Most identity systems today treat the user as a flat record: a set of attributes pinned to a persistent identifier. That works for login, but fails when the same person behaves differently at work, at home, or under stress. We need a model that respects context—a stack that layers identity components so systems can adapt without losing coherence. This guide walks through a practical multi-layer identity stack, how to deploy it, and where it breaks.
Why the Flat Identity Model Falls Short
The traditional identity model—a user object with name, email, roles, and a few custom fields—was designed for access control, not for experience. It assumes consistency: the same person should see the same permissions and preferences everywhere. But real human behavior is inconsistent. A manager approving expenses acts differently than the same person browsing a learning portal on a Sunday evening. Flat models collapse these contexts into one, forcing either rigid rules or messy overrides.
Teams often find that adding context flags (e.g., 'isAtWork', 'isOnMobile') to the user object creates combinatorial complexity. Each new context multiplies the number of states, and the logic to resolve conflicts grows faster than the team can maintain. The result is either a system that ignores context or one that's brittle and unpredictable.
What's needed is a layered architecture where each layer represents a different scope of identity—from durable core traits to ephemeral states—and where higher layers can override lower ones in a controlled way. This is the identity stack.
The Cost of Ignoring Context
Without context awareness, systems produce jarring experiences: a doctor sees patient records from a previous clinic role after switching departments; a customer gets promotional emails for a product they already bought. These are not edge cases—they are daily friction that erodes trust. A multi-layer model doesn't eliminate the friction but gives architects a framework to manage it explicitly.
Core Layers of the Identity Stack
The identity stack we propose has four layers, each with a distinct scope and update frequency. From bottom to top: core identity, role identity, state identity, and narrative identity. Each layer inherits from the one below but can override attributes for its scope.
Layer 1: Core Identity
Core identity holds immutable or slowly changing attributes: legal name, date of birth, government IDs, biometric hashes, and a persistent identifier. This layer is the anchor. It rarely changes and is the source of truth for compliance and audit. In deployment, core identity is often stored in a dedicated directory or vault with strong access controls. Changes require multi-party approval.
Layer 2: Role Identity
Role identity captures attributes tied to a person's function in a specific context: job title, department, project memberships, organizational roles. These change when a person switches teams, gets promoted, or takes on a temporary assignment. Role identity is scoped—a person can have multiple role profiles active simultaneously (e.g., 'Engineering Lead' and 'Safety Officer'), and the system resolves conflicts by priority or by context.
Layer 3: State Identity
State identity reflects transient conditions: current location, device type, network, time of day, recent actions, emotional state (inferred). This layer is highly dynamic—updated in real-time or near-real-time. State identity should not be stored long-term; it is evaluated at request time and discarded. It enables adaptive experiences: showing a simplified UI on a mobile device, or requiring step-up authentication from an unfamiliar network.
Layer 4: Narrative Identity
Narrative identity is the highest layer, representing the user's ongoing story: recent interactions, goals, progress, preferences learned over time. It is built from history but is not a simple log—it's a curated model of what the system knows about the user's current journey. Narrative identity allows personalization without hardcoding rules. For example, a user who has completed three beginner tutorials is moved to intermediate content automatically.
How the Stack Works: Resolution and Overrides
The stack is not just a taxonomy; it defines a resolution order. When a system needs an attribute (e.g., 'display language'), it checks from top to bottom: narrative identity first (because it's most context-specific), then state, then role, then core. If a layer provides a value, that value is used; if not, the lookup falls to the next layer. This allows fine-grained overrides without breaking the default.
For example, a user's core identity might list English as preferred language. Their role identity (working on a German project) might set language to German for project-related tools. Their state identity (currently using a public terminal) might force a read-only interface regardless of language. The resolution engine would apply the state override first, then role, then core. The result: the user sees a read-only interface in German on the public terminal, but English elsewhere.
This layered resolution requires careful design to avoid infinite loops or conflicting overrides. A common pattern is to assign a priority score to each layer and, within a layer, to each attribute source. The engine resolves conflicts by highest priority, with a tiebreaker rule (e.g., most specific context wins).
Implementation Considerations
In practice, the stack is not a single database but a federation of sources. Core identity might live in an LDAP directory, role identity in an HR system or SCIM provider, state identity in a session store like Redis, and narrative identity in a profile service backed by a document database. The resolution engine is a middleware layer that queries these sources and caches results for the request's duration. Teams should instrument each layer's hit rate to understand which layers are doing the work and which are rarely used.
