Seed System Identities & Hardening

Seed System Identities & Hardening

To prevent administrative deadlocks and protect critical account structures, Asterisk 2 implements defensive software locks. These controls safeguard core identity records against unwanted lifecycle modifications.


Administrative Account Protection Rules

The flowchart below maps out the validation rules protecting seed identity databases from accidental deletion:

graph LR
    %% User Request
    subgraph AdminConsole["Authenticated Admin Portal"]
        ActionReq["Account Modification Action<br/>(POST /api/Admin/User/Delete)"]
    end

    %% Security Interception
    subgraph ControllerLogic["AdminController Security Pipeline"]
        TargetLookup["Load Target User Profile<br/>(Target.UserName)"]
        SelfCheck["Session Context Evaluation<br/>(Target.Id == ActiveUser.Id)"]
    end

    %% Defense Core
    subgraph DefenseEngine["Account Immutability Logic"]
        SeedCheck["Seed Account Match Engine<br/>(Target.UserName == 'admin')"]
        DbCommit["Execute Database Transaction"]
    end

    %% Rejections
    RejectSelf["Abort Action<br/>(Error: Self-Deletion Prevention)"]
    RejectSeed["Abort Action<br/>(Error: Immutability Violation)"]

    %% Flow vectors
    ActionReq --> TargetLookup
    TargetLookup ==>|"Evaluate Request"| SelfCheck
    SelfCheck -->|"True (Self Action)"| RejectSelf
    SelfCheck ==>|"False"| SeedCheck
    
    SeedCheck -->|"True (Seed Target)"| RejectSeed
    SeedCheck ==>|"False"| DbCommit

    %% Color Matrices
    classDef consoleToken fill:#0f172a,stroke:#38bdf8,stroke-width:2px,color:#fff,rx:6px,ry:6px;
    classDef logicToken fill:#1e293b,stroke:#a855f7,stroke-width:2px,color:#fff,rx:6px,ry:6px;
    classDef defToken fill:#312e81,stroke:#ec4899,stroke-width:2px,color:#fff,rx:6px,ry:6px;
    classDef rejToken fill:#7f1d1d,stroke:#f87171,stroke-width:2px,color:#fff,rx:6px,ry:6px;

    class AdminConsole,ActionReq consoleToken;
    class ControllerLogic,TargetLookup,SelfCheck logicToken;
    class DefenseEngine,SeedCheck,DbCommit defToken;
    class RejectSelf,RejectSeed rejToken;

Operational Hardening Protocols

1. Seed Root Administrator Protection

During application setup, the persistence layer provisions a core administrative record (admin). To ensure platform recovery availability, database controller rules mark this user record as immutable. Deletion commands targeting the root username string are rejected to prevent platform lockouts.

2. Self-Deletion Prevention Rules

To prevent an active administrator session from deleting its own record during management operations, controllers validate target IDs against user authentication claims. If the target matches the active session, the delete action is dropped.

3. Automated Authentication Lockouts

To stop password brute-forcing, user identity engines track unsuccessful login loops. If a user record accumulates multiple failed validation attempts, the profile enters a temporary lockout timeout state, entirely rejecting subsequent login validations.