NOTE: Trivore ID Documentation has moved to https://trivoreid.com

The content on this site IS OUT OF DATE!

This space has been archived!

Please go ahead to the new site!

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

This page describes the logical locations of data for both user accounts and applications/services. The rationale combining these two seemingly different entities is simple: both may own similar objects, and both may share same objects. This sharing capability is of course controlled and safe when done right.

The graph above has four main entities, two user accounts and two applications/services (all darker blue). We use here both terms “application” and “service” interchangeably as they are the same thing in this context, yet many people only use the other term. We cover these more carefully later.

The fifth blue box represents the traditional user account group. These are shown here mostly due to them being able to carry access control and thus give access for their members.

There are three kind of private data types (all yellow), which are some of the main entities we concentrate on in this page. For user accounts the data types are user tags, and user custom fields. Each user account owns its own user tags, and custom fields. For accounts/services the private data type is application private tokens. Each application owns its own set of these tokens. For all these, we cover the access below.

In addition to the private data types, there are two public data types (both green). These data types are relatively close to each other by access control and usage. The main difference is in data structures to be stored. User tokens are simple, but data storage may store almost anything in it.

First we need to cover briefly few major terms.

Access control

A broad subject covering means to allow or deny access. Default access is always denying access.

Access control is defined often in lists, one for read+write and one for read-only. If an entity such as user or service is in a list, it will get appropriate access. Term access control list (ACL) and access control entry (ACE) are often used. ACE is one item in ACL. Access control is used purely for security purposes, not per permission management.

Another layer to access control is OAuth 2.0 and related user access tokens, which are entitled during signing in to the Trivore Identity Service OpenID Connect Provider. This mean to gain access is available for user accounts, and it may give access to additional data.

Similar to the above OAuth 2.0 is the management API, and management API clients. Integrating applications and services have very often a management API client defined for them. That is, management API client is used by applications and services. This client has security credentials, but more importantly it has permissions allocated to it. Those permissions give it access to data and other functionality.

Please note the access control is totally different internal control layer from user access token and management API client, which cover broader access capability from outside of service. For effective access state all three must be considered.

Trivore Identity Service (TIS) can be used to store small amounts of application specific data. There are a number of different types of data persistence points for different kinds of data. This chapter covers the basics of those points and gives recommendations on which point to use in which situation.

User related data persistence

The data persistence points in this section are related to user accounts in some way. The user tags are the most lightweight data structures, but they do not offer access control and can only store pieces of strings.

The user custom fields are key-value pairs and can hold more complex data than the user tags, but custom fields also do not have support for complex access management.

The user tokens are the most advanced user related data structure with access management support. User tokens are key-value pairs, but many types of data can be stored in them.

User Tags

User tags are pieces of strings, which are attached to the user account. The user tags are indexed and users can be queried by tags. User tags can also be thought as lightweight groups, where a tag is the name of the group. TIS does not internally use user tags for anything and makes no interpretations on the meaning of the tags. It is up to the external application to

Namespace default tags can also be set for each namespace. The default tags are suggested in user tag editor field in the Web UI's user editor. Users can edit their own tags without any special permission. Also Management API Clients and users with ACCOUNT_MODIFY permission can change tags of any users belonging to an accessible namespace.

See User tags page for more information on how to use tags efficiently.

User custom fields

Custom fields are a set of freely specified field names and values. The values can be strings, booleans, numbers or objects. They can be used in user search by using filter keys like 'customFields.{fieldName}'.

User Custom fields can be used to add and manage application specific user related data for each user.

User custom fields are visible to all Management API Clients with ACCOUNTS_VIEW permission and access to the user's namespace. Custom fields are also always visible to users themselves. Also, the custom fields can be modified by any management api client with ACCOUNTS_MODIFY permission and access to user's namespace.

User tokens

User tokens are access controlled key-value pairs attached to user accounts. User tokens have a list of entities, which are allowed to read the token and another list with entities, which are allowed to modify the token.
User tokens can be queried by key.

Others

The other data persistence points are not user related and can be used to store any application specific data. The limitations of these storage methods are explained in the more detailed documents.

Data storages

The Data Storage is intended to be a light-weight database to store structured data in searchable form. It is not a full-blown relational database management system, but it serves most use cases for cloud and mobile-first applications. It has built-in access control, which can be used to grant read-only or read-write access to users, groups of users, or Management API Clients.

The detailed data storage documentation can be found on Data storages .

Application private tokens

As the name suggest, the application private tokens are application specific and visible and accessible only to the Management API Client, that created them. The application private tokens can be used to store relative data. Each entry has a relatedId, key and a value. The application private tokens do not have support for complex access management. The use of application private tokens does not require any specific permission and any Management API client can utilise them.

Application private tokens are documented in much greater detail in the Application Private Tokens page.

Matrix

The matrix below shows the difference and similarity of each data type.

Data type

Scope

REST API access

Accessible with

Max amount

Considerations

User account custom fields

User account

/api/rest/v1/user/{userId}/customfields

  • User access token

  • Management API Client Credentials

Limited by combined user document size limit.

All fields are managed in bulk via REST. Take care when sharing between services.

User tokens

User account

User tokens have their own REST API endpoint:

/api/rest/v1/user/{userId}/token

  • User access token

  • Management API Client Credentials

  • Access control

Multiple may exist. For max size, see table below.

Good for smaller and low volume, controlled data sharing.

Application private tokens

External service, each Management API client has their own set of private tokens.

Application private tokens have their own REST API endpoint:

/api/rest/v1/token

  • Management API Client Credentials (for the owning service only)

Multiple tokens may exist. For max size, see table below.

Having too many tokens may decrease application performance. Optimal single token size is usually around 1 kilobyte. Design application carefully.

Data storage

Anything (Scope varies between data storages)

REST API endpoint:

/api/rest/v1/datastorage

  • User access token

  • Management API Client Credentials

  • Access control

Unlimited amount of tokens may exist. For max size for one, see table below.

Very performant. Each data storage may have different access controls.

User account (including identifying data and tags)

User account

/api/rest/v1/user

/api/rest/v1/user/{userId}/profile

OpenID UserInfo endpoint:

/openid/userinfo

  • User access token

  • Management API Client Credentials

For max size for one user account, see table below.

Holds some of the auxiliary user account data. Also holds all user identity data.

Table below shows important developer information on maximum data sizes. Total size includes keys, names, and some meta data, not only the main payload.

Data type(s)

Maximum combined total size

Allowance

User account (including tags, custom fields, identity data)

16 MB per user account

Unlimited amount of user accounts

User tokens

16 MB

Multiple tokens up to max size for each user account

Application private tokens

16 MB (current limit for all tokens of one service)

Multiple tokens up to max size for each service

Data storage

16 MB per storage

Multiple for each user account and for each service

  • No labels