Application Security Model
BluBØX’s application security model is based on the notion of Access Control Lists (ACLs). An ACL is a set of rules that specifies which users may access which objects in a system. This concept will be familiar to anyone who uses a file server. The administrator of the file server establishes permissions for files, directories or folders, and executable programs. These permissions specify who may read, write or execute the resource(s) in question, and under what circumstances they may do so.
In BluBØX applications, the same concepts are used, both explicitly at the UI level, as in the case of our Tiered Administration capabilities, and implicitly, in a behind-the-scenes “matrix” that indicates, for every object in the system, which authenticated entities may look at or alter the object.
For example, the object representing the control panel in an office may be accessed by any Administrator in your account who has sufficient permissions to do so. No Administrator outside of your account can see or make changes to the control panel.
Can an Administrator from another account get around these restrictions? Can they get around the application restrictions by accessing directories or files directly? The answer is “No” and the detailed technical reasons are explained in the next section.
BluBØX has implemented a computer industry standard application security model known as instance-based security. This approach is based on a programming model and set of modules which allows developers to implement a set of security measures that are consulted each time an end-user attempts to access an instance of data, such as a user record.
In contrast to some application designs (web-based as well as other technologies), the security framework enforces permissions not only when an end-user enters the application, but each and every time that user attempts to perform an operation on an object. In other words, a user’s permissions (such as those of an Administrative login) are checked each time an action is attempted. This means that even if an Administrator from another account attempts to gain access to another account (e.g., by altering URLs), the attempt will fail because that Administrator will not pass the authorization check for the object he or she is trying to change.
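The per-operation, per-instance check described above, as an added illustration that is not BluBØX’s own code: every service call resolves the object by ID and then consults that object’s ACL row for the calling login, so an Administrator from another account supplying a valid ID (for example, by editing a URL) is still refused. Account names, object IDs and the role-to-action mapping are constructed sample data.

```python
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    """Raised when the per-instance check fails (or the object does not exist)."""

@dataclass(frozen=True)
class Principal:            # an authenticated login, e.g. an Administrator
    name: str
    account: str
    roles: frozenset

@dataclass
class Resource:             # any object in the system, e.g. a control panel
    obj_id: str
    account: str
    acl: dict               # this object's row of the "matrix": role -> allowed actions
    settings: dict = field(default_factory=dict)

def authorize(principal: Principal, action: str, resource: Resource) -> bool:
    """Instance-based check, consulted on every operation rather than once at login."""
    if principal.account != resource.account:
        return False                          # objects never cross account boundaries
    allowed = set().union(*(resource.acl.get(r, set()) for r in principal.roles))
    return action in allowed

class Service:
    def __init__(self, resources):
        self._store = {r.obj_id: r for r in resources}

    def _load(self, principal, action, obj_id):
        # The ID (e.g. taken from a URL) only locates the object; access still depends
        # on the ACL. Missing and forbidden objects look identical to the caller, so
        # guessing IDs does not even reveal which ones exist.
        resource = self._store.get(obj_id)
        if resource is None or not authorize(principal, action, resource):
            raise AuthorizationError(f"{principal.name} may not {action} {obj_id}")
        return resource

    def read(self, principal, obj_id):
        return dict(self._load(principal, "read", obj_id).settings)

    def update(self, principal, obj_id, key, value):
        self._load(principal, "write", obj_id).settings[key] = value
        return True

# Constructed sample data: two accounts, one control panel each.
PANEL_ACME = Resource("panel-1001", "acme", {"admin": {"read", "write"}, "viewer": {"read"}}, {"name": "Lobby"})
PANEL_GLOBEX = Resource("panel-2002", "globex", {"admin": {"read", "write"}}, {"name": "HQ"})
SERVICE = Service([PANEL_ACME, PANEL_GLOBEX])
ACME_ADMIN = Principal("alice", "acme", frozenset({"admin"}))
ACME_VIEWER = Principal("bob", "acme", frozenset({"viewer"}))
GLOBEX_ADMIN = Principal("carol", "globex", frozenset({"admin"}))
```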