lockout exception | Global Admin exempt from 5-attempt lockout per D-03 | F-AUTH-008 | Decision Registry | Preserve emergency admin access |
| REQ-AUTH-028 | Expiry exception | Global Admin exempt from password expiry per D-05 | F-AUTH-010 | Decision Registry | Preserve admin availability |
| REQ-AUTH-030 | Session timeout | Global Admin still subject to session timeout per D-09 | F-AUTH-014 | Decision Registry | Prevent unattended privileged access |

| Item | Description |
|---|---|
| Input | username, password, role assignment, session token |
| Processing | Validate credential, role, exception logic, session |
| Output | Admin module, session state, unlock result |
| Validation | Invalid credential remains INVALID_CREDENTIALS 401; invalid session is UNAUTHORIZED 401 |

| Dependency | Type | Description |
|---|---|---|
| User Role Management | Hard | Global Admin role assignment |
| Security Configuration | Hard | Lockout, expiry, timeout settings |
| HR Administration | Hard | Unlock target accounts |
SECTION 5: Business Process Flows
| Process ID | Process Name | Trigger | End State | Actor |
|---|---|---|---|---|
| PROC-AUTH-013 | Global Admin login | Submit credential | Admin module displayed | PER-05 |
| PROC-AUTH-014 | Global Admin exception handling | Failed attempts or expired password | Exception applied or login denied | PER-05 |
| PROC-AUTH-015 | Global Admin session end | Logout or inactivity | Session ended | PER-05 |

| Step | Actor | Action | System Response | Business Rule | Next Step | Alternative |
|---|---|---|---|---|---|---|
| 1 | PER-05 | Submit credential | Validate username/password | BR-AUTH-004/BR-AUTH-005 | 2 | 1a |
| 1a | System | Credential invalid | Show Invalid credentials | BR-AUTH-005 | End | N/A |
| 2 | System | Detect Global Admin role | Apply D-03/D-05 exceptions | BR-AUTH-007/BR-AUTH-008 | 3 | N/A |
| 3 | System | Create active session | Redirect Admin module | BR-AUTH-014 | 4 | N/A |
| 4 | PER-05 | Logout or inactive timeout | End session | BR-AUTH-015/BR-AUTH-016 | End | N/A |
Text diagram:
[Global Admin login] -> [Credential valid] -> [Apply admin exceptions]
-> [Admin module] -> [Logout or timeout]
| Exception | Trigger | Handling | Recovery |
|---|---|---|---|
| EX-AUTH-014 | Credential invalid | INVALID_CREDENTIALS 401 | Retry with valid credential |
| EX-AUTH-015 | Account disabled | ACCOUNT_DISABLED 423 or Invalid credentials per D-12 display | Security Lead review |
| EX-AUTH-016 | Session expired | UNAUTHORIZED 401 | Login again |
SECTION 6: Use Case Summary
| UC ID | Use Case Name | Primary Actor | Priority | Complexity |
|---|---|---|---|---|
| UC-AUTH-018 | Global Admin login | PER-05 | Must | M |
| UC-AUTH-019 | Apply Global Admin exceptions | PER-05 | Should | M |
| UC-AUTH-020 | Global Admin unlock account | PER-05 | Should | M |
| UC-AUTH-021 | Global Admin session timeout | PER-05 | Must | M |

| Attribute | Description |
|---|---|
| UC ID | UC-AUTH-019 |
| Name | Apply Global Admin exceptions |
| Primary Actor | PER-05 |
| Secondary Actors | System |
| Preconditions | Global Admin credential submitted |
| Postconditions | Lockout/expiry exception applied where allowed |
| Trigger | Login validation reaches policy checks |

| Step | Actor | Action | System Response |
|---|---|---|---|
| 1 | System | Identify Global Admin role | Exception path selected |
| 2 | System | Check lockout policy | No lockout applied per D-03 |
| 3 | System | Check password expiry | No expiry redirect per D-05 |
| 4 | System | Continue login | Session created if credential valid |

| Alt ID | Condition | Steps |
|---|---|---|
| ALT-1 | Account Disabled | Deny login per D-12 |

| Exc ID | Condition | Steps |
|---|---|---|
| EXC-1 | Role lookup unavailable | INTERNAL_ERROR 500 and security log |
SECTION 7: Business Rules
| Rule ID | Rule Name | Category | Priority | Enforcement |
|---|---|---|---|---|
| BR-AUTH-007 | Password expiry | Security | Should | System |
| BR-AUTH-008 | Account lockout | Security | Should | System |
| BR-AUTH-010 | Disabled account | Authorization | Must | System |
| BR-AUTH-014 | Role redirect | Workflow | Must | System |
| BR-AUTH-015 | Session timeout | Security | Must | System |

| Rule ID | Condition | Action | Exception | Error Message | Related Requirements |
|---|---|---|---|---|---|
| BR-AUTH-008 | WHEN failed login count reaches 5 | THEN lock for 30 minutes | EXCEPT Global Admin | Account locked | REQ-AUTH-027 |
| BR-AUTH-007 | WHEN password older than 30 days | THEN redirect change password | EXCEPT Global Admin | Password expired | REQ-AUTH-028 |
| BR-AUTH-014 | WHEN Global Admin login succeeds | THEN redirect Admin module | No role -> Dashboard | N/A | REQ-AUTH-026 |

| Scenario | Input | Expected Result |
|---|---|---|
| Valid case | Global Admin valid credential | Admin module displayed |
| Invalid case | Global Admin account disabled | Login denied per D-12 |
SECTION 8: Data Requirements
| Entity | Description | Owner | Sensitivity |
|---|---|---|---|
| UserAccount | Global Admin account and status | M-AUTH-01 | Confidential |
| UserRole | Global Admin role | User Role Management | Internal |
| UserRoleAssignment | Role membership | User Role Management | Internal |
| AuthSession | Admin session | M-AUTH-01 | Confidential |

| Entity | Field | Type | Required | Unique | Default | Validation | Description |
|---|---|---|---|---|---|---|---|
| UserRole | role_code | String(50) | Yes | Yes (global) | none | Existing role code | Global Admin detection |
| UserAccount | failed_login_count | Integer | Yes | No | 0 | >= 0 | Lockout calculation |
| UserAccount | password_expires_at | DateTime | Yes | No | now plus 30 days | Valid datetime | Expiry calculation |
| AuthSession | status | Enum | Yes | No | Active | Active, Expired, LoggedOut | Session state |

| From Entity | To Entity | Relationship | Description |
|---|---|---|---|
| UserAccount | UserRoleAssignment | 1-N | Global Admin role assignment |
| UserRole | UserRoleAssignment | 1-N | Role assigned to account |
| UserAccount | AuthSession | 1-N | Session tracking |
SECTION 9: Non-Functional Requirements
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-PERF-006 | Admin login response | p95 < 500ms | Must |
| NFR-SEC-009 | Privileged session timeout | Enforced per D-09 | Must |
| NFR-SEC-010 | Exception audit | Log Global Admin exception paths | Should |
| NFR-REL-006 | Role lookup reliability | No bypass if role lookup fails | Must |
SECTION 10: Constraints & Assumptions
| Constraint ID | Type | Description | Impact |
|---|---|---|---|
| CON-010 | Security | Global Admin exception is intentional training requirement | Security Lead must approve |
| CON-011 | Business | Disabled account still denied even for Global Admin | Prevent unsafe bypass |

| Assumption ID | Description | Risk if Wrong | Validation |
|---|---|---|---|
| ASM-010 | Global Admin is exempt from lockout per D-03 | Tests mismatch policy | [CONFIRM - Security Lead] |
| ASM-011 | Global Admin is exempt from expiry per D-05 | Tests mismatch policy | [CONFIRM - Security Lead] |
| ASM-012 | Global Admin still subject to session timeout | Privileged session risk | [CONFIRM - PO/Tech Lead] |

| Dependency ID | Type | Description | Owner | Status |
|---|---|---|---|---|
| DEP-010 | Internal | User Role Management | PO | [TBC - PO] |
| DEP-011 | Internal | Security Configuration | Security Lead | [TBC - Security Lead] |
SECTION 11: Acceptance Criteria Overview
| Feature ID | AC Summary | Test Approach |
|---|---|---|
| F-AUTH-013 | Global Admin redirects to Admin module | Both |
| F-AUTH-008 | Global Admin lockout exception follows D-03 | Automated |
| F-AUTH-010 | Global Admin expiry exception follows D-05 | Automated |
| F-AUTH-014 | Global Admin session timeout follows D-09 | Automated |

| Criteria | Description | Verification Method |
|---|---|---|
| Functional | Global Admin auth flow works | Test execution |
| Security | Exceptions are limited and audited | Security review |
| Reliability | Role lookup failure does not grant access | Fault test |
| Usability | Session end behavior clear | UAT |
================================================================
BUSINESS REQUIREMENTS DOCUMENT
Document ID : BRD-PER-06-M-AUTH-01
Module : M-AUTH-01 - Login & Authentication
Persona : System
Version : 1.0
Status : DRAFT
Author : GPT-generated BA
Created Date : 2026-06-04
Last Updated : 2026-06-04
Reviewed By : [TBC - Tech Lead]
Approved By : [TBC - PO]
SECTION 1: Executive Summary
1.1 Document Purpose
This BRD describes the requirements for the System actor, i.e. the authentication service that handles credential validation, login attempt logging, lockout, captcha, OTP, session creation, session timeout, logout and role-based redirect.
1.2 Scope
| Aspect | Description |
|---|---|
| In-Scope | F-AUTH-003, F-AUTH-005, F-AUTH-008, F-AUTH-009, F-AUTH-010, F-AUTH-011, F-AUTH-012, F-AUTH-013, F-AUTH-014 |
| Out-of-Scope | SSO identity provider, audit report dashboard, mobile biometric login |
| Assumptions | System has access to UserAccount, Employee, roles, session, reset token and OTP data |
1.3 Target Audience
| Audience | Purpose |
|---|---|
| Product Owner | Approve system behavior |
| Development Team | Backend implementation reference |
| QA Team | API and integration test design |
| Security Lead | Validate security and error catalog compliance |
SECTION 2: Stakeholder Analysis
| Attribute | Description |
|---|---|
| Persona ID | PER-06 |
| Name | System |
| Role | Authentication service |
| Department | Platform backend |
| Primary Goals | Validate auth flows consistently and securely |
| Pain Points | SMTP, Captcha, Authenticator dependency failures |
| Success Metrics | Correct error codes, audit logs, session state transitions |

| Stakeholder | Role | Interest Level | Influence Level |
|---|---|---|---|
| Anonymous User | Supplies credential and recovery data | High | Medium |
| Authenticated User | Owns session lifecycle | High | Medium |
| HR Admin | Uses unlock function | Medium | Medium |
| Security Lead | Owns auth policy | High | High |

| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Define requirements | BA | PO | Tech Lead | Team |
| Approve requirements | PO | PO | Security Lead | Team |
| Implement | Dev Team | Tech Lead | BA | PO |
| Test | QA Team | QA Lead | Tech Lead | PO |
SECTION 3: Business Objectives & KPIs
| Objective ID | Objective | Alignment | Priority |
|---|---|---|---|
| OBJ-001 | Validate legitimate user access securely | OBJ-01 | Must |
| OBJ-002 | Block unauthorized access | OBJ-02 | Must |
| OBJ-003 | Record login attempts for audit | OBJ-02 | Should |
| OBJ-004 | Support training defect discovery | OBJ-04 | Should |

| KPI ID | KPI Name | Current | Target | Measurement Method |
|---|---|---|---|---|
| KPI-001 | Login validation p95 | [TBC - Tech Lead] | < 500ms | APM |
| KPI-002 | Login attempt logging coverage | [TBC - QA Lead] | 100 percent of successes and failures | Audit test |
| KPI-003 | Auth availability | [TBC - Tech Lead] | 99.9 percent | Monitoring |
| KPI-004 | Unauthorized successful login | [TBC - Security Lead] | 0 incidents | Security audit |

| Criteria ID | Description | Measurement | Target |
|---|---|---|---|
| SC-001 | All auth decisions follow R5 error catalog | API tests | 100 percent |
| SC-002 | All Decision Registry defaults followed | Requirement review | 100 percent |
SECTION 4: Functional Requirements
| Req ID | Requirement | Feature ID | Priority | Complexity |
|---|---|---|---|---|
| REQ-AUTH-031 | Validate credentials | F-AUTH-003 | Must | Medium |
| REQ-AUTH-032 | Log login attempts | F-AUTH-003 | Should | Medium |
| REQ-AUTH-033 | Apply invalid credential response | F-AUTH-005 | Must | Low |
| REQ-AUTH-034 | Apply lockout policy | F-AUTH-008 | Should | Medium |
| REQ-AUTH-035 | Apply captcha policy | F-AUTH-009 | Should | Medium |
| REQ-AUTH-036 | Detect password expiry | F-AUTH-010 | Should | Medium |
| REQ-AUTH-037 | Validate OTP | F-AUTH-011 | Could | High |
| REQ-AUTH-038 | Create, expire, and log out sessions | F-AUTH-012/F-AUTH-014 | Must | Medium |
| REQ-AUTH-039 | Resolve role-based redirect | F-AUTH-013 | Must | Medium |
| Req ID | Name | Description | Related Feature | Source | Rationale |
|---|---|---|---|---|---|
| REQ-AUTH-031 | Credential validation | Normalize username, verify the password against the stored hash, check account and employee status | F-AUTH-003 | 00-context.md | Core auth decision |
| REQ-AUTH-034 | Lockout policy | Lock non-exempt account for 30 minutes after 5 failed attempts | F-AUTH-008 | D-03 | Reduce brute-force risk |
| REQ-AUTH-037 | OTP validation | Validate OTP against an active TwoFactorAuthDevice | F-AUTH-011 | D-08 | Enforce second factor |
| REQ-AUTH-038 | Session lifecycle | Create, update, expire, and log out AuthSession | F-AUTH-012/F-AUTH-014 | D-09 | Control authenticated access |
| Item | Description |
|---|---|
| Input | username, password, captcha, otp_code, session_id, user_id |
| Processing | Field validation, password hash comparison, failed-attempt counters, lockout, token/session updates, role lookup |
| Output | Redirect, session, error code, audit log |
| Validation | R5 catalog: BAD_REQUEST 400, INVALID_CREDENTIALS 401, ACCOUNT_LOCKED 423, CAPTCHA_REQUIRED 429, DEPENDENCY_UNAVAILABLE 503 |
| Dependency | Type | Description |
|---|---|---|
| Database | Hard | Persist users, sessions, attempts, reset tokens |
| SMTP Server | Hard | Password reset email |
| Captcha Service | Soft | Captcha verification |
| Authenticator App | Hard | OTP verification in Phase 3 |
| Security Configuration | Hard | Policy thresholds and timeout |
SECTION 5: Business Process Flows
| Process ID | Process Name | Trigger | End State | Actor |
|---|---|---|---|---|
| PROC-AUTH-016 | Credential validation engine | POST /validate | Authenticated, OTP Required, or denied | PER-06 |
| PROC-AUTH-017 | Security policy enforcement | Failed attempts or password expiry | Lockout, captcha, expiry redirect | PER-06 |
| PROC-AUTH-018 | Session lifecycle | Login, activity, logout, timeout | Active, Expired, LoggedOut | PER-06 |
| Step | Actor | Action | System Response | Business Rule | Next Step | Alternative |
|---|---|---|---|---|---|---|
| 1 | PER-06 | Receive login request | Validate request structure | BR-AUTH-001/BR-AUTH-002 | 2 | 1a |
| 1a | PER-06 | Missing field | Return BAD_REQUEST 400 | BR-AUTH-001/BR-AUTH-002 | End | N/A |
| 2 | PER-06 | Normalize username | Lookup UserAccount | BR-AUTH-004 | 3 | 2a |
| 2a | PER-06 | Account not found or not usable (disabled, or employee not eligible) | Return the generic invalid credential response per D-12 | BR-AUTH-010 | End | N/A |
| 3 | PER-06 | Validate password against stored hash | Record LoginAttempt | BR-AUTH-005 | 4 | 3a |
| 3a | PER-06 | Invalid password | Increment failed count; lock the account or require captcha once the threshold is reached | BR-AUTH-008/BR-AUTH-009 | End | N/A |
| 4 | PER-06 | Check password expiry | Redirect to change password if required | BR-AUTH-007 | 5 | 4a |
| 4a | PER-06 | Global Admin | Skip expiry check per D-05 | BR-AUTH-007 | 5 | N/A |
| 5 | PER-06 | Check 2FA | Create OTP challenge if required | BR-AUTH-013 | 6 | 5a |
| 5a | PER-06 | 2FA not active [TBC - Security Lead] | Create session | BR-AUTH-013 | 6 | N/A |
| 6 | PER-06 | Resolve role | Redirect by role | BR-AUTH-014 | End | N/A |
Text diagram:
[Request] -> [Validate fields] -> [Lookup account] -> [Check password]
-> [Failure: attempt log, lockout/captcha]
-> [Expiry: change password]
-> [OTP: challenge]
-> [Session + role redirect]
| Exception | Trigger | Handling | Recovery |
|---|---|---|---|
| EX-AUTH-017 | Malformed request | BAD_REQUEST 400 | Client fixes request |
| EX-AUTH-018 | Rate limit exceeded | TOO_MANY_ATTEMPTS 429 | Retry after the limit window |
| EX-AUTH-019 | Captcha service unavailable | DEPENDENCY_UNAVAILABLE 503 | Retry or fallback [TBC - Security Lead] |
| EX-AUTH-020 | SMTP unavailable | DEPENDENCY_UNAVAILABLE 503 | Retry recovery email |
| EX-AUTH-021 | Authenticator unavailable | DEPENDENCY_UNAVAILABLE 503 | Retry OTP validation |
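The reference model below is an added example written for this review; it is not OrangeHRM code and not part of the original BRD. It walks PROC-AUTH-016 (and the same flow as UC-AUTH-022) end to end with the R5 codes listed in the Validation row (BAD_REQUEST 400, INVALID_CREDENTIALS 401, ACCOUNT_LOCKED 423, CAPTCHA_REQUIRED 429) plus the PASSWORD_EXPIRED 401 of ALT-1, and applies BR-AUTH-004/005/007/008/009/010/013/014 with the D-03/D-04 thresholds exactly as this document states them. Everything else is an assumption made for the example: the PBKDF2 parameters, the decoy hash that makes an unknown username cost the same as a wrong password, checking lock state and captcha before the password comparison, keeping the failed counter across lock expiry so BR-AUTH-009 still has an effect on non-exempt accounts, the 200/OTP_REQUIRED shape of the challenge response, the role-to-path map standing in for D-10, and the in-memory stores. OTP verification itself (REQ-AUTH-037) is left out.

```python
"""Reference model of PROC-AUTH-016 / UC-AUTH-022 (credential validation engine).
Added example, not OrangeHRM code. D-03/D-04 thresholds are as this BRD states them; PBKDF2
parameters, decoy hash, role-to-path map, OTP_REQUIRED shape and in-memory state are assumptions."""
from __future__ import annotations
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCKOUT_THRESHOLD, LOCKOUT_DURATION = 5, timedelta(minutes=30)            # D-03 / ASM-013
CAPTCHA_THRESHOLD = 5                                                     # D-04 / ASM-014
ROLE_REDIRECTS = {"Global Admin": "/admin", "ESS": "/pim/viewMyDetails"}  # assumed D-10 map
DEFAULT_REDIRECT = "/dashboard"                                           # BR-AUTH-014: no role


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, hash) is ever stored (NFR-SEC-011)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserAccount:
    username: str                          # stored normalized (BR-AUTH-004)
    salt: bytes
    pw_hash: bytes
    status: str = "Enabled"                # Enabled | Disabled (BR-AUTH-010)
    employee_active: bool = True           # employee status gate (REQ-AUTH-031)
    roles: tuple[str, ...] = ()
    password_expired: bool = False         # BR-AUTH-007
    two_factor_active: bool = False        # BR-AUTH-013
    lockout_exempt: bool = False           # D-03 locks non-exempt accounts only
    failed_count: int = 0
    locked_until: datetime | None = None


@dataclass
class Outcome:
    status: int                            # HTTP status from the R5 catalog
    code: str                              # OK or R5 error code
    next_step: str | None = None           # redirect target or pending challenge


class AuthEngine:
    def __init__(self, users: list[UserAccount], now: datetime | None = None):
        self.users = {u.username: u for u in users}
        self.attempts: list[tuple[str, bool, str | None]] = []   # LoginAttempt rows (NFR-SEC-014)
        self.now = now                     # fixed clock for tests; None = wall clock
        # Decoy credential: an unknown username costs one full hash, exactly like a wrong
        # password, so the generic D-12 answer does not leak account existence via timing.
        self._decoy = hash_password(os.urandom(16).hex())

    @staticmethod
    def normalize(username: str) -> str:
        return username.strip().casefold()  # BR-AUTH-004: case-insensitive identifier

    def validate(self, username: str | None, password: str | None,
                 captcha_ok: bool = False, otp_code: str | None = None) -> Outcome:
        if not username or not password:                          # step 1: BR-AUTH-001/002
            return Outcome(400, "BAD_REQUEST")
        user = self.users.get(self.normalize(username))            # step 2: normalized lookup
        if user is None or user.status != "Enabled" or not user.employee_active:
            salt, digest = self._decoy if user is None else (user.salt, user.pw_hash)
            hmac.compare_digest(hash_password(password, salt)[1], digest)  # equalize cost
            self.attempts.append((username, False, "account_not_usable"))
            return Outcome(401, "INVALID_CREDENTIALS")             # generic denial (D-12)
        now = self.now or datetime.now(timezone.utc)
        if user.locked_until and now < user.locked_until:          # EXC-2, before any hashing
            self.attempts.append((username, False, "locked"))
            return Outcome(423, "ACCOUNT_LOCKED")
        if user.failed_count >= CAPTCHA_THRESHOLD and not captcha_ok:   # BR-AUTH-009
            return Outcome(429, "CAPTCHA_REQUIRED")
        if not hmac.compare_digest(hash_password(password, user.salt)[1], user.pw_hash):
            user.failed_count += 1                                 # step 3a: BR-AUTH-005
            self.attempts.append((username, False, "bad_password"))
            if user.failed_count >= LOCKOUT_THRESHOLD and not user.lockout_exempt:
                user.locked_until = now + LOCKOUT_DURATION         # BR-AUTH-008
                return Outcome(423, "ACCOUNT_LOCKED")
            return Outcome(401, "INVALID_CREDENTIALS")
        user.failed_count, user.locked_until = 0, None             # counters reset on success only
        self.attempts.append((username, True, None))
        if user.password_expired and "Global Admin" not in user.roles:  # step 4, D-05 exemption
            return Outcome(401, "PASSWORD_EXPIRED", "change_password")
        if user.two_factor_active and otp_code is None:            # step 5; OTP check is REQ-AUTH-037
            return Outcome(200, "OTP_REQUIRED", "otp_challenge")
        target = next((ROLE_REDIRECTS[r] for r in user.roles if r in ROLE_REDIRECTS), DEFAULT_REDIRECT)
        return Outcome(200, "OK", target)                          # step 6: BR-AUTH-014


def make_user(username: str, password: str, **fields) -> UserAccount:
    salt, digest = hash_password(password)
    return UserAccount(AuthEngine.normalize(username), salt, digest, **fields)


def demo() -> list[str]:
    """Constructed scenario: five failures lock the account, the lock expires, captcha gates
    the next login, and a captcha-backed valid login clears the counters. Returns codes seen."""
    engine = AuthEngine([make_user("Alice", "correct horse")],
                        now=datetime(2026, 6, 4, 9, 0, tzinfo=timezone.utc))
    codes = [engine.validate("ALICE", "wrong").code for _ in range(5)]   # 4 x 401, then 423
    codes.append(engine.validate("alice", "correct horse").code)          # still locked: 423
    engine.now += timedelta(minutes=31)                                   # lock window has passed
    codes.append(engine.validate("alice", "correct horse").code)          # CAPTCHA_REQUIRED
    codes.append(engine.validate("alice", "correct horse", captcha_ok=True).code)  # OK
    return codes
```

Two points worth carrying into the real implementation. First, the generic INVALID_CREDENTIALS answer of D-12 only hides account existence if the unknown-username path does the same amount of work as the wrong-password path, which is what the decoy hash is for. Second, ACCOUNT_LOCKED 423 and CAPTCHA_REQUIRED 429 are only ever returned for usernames that exist, so they confirm a username to whoever triggers them; that is a trade-off between the R5 catalog as listed here and D-12, and the Security Lead should sign it off explicitly rather than inherit it.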
SECTION 6: Use Case Summary
| UC ID | Use Case Name | Primary Actor | Priority | Complexity |
|---|---|---|---|---|
| UC-AUTH-022 | Validate login request | PER-06 | Must | M |
| UC-AUTH-023 | Enforce lockout and captcha | PER-06 | Should | M |
| UC-AUTH-024 | Validate password reset token | PER-06 | Should | M |
| UC-AUTH-025 | Validate OTP challenge | PER-06 | Could | L |
| UC-AUTH-026 | Manage session lifecycle | PER-06 | Must | M |
| Attribute | Description |
|---|---|
| UC ID | UC-AUTH-022 |
| Name | Validate login request |
| Primary Actor | PER-06 |
| Secondary Actors | PER-01 |
| Preconditions | Login request submitted |
| Postconditions | Login accepted, denied, or additional auth required |
| Trigger | POST /web/index.php/auth/validate |
| Step | Actor | Action | System Response |
|---|---|---|---|
| 1 | PER-06 | Validate required fields | BAD_REQUEST 400 if invalid |
| 2 | PER-06 | Lookup normalized username | UserAccount found or generic denial |
| 3 | PER-06 | Validate password | Success or INVALID_CREDENTIALS 401 |
| 4 | PER-06 | Apply security checks | Lockout, captcha, expiry, OTP |
| 5 | PER-06 | Create session or challenge | Redirect or OTP required |
| Alt ID | Condition | Steps |
|---|---|---|
| ALT-1 | Password expired | Return PASSWORD_EXPIRED 401 and route to change password |
| ALT-2 | OTP required | Create challenge and require otp_code |
| Exc ID | Condition | Steps |
|---|---|---|
| EXC-1 | Dependency unavailable | Return DEPENDENCY_UNAVAILABLE 503 and log at ERROR level |
| EXC-2 | Locked account | Return ACCOUNT_LOCKED 423 |
SECTION 7: Business Rules
| Rule ID | Rule Name | Category | Priority | Enforcement |
|---|---|---|---|---|
| BR-AUTH-001 | Username required | Validation | Must | System |
| BR-AUTH-002 | Password required | Validation | Must | System |
| BR-AUTH-004 | Username is case-insensitive | Validation | Must | System |
| BR-AUTH-005 | Invalid credential | Security | Must | System |
| BR-AUTH-007 | Password expiry | Security | Should | System |
| BR-AUTH-008 | Account lockout | Security | Should | System |
| BR-AUTH-009 | Captcha threshold | Security | Should | System |
| BR-AUTH-010 | Disabled account | Authorization | Must | System |
| BR-AUTH-013 | 2FA required | Security | Could | System |
| BR-AUTH-014 | Role redirect | Workflow | Must | System |
| BR-AUTH-015 | Session timeout | Security | Must | System |
| BR-AUTH-016 | Logout own session | Authorization | Must | System |
| Rule ID | Condition | Action | Exception | Error Message | Related Requirements |
|---|---|---|---|---|---|
| BR-AUTH-004 | WHEN username casing differs | THEN treat as the same username | EXCEPT none | N/A | REQ-AUTH-031 |
| BR-AUTH-005 | WHEN credential invalid | THEN return the generic invalid credentials response | EXCEPT none | Invalid credentials | REQ-AUTH-033 |
| BR-AUTH-009 | WHEN failed count reaches 5 | THEN require captcha on the next login | EXCEPT none | Captcha is required | REQ-AUTH-035 |
| BR-AUTH-014 | WHEN login succeeds | THEN redirect by role | No role -> Dashboard | N/A | REQ-AUTH-039 |
| Scenario | Input | Expected Result |
|---|---|---|
| Valid case | Active user, valid credential | Session or OTP challenge created |
| Invalid case | Disabled account, valid credential | Denied with the generic message per D-12 |
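An added example for PROC-AUTH-018, REQ-AUTH-038 and BR-AUTH-015/016 (not OrangeHRM code and not part of the original BRD): an in-memory AuthSession store with the three states Active, Expired and LoggedOut, the transitions login, activity, timeout and logout, and the owner check that BR-AUTH-016 requires. The idle timeout value is a placeholder for D-09, which this document does not quote; the session id size, the cookie name and attributes, and the store itself are assumptions made for the example.

```python
"""Reference model of PROC-AUTH-018 / REQ-AUTH-038: AuthSession lifecycle.
Added example, not OrangeHRM code. IDLE_TIMEOUT stands in for D-09 (value not quoted in this
BRD); the cookie name and the in-memory store are assumptions made for the example."""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=30)      # placeholder for D-09 (BR-AUTH-015), to be confirmed
COOKIE_NAME = "orangehrm_session"         # assumed cookie name


@dataclass
class AuthSession:
    session_id: str
    user_id: str
    created_at: datetime
    last_activity: datetime
    status: str = "Active"                # Active | Expired | LoggedOut


class SessionStore:
    def __init__(self, now: datetime | None = None):
        self.sessions: dict[str, AuthSession] = {}
        self.now = now                    # fixed clock for tests; None = wall clock

    def _time(self) -> datetime:
        return self.now or datetime.now(timezone.utc)

    def advance_clock(self, minutes: int) -> None:
        self.now = self._time() + timedelta(minutes=minutes)

    def create(self, user_id: str) -> AuthSession:
        """Login: a fresh 256-bit id is issued after authentication and no pre-login id is
        reused, so an id planted before login can never become an authenticated one."""
        now = self._time()
        session = AuthSession(secrets.token_urlsafe(32), user_id, now, now)
        self.sessions[session.session_id] = session
        return session

    def touch(self, session_id: str) -> AuthSession | None:
        """Activity: returns the session if still Active and extends it; an idle session is
        flipped to Expired on the first request after the timeout (BR-AUTH-015)."""
        session = self.sessions.get(session_id)
        if session is None or session.status != "Active":
            return None
        now = self._time()
        if now - session.last_activity > IDLE_TIMEOUT:
            session.status = "Expired"
            return None
        session.last_activity = now
        return session

    def logout(self, session_id: str, requesting_user_id: str) -> bool:
        """Logout: only the owner may end an Active session (BR-AUTH-016)."""
        session = self.sessions.get(session_id)
        if session is None or session.status != "Active" or session.user_id != requesting_user_id:
            return False
        session.status = "LoggedOut"
        return True

    def sweep(self) -> int:
        """Background timeout: expire idle Active sessions that no request has touched."""
        now = self._time()
        idle = [s for s in self.sessions.values()
                if s.status == "Active" and now - s.last_activity > IDLE_TIMEOUT]
        for s in idle:
            s.status = "Expired"
        return len(idle)

    @staticmethod
    def cookie_header(session: AuthSession) -> str:
        """Set-Cookie value for the session id; Secure pins it to HTTPS (NFR-SEC-012)."""
        return f"{COOKIE_NAME}={session.session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_demo() -> list[str]:
    """Constructed walk-through with a fixed clock; returns the observations in order."""
    store = SessionStore(now=datetime(2026, 6, 4, 9, 0, tzinfo=timezone.utc))
    s1 = store.create("user-1")
    store.advance_clock(10)
    seen = [store.touch(s1.session_id).status]                 # Active: inside the idle window
    store.advance_clock(31)
    store.touch(s1.session_id)                                  # idle 31 min: flipped to Expired
    seen.append(store.sessions[s1.session_id].status)
    seen.append(str(store.logout(s1.session_id, "user-1")))     # False: no longer Active
    s2 = store.create("user-2")
    seen.append(str(store.logout(s2.session_id, "user-1")))     # False: not the owner
    seen.append(str(store.logout(s2.session_id, "user-2")))     # True
    seen.append(store.sessions[s2.session_id].status)           # LoggedOut
    return seen
```

Expiry is decided on the next request (`touch`) rather than by a timer, so a session that idles past the timeout can never be resumed even if `sweep` has not run yet; `sweep` only cleans up state. `logout` checks ownership before changing state, so a session id alone is not enough to log someone else out. The cookie carries HttpOnly and Secure; the Secure flag is what ties the session to NFR-SEC-012.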
SECTION 8: Data Requirements
| Entity | Description | Owner | Sensitivity |
|---|---|---|---|
| Employee | Employment status for login eligibility | Employee Management | Confidential |
| UserAccount | Core auth identity | M-AUTH-01 | Confidential |
| UserRole | Role definitions | User Role Management | Internal |
| UserRoleAssignment | User-to-role mapping | User Role Management | Internal |
| LoginAttempt | Login audit and failed-count evidence | M-AUTH-01 | Confidential |
| AuthSession | Session lifecycle | M-AUTH-01 | Confidential |
| PasswordResetToken | Recovery token lifecycle | M-AUTH-01 | Confidential |
| TwoFactorAuthDevice | OTP secret and verification metadata | M-AUTH-01 | Confidential |
| Entity | Field | Type | Required | Unique | Default | Validation | Description |
|---|---|---|---|---|---|---|---|
| UserAccount | id | UUID | Yes | Yes (global) | auto | UUID | Primary key |
| UserAccount | username | String(40) | Yes | Yes (global) | none | Required, max 40; uniqueness must ignore case (BR-AUTH-004) | Login identifier |
| UserAccount | email | String(255) | Yes | Yes (global) | none | Valid email | Reset email |
| UserAccount | status | Enum | Yes | No | Enabled | Enabled, Disabled | Account status |
| LoginAttempt | username_submitted | String(40) | Yes | No | none | Required | Submitted username |
| LoginAttempt | failure_reason | String(100) | No | No | null | Max 100 | Failure reason |
| AuthSession | session_id | String(255) | Yes | Yes (global) | generated | Not empty | Session identifier |
| PasswordResetToken | status | Enum | Yes | No | Active | Active, Used, Expired | Reset status |
| TwoFactorAuthDevice | status | Enum | Yes | No | Active | Active, Disabled | OTP device status |
| From Entity | To Entity | Relationship | Description |
|---|---|---|---|
| Employee | UserAccount | 1-N | An employee can have several user accounts |
| UserAccount | LoginAttempt | 1-N | Attempts are recorded per account when the submitted username matches one |
| UserAccount | AuthSession | 1-N | Sessions belong to an account |
| UserAccount | PasswordResetToken | 1-N | Reset tokens belong to an account |
| UserAccount | TwoFactorAuthDevice | 1-N | OTP devices belong to an account |
| UserAccount | UserRoleAssignment | 1-N | Role assignments belong to an account |
SECTION 9: Non-Functional Requirements
| NFR ID | Requirement | Target | Priority |
|---|---|---|---|
| NFR-PERF-007 | Login page load | < 2 seconds | Must |
| NFR-PERF-008 | Login validation response | p95 < 500ms | Must |
| NFR-SEC-011 | Password hashing | Raw password never stored; only a password hash is persisted | Must |
| NFR-SEC-012 | HTTPS | Required for all auth traffic | Must |
| NFR-SEC-013 | Error catalog compliance | R5 codes only | Must |
| NFR-SEC-014 | Audit login attempts | Log success and failure | Should |
| NFR-REL-007 | Auth availability | 99.9 percent | Should |
| NFR-USA-006 | Accessible errors | Screen-reader readable labels and errors | Should |
SECTION 10: Constraints & Assumptions
| Constraint ID | Type | Description | Impact |
|---|---|---|---|
| CON-012 | Technical | Existing OrangeHRM session-based web auth | No JWT requirement introduced |
| CON-013 | Technical | API base path /web/index.php/auth | Endpoints must align with this routing |
| CON-014 | Security | Some policies are training defect seeds | Security Lead and Instructor must confirm |
| Assumption ID | Description | Risk if Wrong | Validation |
|---|---|---|---|
| ASM-013 | Lockout threshold is 5 attempts, lock duration 30 minutes | Test mismatch | [CONFIRM - Security Lead] |
| ASM-014 | Captcha threshold is 5 attempts | UI mismatch | [CONFIRM - Security Lead] |
| ASM-015 | Forgot password reveals "account not found" | User enumeration risk | [CONFIRM - Security/PO] |
| ASM-016 | 2FA required for all users | OTP flow mismatch | [CONFIRM - Security Lead] |
| Dependency ID | Type | Description | Owner | Status |
|---|---|---|---|---|
| DEP-012 | Internal | UserAccount database | Tech Lead | [TBC - Tech Lead] |
| DEP-013 | Internal | Security Configuration | Security Lead | [TBC - Security Lead] |
| DEP-014 | External | SMTP Server | Tech Lead | [TBC - Tech Lead] |
| DEP-015 | External | Captcha Service | Security Lead | [TBC - Security Lead] |
| DEP-016 | External | Authenticator App | Security Lead | [TBC - Security Lead] |
SECTION 11: Acceptance Criteria Overview
| Feature ID | AC Summary | Test Approach |
|---|---|---|
| F-AUTH-003 | Credential validation handles success, invalid, disabled, locked, and expired states | Both |
| F-AUTH-005 | Invalid credential returns INVALID_CREDENTIALS 401 and a generic message | Both |
| F-AUTH-008 | Lockout follows D-03 | Automated |
| F-AUTH-009 | Captcha follows D-04 | Both |
| F-AUTH-010 | Password expiry follows D-05 | Automated |
| F-AUTH-011 | OTP follows D-08 | Both |
| F-AUTH-012 | Logout updates session status | Both |
| F-AUTH-013 | Redirect follows D-10 | Both |
| F-AUTH-014 | Timeout follows D-09 | Automated |
| Criteria | Description | Verification Method |
|---|---|---|
| Functional | System implements all auth decisions | Integration tests |
| Performance | API targets met | Load testing |
| Security | Error catalog and policy defaults followed | Security review |
| Reliability | Dependency failure paths return the correct 503 code | Fault injection |
SECTION 12: Appendix
12.1 Glossary
| Term | Definition |
|---|---|
| Anonymous User | Unauthenticated user; may access login and forgot password |
| AuthSession | Web session established after the user has been authenticated |
| Credential | Username and password submitted by the user |
| Lockout | Temporary locked state after 5 failed logins, per D-03 |
| Captcha | Verification required once the threshold is reached, per D-04 |
| OTP | One-time password used for two-factor authentication |
| Role-based redirect | Post-login redirect determined by role, per D-10 |
| ESS | Employee Self Service role/area |
| Training defect seed | A requirement deliberately included so trainees can discover it and log a bug |
12.2 References
| Document | Version | Location |
|---|---|---|
| Context Block | 1.0 | 00-context.md |
| Module Map | 1.0 | OUTPUT 01-module-map |
| Global Rules | 1.0 | Login & Authentication/prompts/_global-rules.md |
12.3 Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-06-04 | GPT-generated BA | Initial draft |
SELF-CHECK (Global Rules)
- Lint passed: Yes
- Invariant violations fixed: Used M-AUTH-01, F-AUTH, US-AUTH, BR-AUTH, REQ-AUTH and UC-AUTH naming; used Priority values Must/Should/Could only; used Complexity values Low/Medium/High and US sizes S/M/L only; did not use mermaid; used Vietnamese without accents to avoid mojibake.
- Decision Registry refs used: D-01, D-02, D-03, D-04, D-05, D-06, D-07, D-08, D-09, D-10, D-11, D-12.
- Upstream issues found: UI-001 Session timeout added as F-AUTH-014 in 01 though missing in original feature table; UI-002 BR-AUTH-015 and BR-AUTH-016 appear in 01 but not in original context; UI-003 current prompt mentioned HTTP 422 but R5 catalog does not include it, so BAD_REQUEST 400 was used.