Auth

Concept

On today's Internet, privacy, safety and secrecy matter, the one more or less than the other. We all know the user entity, with a name and password attached to it. Boxary goes a step further and introduces the Account as a necessary addition.

Registration.

Various registration systems are possible. Well known are LDAP, OpenID and OAuth (as used by Google, Facebook and the like). Boxary also provides native registration in the platformDataBase. Only real persons can register.

Authentication.

For remote registrations Boxary relies on the remote identity provider. For native registrations, which come with an invitation system, Boxary verifies the validity of the entered credentials by email. For the time being, that check is limited to confirming that the email address exists.

RBAC as base implementation.

Rights are defined as read, write and execute. These Rights are distributed over the platformContent and the platformUsers, and the two sides must match to obtain a grant for access. The mechanism is organised with Roles and Groups. Rights are defined for the owner of the content, for the group of the user, for all users and for the anonymous guest. Read about access granting.

Best practice is to equip plugins with scripts (and templates) for admin, public, private and anonymous visitors, so that each kind of visitor is shown differently structured content.

Audit Logging.

All registration attempts are logged. Grants of privileges are logged as well: think of becoming a member of a group, or issuing invitations and being invited.


Sensitive data and sharing.

Boxary knows about accounts too. Accounts have members (accountUsers). A platformUser can be a member of several Accounts. While the platformUser accesses the platformContent, the accountUser is privileged to access the accountContent, because sometimes the data owner is not the platformUser but the account. All accountUsers share the same rights. Users must be invited to an account and can be removed, which means that they lose access to the account content.
Every Group has a default account, but platformUsers don't. Meaningful use of platformContent is only feasible when having a personal account or being a member of some group. Of course, there will be plenty of anonymous content.
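The following is an added example, not Boxary's own code, of how the rights model described above (owner, group, all users, anonymous guest) and the account layer (accountUsers sharing the same rights, invitation and removal, with grants and revocations logged) can be checked in practice. Class names, field names, the "first matching class wins" rule and the audit line format are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

READ, WRITE, EXECUTE = "r", "w", "x"

@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    accounts: Set[str] = field(default_factory=set)  # accounts this platformUser belongs to
    anonymous: bool = False

@dataclass
class Content:
    owner: str                    # owning platformUser (or the account, for accountContent)
    group: str
    rights: Dict[str, str]        # rights per class, e.g. {"owner": "rw", "group": "r"}
    account: Optional[str] = None # set for accountContent: the owning account

AUDIT = []  # constructed audit log; privilege grants and revocations are appended here

def matching_class(user: User, content: Content) -> Optional[str]:
    """Pick the single class whose rights apply (assumption: first match wins)."""
    if user.anonymous:
        return "anonymous"
    if content.account is not None:
        # accountContent: every accountUser shares the same rights, non-members get none
        return "account" if content.account in user.accounts else None
    if user.name == content.owner:
        return "owner"
    if content.group in user.groups:
        return "group"
    return "users"

def is_granted(user: User, content: Content, right: str) -> bool:
    """A grant requires the user's class and the content's rights for it to match."""
    cls = matching_class(user, content)
    return cls is not None and right in content.rights.get(cls, "")

def invite_to_account(user: User, account: str) -> None:
    user.accounts.add(account)
    AUDIT.append(f"grant account={account} user={user.name}")

def remove_from_account(user: User, account: str) -> None:
    user.accounts.discard(account)   # removal means losing access to the account content
    AUDIT.append(f"revoke account={account} user={user.name}")
```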

Examples: think of
  • a real family that is sharing their common (and private) reminders, to-dos or calendars,
  • a private gamer group that is sharing some specific scenarios,
  • a festival that is broadcasting its events to registered attendants.