Multi-Tenant Configuration

Since OX App Suite is designed for SaaS use, it supports a multi-tenant setup. A tenant is a set of users that are allowed to interoperate with each other in terms of groupware functionality. In the OX App Suite documentation and APIs, a tenant is called a "context" or "ctx".

Potential Security Risk

It must not be possible for a tenant to share information with another tenant unless this is explicitly permitted by authorization.

Current Implementation and Completeness

Every tenant has an identifier that is unique throughout the whole cluster, the "context-id" or "cid". During authentication, the login name entered by the user is resolved into two parts, the username and the associated context-id, which are then returned to the application layer. Optionally, this mapping can be performed by trusted external 3rd party systems through an authentication plugin.

That tenant identifier is also stored in the associated user's session and is requested and verified whenever a tenant-bound operation is performed; e.g. the context-id must always accompany a tenant-bound database access. OX App Suite allows multiple tenants to be kept in one database schema, specified by a dedicated JDBC URL. Access to data outside that schema is impossible, as it is prohibited by the database system itself.

Therefore, every table specification needs to include the context-id in its primary key, so that this identifier separates the tenants' data in every composed SQL statement/query. As stated above, queries are then manually checked for correctness.

Known Security Incidents and Measures

The known risk is malformed SQL queries that do not properly use or obey tenant associations. It is practically impossible to technically enforce that every query/statement specifies the tenant identifier and thus only accesses the data it is allowed to access in the assigned schema. For newly introduced tables, and thus for the queries on these tables, Open-Xchange performs an automated workflow with several iterative steps in which such changes are reviewed. Those checks and automated processes are not performed for 3rd party bundles deployed into the OSGi framework.

Therefore, such 3rd party bundles need to be checked for potential security issues. To have a tenant's data secured by the database itself rather than by the correctness of every query, a one-schema-per-tenant architecture can be configured by the operator for environments with high security requirements.
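To make both the shared-schema model (context-id in every primary key, context-id in every query) and the one-schema-per-tenant alternative concrete, here is an added example. It is not OX App Suite code: the table "contact" and its columns are an illustrative stand-in for the real schema, SQLite stands in for the JDBC-addressed database, and the sample rows are constructed. It shows that a tenant-bound query carrying the cid returns only that tenant's row, that a malformed query omitting the cid leaks the row of another context sharing the schema, and that the same malformed query against a per-tenant database is confined by the database boundary alone. The regex check at the end is a crude review heuristic of my own, not Open-Xchange's review workflow.

```python
import re
import sqlite3

# Illustrative schema, not OX App Suite's: a tenant-bound table whose
# primary key includes the context-id (cid), as the section requires.
DDL = """
CREATE TABLE contact (
    cid   INTEGER NOT NULL,  -- context-id, the tenant identifier
    id    INTEGER NOT NULL,  -- object id, only unique together with cid
    email TEXT    NOT NULL,
    PRIMARY KEY (cid, id)
)
"""

# Constructed sample data: two contexts, both owning an object with id 10.
SAMPLE_ROWS = [
    (1, 10, "alice@tenant-a.example"),
    (1, 11, "bob@tenant-a.example"),
    (2, 10, "carol@tenant-b.example"),
]


def shared_schema() -> sqlite3.Connection:
    """Several tenants in one schema (the default layout described above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO contact VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def per_tenant_schemas() -> dict[int, sqlite3.Connection]:
    """One schema per tenant: each cid gets its own database, so the
    database boundary itself separates the tenants' data."""
    dbs: dict[int, sqlite3.Connection] = {}
    for cid, obj_id, email in SAMPLE_ROWS:
        if cid not in dbs:
            dbs[cid] = sqlite3.connect(":memory:")  # a separate DB per cid
            dbs[cid].execute(DDL)
        dbs[cid].execute("INSERT INTO contact VALUES (?, ?, ?)", (cid, obj_id, email))
    return dbs


def lookup_tenant_bound(conn: sqlite3.Connection, cid: int, obj_id: int) -> list[str]:
    """Correct: the session's context-id accompanies the access."""
    rows = conn.execute(
        "SELECT email FROM contact WHERE cid = ? AND id = ?", (cid, obj_id)
    )
    return [email for (email,) in rows]


def lookup_malformed(conn: sqlite3.Connection, obj_id: int) -> list[str]:
    """Malformed: the cid is missing, so id 10 matches in every context
    that shares the schema."""
    rows = conn.execute(
        "SELECT email FROM contact WHERE id = ? ORDER BY cid", (obj_id,)
    )
    return [email for (email,) in rows]


def constrains_cid(sql: str) -> bool:
    """Crude review heuristic (illustrative only): does the statement
    constrain cid at all? It catches the omission above, not every way a
    query can cross tenant boundaries."""
    return re.search(r"\bcid\s*=", sql, re.IGNORECASE) is not None


if __name__ == "__main__":
    shared = shared_schema()
    print("tenant-bound (cid=1, id=10):", lookup_tenant_bound(shared, 1, 10))
    print("malformed (id=10), shared schema:", lookup_malformed(shared, 10))
    per_tenant = per_tenant_schemas()
    print("malformed (id=10), schema of cid=1:", lookup_malformed(per_tenant[1], 10))
    for stmt in ("SELECT email FROM contact WHERE cid = ? AND id = ?",
                 "SELECT email FROM contact WHERE id = ?"):
        print("constrains cid?", constrains_cid(stmt), "--", stmt)
```

In the shared schema the malformed lookup for id 10 returns both alice and carol, i.e. a cross-tenant leak caused purely by a missing predicate; against the per-tenant databases the identical statement can only see the rows of the database the session's cid selected. The regex check illustrates why query review cannot be fully automated: it flags a statement that never mentions cid, but says nothing about whether the cid it does mention is the one from the session.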