
Security Data Model

One of the key tenets of the OpenIZ immunization management system is privacy and security by design. To that end, OpenIZ’s IMS not only supports external policy enforcement decisions and role providers, but also provides access to internal policy engines for when external policy decision points are not available.

The following figure illustrates the relationships between the various security subsystem tables found in the OpenIZ data model.

[Figure: relationships between the security subsystem tables in the OpenIZ data model]

| Table | Column | Type | Description |
|---|---|---|---|
| Policy | (None) | N/A | The policy table is a complete dictionary of policies that can be applied to acts within the OpenIZ IMS. |
| | PolicyId | UUID | Uniquely identifies the policy within the OpenIZ system. |
| | PolicyOid | VARCHAR | A globally unique identifier in the form of an OID for the policy. |
| | Name | VARCHAR | A human-readable name for the policy. |
| | Handler | VARCHAR | An assembly qualified name (AQN) of an IPolicyHandler implementation which is triggered when the policy rule fires. |
| SecurityUser | (None) | N/A | The security user table is used to store a master list of users that have secured access to the OpenIZ IMS functions. |
| | UserId | UUID | A unique identifier for the user. |
| | UserName | VARCHAR | A unique identifier for the security user that a human may use to access the OpenIZ IMS system. |
| | PasswordHash | VARCHAR | A SHA256 hash of the user’s password. |
| | SecurityStamp | VARCHAR | A unique security stamp for the user account. This can include a salt for the user password, or some other security tag for the user. |
| | InvalidLoginAttempts | INT | Identifies the number of times that a person has attempted to access the OpenIZ IMS with invalid credentials. |
| | UserPhoto | VARBINARY | An optional photograph for the user. |
| | Email | VARCHAR | Identifies an electronic mail telecommunications address that can be used to contact the user. |
| | EmailConfirmed | BIT | Indicates whether the email address of the user has been confirmed. |
| | TwoFactorEnabled | BIT | Indicates whether the user account requires two-factor authentication. The TFA mechanism is enabled by the ITwoFactorAuthenticationService implementation. |
| | LockoutEnabled | BIT | Indicates whether the user account is in a state of lockout. |
| | CreationTime | DATETIME | Identifies the time when the user account was created. |
| | CreatedBy | UUID | Identifies the user who was responsible for the creation of the security user. |
| | ObsoletionTime | DATETIME | When populated, indicates the time when the user account did or will become obsolete. |
| | ObsoletedBy | UUID | The identifier of the user who was responsible for obsoleting the record. |
| | ObsoletionReason | VARCHAR | Identifies the reason why the security user was obsoleted. |
| | UpdatedTime | DATETIME | Identifies the last timestamp that the user record was updated. |
| | UpdatedBy | UUID | Identifies the user who was responsible for the last edit of the security user. |
| SecurityUserClaims | (None) | N/A | The security user claims table is used to store claim tokens associated with a user account/session. |
| | ClaimId | UUID | A unique identifier of the claim. |
| | UserId | UUID | Identifies the user to which the claim applies. |
| | ClaimType | VARCHAR | Identifies the type or classification of claim that has been made. |
| | ClaimValue | VARCHAR | Identifies the value of the claim token. |
| SecurityUserLogins | (None) | N/A | The security user logins table is used to track external authorization providers associated with a user account. |
| | LoginProvider | VARCHAR | The provider (Google, Microsoft, etc.) which holds the external credential. |
| | ProviderKey | VARCHAR | The key of the user identifier in the provider system. |
| | UserId | UUID | Identifies the user to which the external login applies. |
| SecurityRole | (None) | N/A | The security role table is used to store security (user) roles that can be used in policy-based decisions. |
| | RoleId | UUID | Uniquely identifies the security role. |
| | Name | VARCHAR | A human-readable name for the role. |
| | CreationTime | DATETIME | Identifies the moment in time when the security role was created. |
| | CreatedBy | UUID | Identifies the user who was responsible for the creation of the role. |
| | ObsoletionTime | DATETIME | When present, identifies the date/time when the role became obsolete. |
| | ObsoletedBy | UUID | Identifies the user who was responsible for the obsoletion. |
| | ObsoletionReason | VARCHAR | Indicates the reason for the obsoletion of the record. |
| SecurityUserRole | (None) | N/A | An associative entity table between a security user and role. |
| | UserId | UUID | Identifies the user of the association. |
| | RoleId | UUID | Identifies the role to which the association applies. |
| SecurityRolePolicy | (None) | N/A | The security role policy is an associative entity table that links security roles to policies which can be used in a policy decision. |
| | RolePolicyId | UUID | Uniquely identifies the tuple. |
| | RoleId | UUID | Identifies the role to which the security role policy association applies. |
| | PolicyId | UUID | Identifies the policy that is being applied to the role. |
| | IsDeny | INT | When true, indicates that the policy decision process should deny all requests to the policy. |
| | CanOverride | BIT | When true, indicates that when a policy decision is made, a user within the role can override the decision. |
| PolicyOverride | (None) | N/A | A table that stores data related to policy overrides. |
| | PolicyOverrideId | UUID | Uniquely identifies the policy override record. |
| | PolicyId | UUID | Identifies the policy that was overridden. |
| | UserId | UUID | Identifies the user who was responsible for the override. |
| | ReasonConceptId | UUID | Identifies the reason why the policy was overridden. |
| | OverrideTime | DATETIME | The time that the override occurred. |
| | CreationTime | DATETIME | Identifies the time when the override record was created. |
| | CreatedBy | UUID | Identifies the user who was responsible for the creation of the override record. |
| ActPolicy | (None) | N/A | The ActPolicy table is used to associate a policy with an act. |
| | ActPolicyId | UUID | A unique identifier for the act policy association. |
| | EffectiveVersionId | UUID | Identifies the version of the act whereby the policy is active. |
| | ObsoleteVersionId | UUID | Indicates the version of the act where the policy no longer applies. |
| | PolicyId | UUID | Identifies the policy that is associated with the act. |
| SecurityDevice | (None) | N/A | The security device table is used to store data related to an authorized device that can access the OpenIZ IMS. |
| | DeviceId | UUID | Uniquely identifies the device. |
| | DeviceSecret | VARBINARY | A secret that is used to verify whether the device can connect. |
| | CreationTime | DATETIME | Indicates the time when the record was created. |
| | CreatedBy | UUID | Identifies the user responsible for the creation of the record. |
| | ObsoletionTime | DATETIME | When present, indicates the time when the device record became or will become obsolete. |
| | ObsoletedBy | UUID | Identifies the user that is responsible for the obsoletion of the device. |
| | ReplacesDeviceId | UUID | Indicates the old device that the current device would replace. |
| SecurityDevicePolicy | (None) | N/A | An associative entity that links a security device to a policy. |
| | DevicePolicyId | UUID | A unique identifier for the device policy association. |
| | DeviceId | UUID | Identifies the device to which the association applies. |
| | PolicyId | UUID | Indicates the policy to which the association applies. |
| | IsDeny | BIT | When true, instructs the decision engine to deny access to an act or policy. |
| SecurityApplication | (None) | N/A | The security application table is used to store records associated with an application. |
| | ApplicationId | UUID | Uniquely identifies the application. |
| | ApplicationSecret | VARBINARY | A secret that is used by the application to authenticate itself. |
| | CreationTime | DATETIME | The time when the application was created. |
| | CreatedBy | UUID | The user responsible for registering the application. |
| | ObsoletionTime | DATETIME | The time that the application record did become or will become obsolete. |
| | ObsoletedBy | UUID | Indicates the user that obsoleted the record. |
| | ReplacesApplicationId | UUID | Identifies the application that this current version of the application record replaces. |
| SecurityApplicationPolicy | (None) | N/A | An associative entity that links a security application to a policy. |
| | ApplicationPolicyId | UUID | A unique identifier for the application policy association. |
| | ApplicationId | UUID | Identifies the application to which the association applies. |
| | PolicyId | UUID | Indicates the policy to which the association applies. |
| | IsDeny | BIT | When true, instructs the decision engine to deny access to an act or policy. |
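The following added example (not OpenIZ code) shows how the SecurityUserRole, SecurityRole, SecurityRolePolicy and Policy tables described above can be joined to reach a role-based decision for one user and one policy OID. The combination rules (no association means deny, a deny outranks a grant, an overridable deny yields an "ELEVATE" outcome), the outcome labels, and all row values and OIDs are assumptions constructed for illustration; the page defines only the columns.

```python
import sqlite3

# Constructed sample data; only the columns needed for a decision are created.
SCHEMA = """
CREATE TABLE Policy (PolicyId TEXT PRIMARY KEY, PolicyOid TEXT, Name TEXT);
CREATE TABLE SecurityRole (RoleId TEXT PRIMARY KEY, Name TEXT, ObsoletionTime TEXT);
CREATE TABLE SecurityUserRole (UserId TEXT, RoleId TEXT);
CREATE TABLE SecurityRolePolicy (RolePolicyId TEXT PRIMARY KEY, RoleId TEXT,
    PolicyId TEXT, IsDeny INT, CanOverride INT);
INSERT INTO Policy VALUES ('p1', '1.2.3.4.1', 'Read clinical data'),
                          ('p2', '1.2.3.4.2', 'Read restricted data');
INSERT INTO SecurityRole VALUES ('r1', 'CLINICIAN', NULL), ('r2', 'AUDITOR', NULL),
                                ('r3', 'LEGACY_ADMIN', '2015-01-01T00:00:00');
INSERT INTO SecurityUserRole VALUES ('u1', 'r1'), ('u1', 'r2'), ('u2', 'r3');
INSERT INTO SecurityRolePolicy VALUES
  ('rp1', 'r1', 'p1', 0, 0), ('rp2', 'r1', 'p2', 1, 1),
  ('rp3', 'r2', 'p2', 0, 0), ('rp4', 'r3', 'p1', 0, 0);
"""

# Collect every role-policy association that applies to the user through a
# role that is not yet obsolete at the time of the decision.
QUERY = """
SELECT rp.IsDeny, rp.CanOverride
FROM SecurityUserRole ur
JOIN SecurityRole r ON r.RoleId = ur.RoleId
JOIN SecurityRolePolicy rp ON rp.RoleId = r.RoleId
JOIN Policy p ON p.PolicyId = rp.PolicyId
WHERE ur.UserId = ? AND p.PolicyOid = ?
  AND (r.ObsoletionTime IS NULL OR r.ObsoletionTime > ?)
"""

def build_sample():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def decide(conn, user_id, policy_oid, now):
    """Return 'GRANT', 'ELEVATE' or 'DENY' for a user and policy OID."""
    rows = conn.execute(QUERY, (user_id, policy_oid, now)).fetchall()
    if not rows:
        return "DENY"  # assumption: no association means no access
    denies = [can_override for is_deny, can_override in rows if is_deny]
    if not denies:
        return "GRANT"
    # assumption: any deny outranks grants; the user may override the
    # decision only if every applicable deny row has CanOverride set
    return "ELEVATE" if all(denies) else "DENY"
```

In this sketch an "ELEVATE" outcome is the point at which a PolicyOverride row (PolicyId, UserId, ReasonConceptId, OverrideTime) would be written before access proceeds.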

Last edited Jan 13, 2016 at 6:57 PM by jf03cg, version 3