H.A.R.D. — internal portal

Sign in

Every Assessment-Provider and departmental user signs in through Microsoft Entra ID with MFA. This demo defaults to the temp-login mode (auth-mode D) so the journey runs with zero Entra dependency, while still enforcing role and FAS-lot scope (spec §8.2 / variant V13).

Each user maps to an Entra group and an app role, exactly as defined in the seeded roster.
Enter the shared temp-login secret (HARD_SEED_PASSWORD). It is the same for every seeded user; there is no per-user secret.

The Entra OIDC path (Authorization Code + PKCE) is architecturally preserved and switchable by configuration once the department tenant details land (spec §5, §11).

Role scope (spec §2)

  • Caseworker — upload, distribute, own lot
  • Team Lead — Caseworker permissions + reassign, audit own lot
  • DWP Admin — RBAC, cross-lot audit, no data plane
  • Reporting — read-only metrics
  • Audit Viewer — read-only audit