Authentication and authorization

BSI IT-Grundschutz 2023 sections covered by this page
  • CON.10
  • CON.8
  • OPS.1.1.1
  • OPS.1.1.2
  • OPS.1.1.4
  • OPS.1.1.7
  • ORP.4

OX App Suite provides three types of administrative accounts (oxadminmaster, reseller and oxadmin) and one type of user account. Each account type is confined to its specific purpose and cannot "read down" or "write up" into another account tier. Note that authentication for oxadminmaster and oxadmin can be disabled through system configuration; doing so is strongly discouraged. Authentication is enabled by default.

As a general concept, every authentication and authorization decision is made on the server side, regardless of the interface used. Client-side validation exists only to catch user input mistakes and improve usability; it is not a security control.

oxadminmaster

The unique "oxadminmaster" account takes care of low-level provisioning of system resources, for example registering the database systems to be used, defining server instances, or creating contexts. Its credential is stored in the file /opt/open-xchange/etc/mpasswd as a password hash, computed with the BCrypt hashing algorithm by default. Access to this file is restricted to super-user accounts and the open-xchange system user account. Local or remote (e.g., SOAP, RMI) provisioning calls related to oxadminmaster functionality are validated against this password hash. The "oxadminmaster" account is mandatory.
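The two properties stated above, that the mpasswd file is readable only by root and the open-xchange user and that its entry is a BCrypt hash, are the ones an operator should verify on a running installation. The following audit script is an added example written for this page; it is not Open-Xchange code. It assumes the file holds one "account:hash" entry per line and that BCrypt hashes use the standard $2a$/$2b$/$2y$ modular-crypt form with a two-digit cost; both are assumptions about the file format, not something this page states. The minimum cost of 10 and the sample hashes are constructed for the demonstration.

```python
"""Audit an mpasswd-style file: file mode, owner/group and hash scheme.

Added example for this page, not Open-Xchange code. Assumed file format:
one ``account:hash`` entry per line, '#' lines are comments.
"""
import grp
import os
import pwd
import re
import stat
import tempfile

MPASSWD_DEFAULT = "/opt/open-xchange/etc/mpasswd"

# Assumed bcrypt layout: $2a$/$2b$/$2y$, two-digit cost, then 22-char salt
# and 31-char hash in the bcrypt base64 alphabet (53 chars in total).
BCRYPT_RE = re.compile(r"\$(2[aby])\$(\d{2})\$[./A-Za-z0-9]{53}")


def parse_bcrypt(stored: str):
    """Return (variant, cost) for a well-formed bcrypt string, else None."""
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        return None
    return m.group(1), int(m.group(2))


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:          # uid without a passwd entry (containers)
        return str(uid)


def _group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_mpasswd(path: str = MPASSWD_DEFAULT, expected_owner="root",
                  expected_groups=("root", "open-xchange"), min_cost: int = 10):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # The page requires access limited to root and the open-xchange user:
    # no permission bits for 'other', and nobody but the owner may write.
    if mode & stat.S_IRWXO:
        findings.append(f"mode {oct(mode)} grants access to 'other'")
    if mode & stat.S_IWGRP:
        findings.append(f"mode {oct(mode)} is group-writable")
    owner, group = _owner_name(st.st_uid), _group_name(st.st_gid)
    if expected_owner is not None and owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")
    if expected_groups is not None and group not in expected_groups:
        findings.append(f"group is {group}, expected one of {', '.join(expected_groups)}")
    accounts = set()
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if ":" not in line:
                findings.append(f"line {lineno}: no 'account:hash' separator")
                continue
            account, stored = line.split(":", 1)
            accounts.add(account)
            parsed = parse_bcrypt(stored)
            if parsed is None:
                findings.append(f"{account}: stored value is not a bcrypt hash")
            elif parsed[1] < min_cost:
                findings.append(f"{account}: bcrypt cost {parsed[1]} is below {min_cost}")
    if "oxadminmaster" not in accounts:
        findings.append("no oxadminmaster entry found")
    return findings


# Constructed 53-character bcrypt tail; format-valid only, not a real credential.
SAMPLE_BCRYPT_TAIL = "R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"


def demo() -> dict:
    """Run the audit on two constructed files: one compliant, one not."""
    me = _owner_name(os.getuid())
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "mpasswd.good")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write(f"oxadminmaster:$2b$12${SAMPLE_BCRYPT_TAIL}\n")
        os.chmod(good, 0o640)
        bad = os.path.join(tmp, "mpasswd.bad")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write("oxadminmaster:secret\n")                      # plaintext
            fh.write(f"reseller1:$2a$04${SAMPLE_BCRYPT_TAIL}\n")    # weak cost
        os.chmod(bad, 0o644)                                        # world-readable
        for name, path in (("good", good), ("bad", bad)):
            file_group = _group_name(os.stat(path).st_gid)
            results[name] = audit_mpasswd(path, expected_owner=me,
                                          expected_groups=(file_group,))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

On a real host, call audit_mpasswd() with its defaults so that the owner and group are checked against root and open-xchange; demo() relaxes those two expectations to the current user only so that the example runs unprivileged.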

reseller

One or more "reseller"-type accounts can be created to allow trusted third parties to manage portions of the deployment, for example by creating contexts, but they cannot perform low-level administration. Credentials for this kind of account are stored in the database (user table) as a password hash, computed with the SHA-256 hashing algorithm by default. Local or remote (e.g., SOAP, RMI) provisioning calls related to reseller functionality are validated against this password hash. "reseller" accounts are optional and require specific system configuration.

oxadmin

One "oxadmin" account is created for each context. It allows management of the objects within that context, including user accounts and resources. Credentials for this kind of account are stored in the database (user table) as a password hash, computed with the SHA-256 hashing algorithm by default. Local or remote (e.g., SOAP, RMI) provisioning calls related to oxadmin functionality are validated against this password hash. "oxadmin" accounts are mandatory.

user

One or more "user" accounts can be created for each context. They allow access to end-user functionality within that context, including mail, calendaring and cloud storage features. Depending on the chosen authentication concept, credentials are either stored outside the system and access to OX App Suite is granted by validating tokens (e.g., using OpenID Connect), or they are stored in the database (user table) as a password hash, computed with the SHA-256 hashing algorithm by default.

User-level accounts can be restricted to specific product features through user-object configuration or, for more advanced taxonomies, through context sets or user group configuration. Access to user content is governed by ACLs which, depending on the permissions granted, users can define themselves. Content access control is therefore largely self-managed by the user population.

Every user-level access, including all HTTP and DAV API access, is checked against local or external user credentials or authentication tokens derived from them. User accounts are generally restricted to the context in which they were provisioned. Cross-context sharing is available depending on system configuration; it does not migrate user accounts between contexts but creates guest accounts instead. "user" accounts are mandatory.