Security Model for Data at Rest

The TRELLIS framework creates a strong security model to protect Data at Rest. Within a single TRELLIS database component deployment, there are two root level Instance concept types:

A single deployment of a TRELLIS database can have multiple User Profiles (one for each person with access to the solution) and multiple Workspaces (to protect actual Instance data).

Each TRELLIS database will contain a “Server Owner” Workspace, which contains all the configuration data required by the solution. The database can also contain one or more “Customer” Workspaces to host the data that will be made available by the solution. The ability to host multiple “Customer” Workspaces was added for multi-tenant deployments within a single TRELLIS database.

Every Instance of data created within a Workspace is contained within a compartmentalised security zone defined by the Workspace. This means that an Instance record created in Workspace A is never visible to Workspace B.

If necessary, Instance data from Workspace A can be shared with Workspace B using the Data in Motion components – this will preserve the integrity of the security model of the Workspaces. An interesting use-case for this scenario is creating Workspaces for each “Branch” of a business and then using Data in Motion to aggregate summary data into an “Executive” Workspace for reporting and analysis.

Access to Workspaces is granted to specific people by means of a User Profile. A User Profile uniquely identifies a person (or external system). The mechanism for generating a User Profile depends upon the security model chosen. Currently TRELLIS implements three models:

Having a User Profile GUID doesn’t directly grant access to Workspace Instance records. A person must first be invited to join the Workspace. When the person has completed the join process, a User record is created for the person which references their User Profile GUID. The User record allows the person to access an authorised set of Instance records and functionality.

A person may join multiple Workspaces, so that they have single sign-on within the TRELLIS database of Workspaces. They may also join the same Workspace multiple times to access different sets of Instance records with different functionality. For example, the same person may typically access a Workspace using a “normal” user role, but on occasion may need to escalate to an administrative role. People may also be assigned different User privileges to access different operational roles, such as Customer Service and Human Resources.

The User security model is relatively simple and divides the authorisation into two distinct areas:

The Instance records (User, Group, Team, Application and Role) are maintained as managed XML data. The Tables (UserGroups, UserTeams, UserApps, UserRoles) are implemented as regular database tables for performance reasons.

To simplify the onboarding process for new Users, a Workspace User Administrator can define multiple “Invite User” templates that provide a default set of Groups, Teams, Applications and Roles for each User. When a User receives an invitation to join a Workspace, they are provided with a GUID to the “Invite User” template. As they complete the join process, their new User record is provisioned according to the template. The Workspace User Administrator can also include a manual authentication step to prevent unauthorised people from using the invitation to gain access to the Workspace.
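The following is an added example, not TRELLIS code, that models the Workspace compartmentalisation, the User Profile / User record split, repeated joins of one Workspace with different roles, and template-driven provisioning described above in a small SQLite schema. All table and column names (user_profile, workspace, user_record, user_roles, invite_template, instance) and the sample Workspaces, roles, templates and records are constructed assumptions chosen to mirror the concepts in the text; they are not TRELLIS’s actual schema. Only Roles are modelled, standing in for the Group/Team/Application/Role tables.

```python
import sqlite3
import uuid

# Constructed schema (assumption, not the TRELLIS schema). Every data
# query is scoped by the Workspace of a User record, never by the
# person's User Profile GUID alone.
SCHEMA = """
CREATE TABLE user_profile (
    profile_guid TEXT PRIMARY KEY,
    display_name TEXT NOT NULL);
CREATE TABLE workspace (
    workspace_id TEXT PRIMARY KEY,
    kind TEXT NOT NULL CHECK (kind IN ('ServerOwner', 'Customer')));
CREATE TABLE role (
    role_id INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL REFERENCES workspace,
    name TEXT NOT NULL);
CREATE TABLE invite_template (
    template_guid TEXT PRIMARY KEY,
    workspace_id TEXT NOT NULL REFERENCES workspace,
    requires_approval INTEGER NOT NULL DEFAULT 0);
CREATE TABLE invite_template_role (
    template_guid TEXT NOT NULL REFERENCES invite_template,
    role_id INTEGER NOT NULL REFERENCES role);
-- One User record per join; the same profile may hold several.
CREATE TABLE user_record (
    user_id INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL REFERENCES workspace,
    profile_guid TEXT NOT NULL REFERENCES user_profile);
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES user_record,
    role_id INTEGER NOT NULL REFERENCES role);
CREATE TABLE instance (
    instance_id INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL REFERENCES workspace,
    xml TEXT NOT NULL);
"""


def build_db():
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO workspace VALUES (?, ?)", [
        ("server-owner", "ServerOwner"), ("ws-a", "Customer"), ("ws-b", "Customer")])
    # role_id values are assigned 1, 2, 3 in insertion order.
    conn.executemany("INSERT INTO role (workspace_id, name) VALUES (?, ?)", [
        ("ws-a", "normal"), ("ws-a", "admin"), ("ws-b", "normal")])
    # The admin template carries the manual authentication step.
    conn.executemany("INSERT INTO invite_template VALUES (?, ?, ?)", [
        ("tpl-a-normal", "ws-a", 0), ("tpl-a-admin", "ws-a", 1), ("tpl-b-normal", "ws-b", 0)])
    conn.executemany("INSERT INTO invite_template_role VALUES (?, ?)", [
        ("tpl-a-normal", 1), ("tpl-a-admin", 1), ("tpl-a-admin", 2), ("tpl-b-normal", 3)])
    conn.executemany("INSERT INTO instance (workspace_id, xml) VALUES (?, ?)", [
        ("ws-a", "<Customer id='1'/>"), ("ws-a", "<Customer id='2'/>"),
        ("ws-b", "<Customer id='9'/>")])
    return conn


def create_profile(conn, display_name):
    """A User Profile identifies a person but grants no Workspace access."""
    guid = str(uuid.uuid4())
    conn.execute("INSERT INTO user_profile VALUES (?, ?)", (guid, display_name))
    return guid


def join_workspace(conn, profile_guid, template_guid, approved_by=None):
    """Complete a join: create a User record provisioned from the invite template."""
    row = conn.execute(
        "SELECT workspace_id, requires_approval FROM invite_template WHERE template_guid = ?",
        (template_guid,)).fetchone()
    if row is None:
        raise LookupError("unknown invite template")
    workspace_id, requires_approval = row
    if requires_approval and approved_by is None:
        raise PermissionError("invitation needs approval by a Workspace User Administrator")
    user_id = conn.execute("INSERT INTO user_record (workspace_id, profile_guid) VALUES (?, ?)",
                           (workspace_id, profile_guid)).lastrowid
    conn.execute("INSERT INTO user_roles SELECT ?, role_id FROM invite_template_role "
                 "WHERE template_guid = ?", (user_id, template_guid))
    return user_id


def visible_instances(conn, user_id):
    """Instances reachable through one User record: its Workspace only."""
    rows = conn.execute(
        "SELECT i.instance_id FROM instance i JOIN user_record u "
        "ON u.workspace_id = i.workspace_id WHERE u.user_id = ? ORDER BY i.instance_id",
        (user_id,)).fetchall()
    return [r[0] for r in rows]


def user_roles(conn, user_id):
    rows = conn.execute(
        "SELECT r.name FROM user_roles ur JOIN role r ON r.role_id = ur.role_id "
        "WHERE ur.user_id = ? ORDER BY r.name", (user_id,)).fetchall()
    return [r[0] for r in rows]


def demo():
    """Alice joins Workspace A twice (normal and admin); Bob joins Workspace B."""
    conn = build_db()
    alice, bob = create_profile(conn, "Alice"), create_profile(conn, "Bob")
    alice_normal = join_workspace(conn, alice, "tpl-a-normal")
    alice_admin = join_workspace(conn, alice, "tpl-a-admin", approved_by="ws-a-user-admin")
    bob_normal = join_workspace(conn, bob, "tpl-b-normal")
    return {
        "alice_normal": (visible_instances(conn, alice_normal), user_roles(conn, alice_normal)),
        "alice_admin": (visible_instances(conn, alice_admin), user_roles(conn, alice_admin)),
        "bob_normal": (visible_instances(conn, bob_normal), user_roles(conn, bob_normal)),
        "alice_memberships": conn.execute(
            "SELECT COUNT(*) FROM user_record WHERE profile_guid = ?", (alice,)).fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows that Alice’s two User records see the same Workspace A Instances but carry different roles, that Bob’s record in Workspace B can never reach Workspace A data, and that the admin invitation cannot be completed without the administrator’s approval step.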