Auth / RBAC

DiyaOS Control Plane

Platforms: 1
Tenants: 3
Platform admins: 1
Tenant admins: 1
Credentials: 6
OTP due: 2
Apps ready: 4

Shared Auth Backend

fastapi
diyaos-auth https://auth.diyaos.local
OpenAPI https://auth.diyaos.local/openapi.json
Health https://auth.diyaos.local/health

Agent Protocols

MCP / A2A
OpenAPI active contract
MCP planned
A2A planned
Domains standalone ready

App Integration Readiness

4 apps
DiyaOS Control Plane implemented
Issuer
https://auth.diyaos.com
Standalone
os.diyaos.com, diyaos.com, admin.diyaos.com, account.diyaos.com, os.diyaos.local
Integrated
/apps/os
Backend
fastapi / diyaos-auth
Flags: sharedAuth, standaloneDomains, redirectUris, openApi, mcp, a2a
Diya Email Console implemented
Issuer
https://auth.diyaos.local
Standalone
email.diyaos.local
Integrated
/apps/email
Backend
fastapi / diyaos-email
Flags: sharedAuth, standaloneDomains, redirectUris, openApi, mcp, a2a
Diya Brand House implemented
Issuer
https://auth.diyaos.local
Standalone
brand.diyaos.local
Integrated
/apps/brand
Backend
fastapi / diyaos-brand-api
Flags: sharedAuth, standaloneDomains, redirectUris, openApi, mcp, a2a
Diya Vault planned
Issuer
https://auth.diyaos.local
Standalone
vault.diyaos.local
Integrated
/apps/vault
Backend
fastapi / diyaos-vault-api
Flags: sharedAuth, standaloneDomains, redirectUris, openApi, mcp, a2a

Passwordless Login

primary
WebAuthn passkeys: Primary login on trusted devices through diyaos.local
FIDO2 security keys: Allowed for roaming keys, backups, and high-assurance admins
OTP step-up: 10-minute codes every 30 days, plus recovery and high-risk actions

Selected Auth Posture

2 credentials
Amal laptop passkey webauthn-passkey / platform
YubiKey backup fido2-security-key / cross-platform

Registration Workflows

5 requests
Lina Basri platform admin registration
Scope
Diya Platform
Role
Platform Admin
Responsible
Ravi Menon
Auth
webauthn-passkey, fido2-security-key
Platform Admin may grant Platform Admin in Diya Platform.
Design Studio tenant provisioning
Scope
Design Studio / Diya Platform
Role
Tenant Admin
Responsible
Maya Haddad
Auth
webauthn-passkey
Ravi Menon may create Design Studio and assign Tenant Admin in Diya Platform.
Sara Khalid tenant admin registration
Scope
Construction Studio / Diya Platform
Role
Tenant Admin
Responsible
Maya Haddad
Auth
webauthn-passkey
Tenant Admin may grant Tenant Admin in Construction Studio / Diya Platform.
Nabil Farah tenant user registration
Scope
Construction Studio / Diya Platform
Role
Tenant User
Responsible
Maya Haddad
Auth
webauthn-passkey
Tenant Admin may grant Tenant User in Construction Studio / Diya Platform.
Atelier Admin tenant admin registration
Scope
Atelier Partner / Diya Platform
Role
Tenant Admin
Responsible
Ravi Menon
Auth
webauthn-passkey
Platform Admin may grant Tenant Admin in Atelier Partner / Diya Platform.

Scope Map

5 scopes
Diya Platform active
Diya Core Ops, Construction Studio, Atelier Partner
Ravi Menon

Principal

human
[email protected] active / expires 2026-05-26T11:00:00.000Z
OS Admin DiyaOS

Tenant Responsibility

admins and users
Diya Core Ops active
Platform admin: Ravi Menon; Tenant admin: Amal Noor; Users: Vault Indexer Agent
Construction Studio active
Platform admin: Ravi Menon; Tenant admin: Maya Haddad; Users: Omar Salim
Atelier Partner provisioning
Platform admin: Ravi Menon; Tenant admin: Amal Noor; Users: None yet

Authorization Check

1 role
Manage tenants is allowed through OS Admin.

Role Grant Gate

open
OS Admin may grant Tenant Admin in Construction Studio / Diya Platform.

Role Matrix

4 roles / 58 permissions
OS Admin / OS

Full DiyaOS authority across the fixed platform, tenants, users, policy, and audit.

