Module Configuration
Data Entity
Description
Per-organization toggle record that controls whether a functional area (module) is enabled or disabled for a given tenant. One row per organization per module. The backend uses this table as the authoritative source of truth for all module-gating decisions; clients read the enabled set at bootstrap and never make gating decisions locally.
Data Structure
| Name | Type | Description | Constraints |
|---|---|---|---|
| id | uuid | Surrogate primary key. | PK, required, unique |
| organization_id | uuid | Foreign key to the organization this configuration row belongs to. | required |
| module_id | string | Canonical area ID from the area taxonomy (e.g. 'expense-reimbursement', 'encrypted-assignments', 'certification-training'). Must match a registered area ID in the module registry definition. | required |
| is_enabled | boolean | Whether this module is currently active for the organization. Defaults to false at provisioning; always-on modules are set to true and locked. | required |
| is_always_on | boolean | When true, the module is part of the non-toggleable core set for this product and cannot be disabled via the admin UI or API. | required |
| configuration | json | Optional per-module configuration values for dimensions that vary within an enabled module (e.g. speech_to_text_enabled, receipt_required_threshold_nok, max_bulk_registration_size). Never used for the on/off toggle itself. | - |
| enabled_at | datetime | Timestamp of the most recent enable action. Null if the module has never been enabled (beyond provisioning default). | - |
| disabled_at | datetime | Timestamp of the most recent disable action. Null if the module has never been explicitly disabled. | - |
| changed_by_user_id | uuid | User ID of the actor who last toggled or reconfigured this row. Null for rows provisioned automatically at org creation. | - |
| dependency_module_ids | json | Array of module IDs that must also be enabled when this module is enabled. Derived from the registry definition but persisted here as a snapshot so runtime enforcement does not require the registry to be loaded. | - |
| created_at | datetime | Row creation timestamp, set at org provisioning. | required |
| updated_at | datetime | Last modification timestamp, updated on any column change. | required |
Database Indexes
idx_module_configurations_org_module
Columns: organization_id, module_id
idx_module_configurations_org_enabled
Columns: organization_id, is_enabled
idx_module_configurations_module_id
Columns: module_id
Validation Rules
module_id_registered
error
Validation failed
module_id_kebab_case
error
Validation failed
unique_org_module_pair
error
Validation failed
configuration_schema_valid
error
Validation failed
enabled_at_set_on_enable
warning
Validation failed
disabled_at_set_on_disable
warning
Validation failed
changed_by_required_on_manual_toggle
error
Validation failed
Business Rules
always_on_immutable
Rows where is_always_on = true cannot have is_enabled set to false. Any toggle request targeting an always-on module must be rejected with a 400 error. Always-on sets differ per product: Mobile App always-on = authentication-access-control, home-navigation, accessibility, help-support, profile-management. Admin Portal always-on = admin-dashboard, admin-user-management, admin-organization, admin-security.
dependency_cascade_on_enable
When a module is enabled, all module IDs listed in dependency_module_ids must also be enabled in the same transaction. The admin UI makes cascading dependencies visible before the user confirms.
dependency_block_on_disable
A module cannot be disabled if another currently-enabled module lists it as a dependency. The service must check for reverse dependencies and return a descriptive error naming the blocking module(s).
full_set_provisioned_at_org_creation
When a new organization is created, one module_configurations row must be inserted for every registered module ID in the module registry definition. Each row is inserted with is_enabled = false, except for always-on modules, which are inserted with is_enabled = true and is_always_on = true.
rbac_org_admin_only
Only users with the Organization Administrator role for the target organization, or a Global Administrator with active support access to that organization, may write to this table. All other write attempts must be rejected at the API layer.
backend_gating_on_every_request
Every API endpoint that belongs to a module must query this table (or a cache derived from it) for the requesting user's organization before processing. A disabled module must return 403 regardless of the client's cached bootstrap state.
audit_all_toggle_changes
Every is_enabled transition and configuration change must produce an audit log entry recording the acting user, the previous and new values, and the timestamp.
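The following added example (not code from the system this page describes) sketches how a toggle service could enforce always_on_immutable, dependency_cascade_on_enable and dependency_block_on_disable together while emitting the audit entries required by audit_all_toggle_changes. The names `set_module_enabled`, `make_row` and `ToggleRejected` are hypothetical, and an in-memory dict keyed by module_id stands in for one organization's rows in the table.

```python
import copy
from datetime import datetime, timezone

class ToggleRejected(Exception):
    """A business rule refused the toggle (always-on maps to HTTP 400)."""

def make_row(deps=(), enabled=False, always_on=False):
    # Constructed sample row holding only the columns this example touches.
    return {"is_enabled": enabled, "is_always_on": always_on,
            "dependency_module_ids": list(deps), "enabled_at": None,
            "disabled_at": None, "changed_by_user_id": None}

def set_module_enabled(rows, module_id, enabled, actor_id, now=None):
    """Toggle one module; returns (new_rows, audit) computed on a copy so a
    rejected request leaves rows untouched, like a rolled-back transaction."""
    now = now or datetime.now(timezone.utc)
    work, audit = copy.deepcopy(rows), []

    def row(mid):
        if mid not in work:
            raise ToggleRejected(f"unknown module: {mid}")
        return work[mid]

    def flip(mid, value):
        r = row(mid)
        if r["is_enabled"] != value:  # audit real transitions only
            audit.append({"module_id": mid, "actor": actor_id,
                          "old": r["is_enabled"], "new": value, "at": now})
            r["is_enabled"], r["changed_by_user_id"] = value, actor_id
            r["enabled_at" if value else "disabled_at"] = now

    def enable(mid, seen):
        if mid not in seen:  # visited set guards against dependency cycles
            seen.add(mid)
            for dep in row(mid)["dependency_module_ids"] or []:
                enable(dep, seen)  # dependencies are enabled first
            flip(mid, True)

    if enabled:
        enable(module_id, set())
        return work, audit
    if row(module_id)["is_always_on"]:
        raise ToggleRejected(f"{module_id} is always-on and cannot be disabled")
    blockers = sorted(m for m, r in work.items() if r["is_enabled"]
                      and module_id in (r["dependency_module_ids"] or []))
    if blockers:
        raise ToggleRejected(f"{module_id} is required by: {', '.join(blockers)}")
    flip(module_id, False)
    return work, audit
```

The role check from rbac_org_admin_only is assumed to have passed before this function is called.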