Authorization
BSI IT-Grundschutz 2023 sections covered by this page
- CON.10
- APP.3.1
The permission layer secures every API published by OX App Suite middleware. The permission layer is a folder-based ACL description for objects managed within OX App Suite (appointments, tasks, contacts, messages, etc.).
A folder permission tells OX App Suite which level of access a user has been granted for a particular folder. Folder permissions are defined in the properties of each folder along with other attributes. By default, a private folder can be read only by its owner. If the user wants other people to be able to manipulate these folders, the user must grant them specific access rights. Once the user has set permissions on, for example, the user's inbox, any folder created as a sub-folder of this inbox inherits the same permissions, so permissions do not have to be set manually on new folders.
This applies to every new sub-folder: it inherits the permissions of the folder directly above it. Every folder has its own permission set, which can hold permissions for more than one user, with each user having a different degree of access. The user can also give permissions to whole groups of people without needing to specify every person individually.
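The behaviour described above as a small model, added here as an example and not OX App Suite code. The names Access, Folder, effective_access and is_allowed are hypothetical, and both the "strongest matching entry wins" rule and copying the parent ACL at creation time are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    # Hypothetical access levels for this sketch, ordered weakest to strongest.
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3


@dataclass
class Folder:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # "user:<name>" / "group:<name>" -> Access

    def __post_init__(self):
        # Default for a private folder: only the owner has access.
        if not self.acl:
            self.acl = {f"user:{self.owner}": Access.ADMIN}

    def grant(self, entity: str, level: Access) -> None:
        self.acl[entity] = level

    def create_subfolder(self, name: str) -> "Folder":
        # A new sub-folder starts with the permissions of the folder directly
        # above it (modelled as a copy; the page only says they are inherited).
        return Folder(name, self.owner, dict(self.acl))

    def effective_access(self, user: str, groups: dict) -> Access:
        # Strongest of the user's own entry and the user's group entries (assumed rule).
        member_of = {f"group:{g}" for g, members in groups.items() if user in members}
        entities = {f"user:{user}"} | member_of
        return max(self.acl.get(e, Access.NONE) for e in entities)


def is_allowed(folder: Folder, user: str, groups: dict, needed: Access) -> bool:
    # Default deny: a user with no matching ACL entry resolves to Access.NONE.
    return folder.effective_access(user, groups) >= needed


# Constructed sample data.
GROUPS = {"sales": {"bob", "carol"}}
inbox = Folder("Inbox", owner="alice")
inbox.grant("user:dave", Access.READ)
inbox.grant("group:sales", Access.WRITE)
projects = inbox.create_subfolder("Projects")
```
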
Below you will find the architectural diagram:
The picture shows that the permission layer controls any possible access to objects and/or entities available in OX App Suite.
Potential Security Risk
An administrator or developer may gain direct access to objects and bypass the API-level authorization offered by OX App Suite middleware. This may include cases where those roles can issue custom SQL statements or directly access information storage systems. Protecting these sub-systems is not considered in scope of OX App Suite.