One identity, many roles
LuxPay treats the human as a person first. The person then receives memberships in businesses, each with its own role, scope, and status. A user does not need a new identity for every branch, and identity alone never grants financial authority in a business.
What belongs to each layer?
- Person: name, verified phone, recovery methods, and devices.
- Membership: the relationship between the person and a business.
- Role: the set of permitted actions.
- Scope: the business or branches where the role applies.
- Operational decision: permission at the moment of action based on state and limits.
Practical example
Ahmed can own a personal wallet, work as a cashier in branch one, and have read-only review authority in branch two. His identity does not change at sign-in, but every action is evaluated against the active membership, branch, and role.
Important controls
- Revoking a membership does not delete the person identity or personal history.
- Changing a role does not rewrite past transactions.
- Branch context should not come from an untrusted input when it can be derived from the session and device.
- Sensitive actions can require approval or step-up verification even when the role generally permits them.
This model supports Roles and permissions and Trusted devices.