Worked Example: A Healthcare Portal
Consider a healthcare portal used by clinicians, administrators, and patients. A single person, Dr. A, has multiple roles: attending physician (core role), researcher on a clinical trial (temporary role), and patient (for her own health records). The flat model would struggle to present the right views without context.
Using the identity stack, Dr. A logs in from a hospital workstation (state: on-premises, hospital network). The resolution engine checks state identity first: on-premises access allows full clinical tools. Then role identity: she has two active roles—attending physician (priority 10) and researcher (priority 5). The engine selects the highest priority role for the default session, but the UI offers a context switcher. She chooses researcher mode. Now narrative identity kicks in: the system shows recent trial data and pending tasks. When she accesses her own patient record, the system detects a conflict (she is both patient and clinician) and applies a policy: clinical access is blocked for self-records, and she is redirected to the patient portal view.
This example shows how layers interact: state (location) enables or disables capabilities; role determines default scope; narrative provides continuity; core identity enforces compliance rules. Without the stack, each of these decisions would require custom code scattered across the application.
What Could Go Wrong
In this deployment, the team discovered that role priority was not enough. Dr. A's researcher role had lower priority than attending, but when she explicitly switched to research mode, the engine still applied attending defaults for some attributes (e.g., default department). The fix was to add a 'user intent' signal as part of state identity—a simple flag set when the user explicitly chooses a context. This flag overrides automatic priority resolution. The lesson: layers need to support explicit overrides, not just automatic ones.
Edge Cases and Exceptions
No identity model is universal. Here are common edge cases where the stack requires adaptation.
Ambiguous Contexts
What happens when a user is in two conflicting states simultaneously? For example, a user is both a manager and a direct report in the same system. The stack can handle this by assigning each role a scope (e.g., manager role applies to team members, direct report role applies to own manager). But when the user tries to approve their own time-off request, the system must detect the conflict and either block it (safe default) or escalate. The resolution engine needs a conflict detection module that flags circular overrides.
Transient Identities
Some users have ephemeral identities: temporary workers, API clients, or guest shoppers. For these, the core identity layer might be minimal (a session ID, no legal name). The stack still works, but the lower layers are thin, and most attributes come from state and narrative. Teams must ensure that compliance rules (e.g., data retention) are not bypassed by a thin core layer. A common pattern is to assign a 'tier' to the core identity (e.g., full, limited, anonymous) and adjust what attributes are available.
Privacy and Consent
The narrative identity layer, because it builds a profile from history, raises privacy concerns. Users may not want their behavior tracked across contexts. The stack must include consent signals at each layer. For example, a user might consent to personalization within a single application but not across applications. The resolution engine should check consent before using narrative attributes. If consent is withdrawn, the engine falls back to lower layers, effectively degrading personalization gracefully.
Limits of the Multi-Layer Approach
The identity stack is powerful but not a silver bullet. It introduces complexity that some teams underestimate.
Performance Overhead
Querying multiple sources for every request adds latency. Even with caching, the resolution engine must aggregate data from different stores, each with its own consistency model. In high-throughput systems, this can become a bottleneck. Mitigation strategies include pre-fetching attributes for known contexts, using local caches with short TTLs, and designing the stack so that most requests resolve from the top two layers (state and narrative) without hitting core or role stores.
Governance Challenges
Who owns each layer? In many organizations, core identity is owned by IT security, role identity by HR, state identity by application teams, and narrative identity by product. This fragmentation leads to conflicts: HR might change a role without notifying the application team, breaking the resolution engine. Clear ownership and change notification processes are essential. Some teams adopt a 'stack manifest'—a configuration file that defines which attributes come from which layer and who approves changes.
When Not to Use the Stack
For simple applications with a single user type and no context switching, the stack is overkill. A flat user model with a few boolean flags is easier to maintain. The stack pays off when you have multiple contexts, role conflicts, or adaptive experiences. If your system has fewer than three distinct user contexts, start with a simpler model and evolve only when the pain becomes real.
Ultimately, the identity stack is a tool for architects who need to model the complexity of human identity without drowning in it. Start with the core and role layers, add state and narrative only when the use cases demand them. Measure the hit rate of each layer, and prune what isn't used. The goal is not a perfect model but a working one that adapts as your understanding of your users deepens.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!