One of the key tenets of the OpenIZ immunization management system is privacy and security by design. To that end, the OpenIZ IMS supports not only external policy enforcement decisions and role providers, but also provides internal policy engines for use when external policy decision points are not available.
The following figure illustrates the relationships between the various security subsystem tables found in the OpenIZ data model.
| Table | Column | Type | Description |
|---|---|---|---|
| Policy | (None) | N/A | The policy table is a complete dictionary of policies that can be applied to acts within the OpenIZ IMS. |
| | PolicyId | UUID | Uniquely identifies the policy within the OpenIZ system. |
| | PolicyOid | VARCHAR | A globally unique identifier in the form of an OID for the policy. |
| | Name | VARCHAR | A human readable name for the policy. |
| | Handler | VARCHAR | An assembly qualified name (AQN) of an IPolicyHandler implementation which is triggered when the policy rule fires. |
| SecurityUser | (None) | N/A | The security user table stores the master list of users that have secured access to the OpenIZ IMS functions. |
| | UserId | UUID | A unique identifier for the user. |
| | UserName | VARCHAR | A unique identifier for the security user that a human may use to access the OpenIZ IMS system. |
| | PasswordHash | VARCHAR | A SHA256 hash of the user's password. |
| | SecurityStamp | VARCHAR | A unique security stamp for the user account. This can include a salt for the user password, or some other security tag for the user. |
| | InvalidLoginAttempts | INT | The number of times that a person has attempted to access the OpenIZ IMS with invalid credentials. |
| | UserPhoto | VARBINARY | An optional photograph for the user. |
| | | VARCHAR | An electronic mail telecommunications address that can be used to contact the user. |
| | EmailConfirmed | BIT | Indicates whether the email address of the user has been confirmed. |
| | TwoFactorEnabled | BIT | Indicates whether the user account requires two-factor authentication. The TFA mechanism is enabled by the ITwoFactorAuthenticationService implementation. |
| | LockoutEnabled | BIT | Indicates whether the user account is in a state of lockout. |
| | CreationTime | DATETIME | The time when the user account was created. |
| | CreatedBy | UUID | Identifies the user who was responsible for the creation of the security user. |
| | ObsoletionTime | DATETIME | When populated, indicates the time when the user account did or will become obsolete. |
| | ObsoletedBy | UUID | The identifier of the user who was responsible for obsoleting the record. |
| | ObsoletionReason | VARCHAR | The reason why the security user was obsoleted. |
| | UpdatedTime | DATETIME | The timestamp of the last update to the user record. |
| | UpdatedBy | UUID | Identifies the user who was responsible for the last edit of the security user. |
| SecurityUserClaims | (None) | N/A | The security user claims table stores claim tokens associated with a user account/session. |
| | ClaimId | UUID | A unique identifier for the claim. |
| | UserId | UUID | Identifies the user to which the claim applies. |
| | ClaimType | VARCHAR | The type or classification of the claim that has been made. |
| | ClaimValue | VARCHAR | The value of the claim token. |
| SecurityUserLogins | (None) | N/A | The security user logins table tracks external authorization providers associated with a user account. |
| | LoginProvider | VARCHAR | The provider (Google, Microsoft, etc.) which holds the external credential. |
| | ProviderKey | VARCHAR | The key of the user identifier in the provider system. |
| | UserId | UUID | Identifies the user to which the external login applies. |
| SecurityRole | (None) | N/A | The security role table stores the security (user) roles that can be used in policy-based decisions. |
| | RoleId | UUID | Uniquely identifies the security role. |
| | Name | VARCHAR | A human readable name for the role. |
| | CreationTime | DATETIME | The moment in time when the security role was created. |
| | CreatedBy | UUID | Identifies the user who was responsible for the creation of the role. |
| | ObsoletionTime | DATETIME | When present, identifies the date/time when the role became obsolete. |
| | ObsoletedBy | UUID | Identifies the user who was responsible for the obsoletion. |
| | ObsoletionReason | VARCHAR | The reason for the obsoletion of the record. |
| SecurityUserRole | (None) | N/A | An associative entity table between a security user and a role. |
| | UserId | UUID | Identifies the user of the association. |
| | RoleId | UUID | Identifies the role to which the association applies. |
| SecurityRolePolicy | (None) | N/A | The security role policy is an associative entity table that links security roles to policies which can be used in a policy decision. |
| | RolePolicyId | UUID | Uniquely identifies the tuple. |
| | RoleId | UUID | Identifies the role to which the security role policy association applies. |
| | PolicyId | UUID | Identifies the policy that is being applied to the role. |
| | IsDeny | INT | When true, indicates that the policy decision process should deny all requests to the policy. |
| | CanOverride | BIT | When true, indicates that when a policy decision is made, a user within the role can override the decision. |
| PolicyOverride | (None) | N/A | A table that stores data related to policy overrides. |
| | PolicyOverrideId | UUID | Uniquely identifies the policy override record. |
| | PolicyId | UUID | Identifies the policy that was overridden. |
| | UserId | UUID | Identifies the user who was responsible for the override. |
| | ReasonConceptId | UUID | Identifies the reason why the policy was overridden. |
| | OverrideTime | DATETIME | The time that the override occurred. |
| | CreationTime | DATETIME | The time when the override record was created. |
| | CreatedBy | UUID | Identifies the user who was responsible for the creation of the override record. |
| ActPolicy | (None) | N/A | The ActPolicy table associates a policy with an act. |
| | ActPolicyId | UUID | A unique identifier for the act policy association. |
| | EffectiveVersionId | UUID | Identifies the version of the act from which the policy is active. |
| | ObsoleteVersionId | UUID | Identifies the version of the act from which the policy no longer applies. |
| | PolicyId | UUID | Identifies the policy that is associated with the act. |
| SecurityDevice | (None) | N/A | The security device table stores data related to an authorized device that can access the OpenIZ IMS. |
| | DeviceId | UUID | Uniquely identifies the device. |
| | DeviceSecret | VARBINARY | A secret that is used to verify whether the device can connect. |
| | CreationTime | DATETIME | The time when the record was created. |
| | CreatedBy | UUID | Identifies the user responsible for the creation of the record. |
| | ObsoletionTime | DATETIME | When present, indicates the time when the device record became or will become obsolete. |
| | ObsoletedBy | UUID | Identifies the user who is responsible for the obsoletion of the device. |
| | ReplacesDeviceId | UUID | Identifies the old device that the current device replaces. |
| SecurityDevicePolicy | (None) | N/A | An associative entity that links a security device to a policy. |
| | DevicePolicyId | UUID | A unique identifier for the device policy association. |
| | DeviceId | UUID | Identifies the device to which the association applies. |
| | PolicyId | UUID | Identifies the policy to which the association applies. |
| | IsDeny | BIT | When true, instructs the decision engine to deny access to an act or policy. |
| SecurityApplication | (None) | N/A | The security application table stores records associated with an application. |
| | ApplicationId | UUID | Uniquely identifies the application. |
| | ApplicationSecret | VARBINARY | A secret that is used by the application to authenticate itself. |
| | CreationTime | DATETIME | The time when the application was created. |
| | CreatedBy | UUID | The user responsible for registering the application. |
| | ObsoletionTime | DATETIME | The time when the application record did become or will become obsolete. |
| | ObsoletedBy | UUID | Identifies the user who obsoleted the record. |
| | ReplacesApplicationId | UUID | Identifies the application that this current version of the application record replaces. |
| SecurityApplicationPolicy | (None) | N/A | An associative entity that links a security application to a policy. |
| | ApplicationPolicyId | UUID | A unique identifier for the application policy association. |
| | ApplicationId | UUID | Identifies the application to which the association applies. |
| | PolicyId | UUID | Identifies the policy to which the association applies. |
| | IsDeny | BIT | When true, instructs the decision engine to deny access to an act or policy. |
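The following added example (not OpenIZ code) shows how the SecurityRolePolicy, PolicyOverride and ActPolicy rows above combine into a decision for a user. The deny-wins ordering, the ELEVATE outcome for an overridable deny, treating an unmatched policy as deny, and all sample identifiers are assumptions made for the illustration, not the IMS decision algorithm.

```python
from dataclasses import dataclass
from enum import Enum
from uuid import UUID, uuid4


class Outcome(Enum):
    DENY = 0      # not permitted
    ELEVATE = 1   # denied, but a role permits the user to override with a recorded reason
    GRANT = 2     # permitted


@dataclass(frozen=True)
class RolePolicy:          # one SecurityRolePolicy row
    role_id: UUID
    policy_id: UUID
    is_deny: bool
    can_override: bool


@dataclass(frozen=True)
class PolicyOverride:      # one PolicyOverride row recorded by the user
    policy_id: UUID
    user_id: UUID
    reason_concept_id: UUID


def decide(user_id, user_roles, policy_id, role_policies, overrides):
    """Assumed ordering: a non-overridable deny wins; an overridable deny
    yields ELEVATE until a PolicyOverride row exists; no row at all is deny."""
    rows = [r for r in role_policies
            if r.role_id in user_roles and r.policy_id == policy_id]
    if not rows or any(r.is_deny and not r.can_override for r in rows):
        return Outcome.DENY
    if any(r.is_deny for r in rows):
        overridden = any(o.policy_id == policy_id and o.user_id == user_id
                         for o in overrides)
        return Outcome.GRANT if overridden else Outcome.ELEVATE
    return Outcome.GRANT


def decide_act(user_id, user_roles, act_policy_ids, role_policies, overrides):
    """Every policy linked to the act via ActPolicy must be satisfied, so the
    weakest per-policy outcome becomes the outcome for the act (assumption)."""
    outcomes = [decide(user_id, user_roles, p, role_policies, overrides)
                for p in act_policy_ids]
    return min(outcomes, key=lambda o: o.value) if outcomes else Outcome.GRANT


# Constructed sample rows (hypothetical roles, policies and user; not real data)
CLINICIAN, AUDITOR = uuid4(), uuid4()           # RoleId values
READ_CLINICAL, EXPORT_DATA = uuid4(), uuid4()   # PolicyId values
ALICE, BREAK_GLASS_REASON = uuid4(), uuid4()    # UserId, ReasonConceptId
ROLE_POLICIES = [
    RolePolicy(CLINICIAN, READ_CLINICAL, is_deny=False, can_override=False),
    RolePolicy(CLINICIAN, EXPORT_DATA, is_deny=True, can_override=True),
    RolePolicy(AUDITOR, EXPORT_DATA, is_deny=True, can_override=False),
]
```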