Read principals, Manage principals, Read authenticators, Manage authenticators, Issue OTP step-up, Read role policy, Assign roles, Read platforms, Manage platform configuration, Manage platform admins, Read tenants, Manage tenants, Read tenant users, Manage tenant users, Manage tenant admins, Read audit events, Access apps, Delegate agents, Read catalog items, Manage catalog items, Read catalog experiences, Manage catalog experiences, Publish catalog channels, Read catalog exports, Read catalog analytics, Read brand workspaces, Manage brand workspaces, Read brand guidelines, Write brand guidelines, Review brand guidelines, Publish brand guidelines, Read brand assets, Upload brand assets, Approve brand assets, Archive brand assets, Read brand templates, Manage brand templates, Read brand tokens, Export brand tokens, Create brand requests, Triage brand requests, Read brand analytics, Manage brand portals, Run Brand QA, Read voice sessions, Create voice sessions, End voice sessions, Monitor voice sessions, Invoke voice agents, Configure voice agents, Read voice transcripts, Read email connections, Manage email connections, Read email sender identities, Manage email sender identities, Send email, Read email status, Read email audit
Platform Admin / Platform

Runs tenant operations under the fixed DiyaOS platform and manages tenants, admins, users, and delegated agents.

Read principals, Read authenticators, Manage authenticators, Issue OTP step-up, Read role policy, Assign roles, Read platforms, Manage platform configuration, Manage platform admins, Read tenants, Manage tenants, Manage tenant admins, Read tenant users, Manage tenant users, Read audit events, Access apps, Delegate agents, Read catalog items, Manage catalog items, Read catalog experiences, Manage catalog experiences, Publish catalog channels, Read catalog exports, Read catalog analytics, Read brand workspaces, Manage brand workspaces, Read brand guidelines, Write brand guidelines, Review brand guidelines, Publish brand guidelines, Read brand assets, Upload brand assets, Approve brand assets, Archive brand assets, Read brand templates, Manage brand templates, Read brand tokens, Export brand tokens, Create brand requests, Triage brand requests, Read brand analytics, Manage brand portals, Run Brand QA, Read voice sessions, Create voice sessions, End voice sessions, Monitor voice sessions, Invoke voice agents, Configure voice agents, Read voice transcripts, Read email connections, Manage email connections, Read email sender identities, Manage email sender identities, Send email, Read email status, Read email audit
Tenant Admin / Tenant

Runs one tenant and manages tenant users, memberships, app access, and local audit review.

Read principals, Read authenticators, Manage authenticators, Issue OTP step-up, Read role policy, Assign roles, Read tenants, Manage tenant admins, Read tenant users, Manage tenant users, Read audit events, Access apps, Read voice sessions, Create voice sessions, End voice sessions, Monitor voice sessions, Invoke voice agents, Read voice transcripts, Read email connections, Read email sender identities, Manage email sender identities, Send email, Read email status, Read email audit, Read catalog items, Manage catalog items, Read catalog experiences, Manage catalog experiences, Publish catalog channels, Read catalog exports, Read catalog analytics, Read brand workspaces, Manage brand workspaces, Read brand guidelines, Write brand guidelines, Review brand guidelines, Publish brand guidelines, Read brand assets, Upload brand assets, Approve brand assets, Archive brand assets, Read brand templates, Manage brand templates, Read brand tokens, Export brand tokens, Create brand requests, Triage brand requests, Read brand analytics, Manage brand portals, Run Brand QA
Tenant User / Tenant

Uses tenant applications and reads the tenant context available to their memberships.

Read tenants, Access apps, Create voice sessions, Invoke voice agents, Read email sender identities, Send email, Read email status, Read catalog items, Read catalog experiences, Read brand workspaces, Read brand guidelines, Read brand assets, Read brand templates, Read brand tokens, Create brand requests, Run Brand QA

Permission Catalog

risk tiers

Identity

Read principals low
Manage principals high

Authentication

Read authenticators low
Manage authenticators high
Issue OTP step-up medium

RBAC

Read role policy low
Assign roles high

Platform

Read platforms low
Manage platform configuration high
Manage platform admins high

Tenant

Read tenants low
Manage tenants high
Read tenant users low
Manage tenant users medium
Manage tenant admins high

Audit

Read audit events low

Apps

Access apps low

Agents

Delegate agents medium
Read voice sessions low
Create voice sessions medium
End voice sessions medium
Monitor voice sessions high
Invoke voice agents medium
Configure voice agents high
Read voice transcripts medium

Communication

Read email connections low
Manage email connections high
Read email sender identities low
Manage email sender identities high
Send email medium
Read email status medium
Read email audit medium