🏠 Overview 🧩 Components 🧩 Access Denial Service

Access Denial Service

Component Detail

Service Layer low complexity mobile
2
Dependencies
1
Dependents
2
Entities
0
Integrations

Description

Service responsible for determining that the current user's role is blocked from mobile access and providing the appropriate admin portal URL for the no-access screen. Coordinates with the role-based access control layer to evaluate role permissions.

Feature: No-Access Screen for Restricted Roles

access-denial-service

Summaries

The Access Denial Service enforces organizational security policy by programmatically preventing users with administrative-only roles from accessing the mobile application, where their elevated privileges could create compliance risks or workflow confusion. By centralizing role-based mobile access control, this service reduces the risk of accidental data exposure, simplifies audit trails, and ensures governance policies are consistently applied without relying on manual processes. It also improves the user experience for blocked users by surfacing the correct admin portal URL for their organization, reducing support ticket volume and directing users to the appropriate tool immediately.

This is a low-complexity service component but acts as a critical dependency for the No-Access Screen and the route guard system, meaning it must be completed early in the sprint to unblock downstream UI work. It depends on the No-Access Route Guard and the No-Access Config Repository, so those must be scoped and delivered in the same iteration or prior. Testing requirements include unit tests for isMobileAccessDenied() covering all defined UserRole values, and integration tests for getAdminPortalUrl() against the config repository. Any delay in defining the list of blocked roles or the config data structure will directly impact the delivery timeline for the access denial feature.

AccessDenialService is a mobile-layer service that wraps the role-based access control (RBAC) evaluation logic for mobile-specific permission checks. The isMobileAccessDenied(UserRole role) method checks the given role against a configurable blocklist sourced from NoAccessConfigRepository, returning a boolean used by the route guard. getAdminPortalUrl(String organizationId) queries the config repository for the organization-specific admin portal URL surfaced on the no-access screen. getBlockedRoles() exposes the full blocklist for inspection or UI rendering.

The service should expose a reactive notifier or stream so NoAccessRouteGuard can subscribe to role changes and trigger navigation without polling. Data model dependency is user_role; ensure UserRole enum values are synchronized with the backend role definitions to avoid silent mismatches.

Responsibilities

  • Check whether the authenticated user's role is permitted for mobile app access
  • Return the configured admin portal URL for the blocked user's organization
  • Expose a stream or notifier that the router guard subscribes to for navigation decisions

Interfaces

isMobileAccessDenied(UserRole role): bool
getAdminPortalUrl(String organizationId): String
getBlockedRoles(): List<UserRole>

Relationships

Dependencies (2)

Components this component depends on

data No-Access Configuration Repository service No-Access Route Guard Shared

Dependents (1)

Components that depend on this component

ui No-Access Screen

Related Data Entities (2)

Data entities managed by this component

User 13 fields core User Role 13 fields core

API Contract

View full contract →
REST /api/v1/access-denial 3 endpoints
GET /api/v1/access-denial/blocked-roles Get all roles blocked from mobile access
GET /api/v1/access-denial/check Check whether a given role is denied mobile access
GET /api/v1/access-denial/admin-portal-url Get the admin portal redirect URL for an organization