Authentication Database

The Carapace Authentication database holds information about users -- names, addresses, passwords etc. -- as well as information about the roles they can perform and the resources they can access. The following authentication information about users is stored within the Carapace database:

• basic details such as a userId, password etc.
• addresses -- a user can have many names or addresses e.g. several email addresses for Internet email, several X.400 addresses etc.
• roles -- a user can perform several roles such as a simple read-only role or a powerful system administration one
• resources -- each role gives access to one or more resources.

The Auth interface defines functions for querying this authentication information. This is available both from Carapace script and from COM.

The Admin interface is the general administration interface for the Carapace database. As such it provides a set of methods for administering the Authorisation information. Since it is more likely that administration will be done by a person than by another computer system, the Admin interface can be accessed using a Web front end using any standard browser.

Basic Details

The following basic details are stored for each user within the Authentication database:

userId	a unique identifier for the user
password	the user's password
validFrom	date & time when the password is first valid
expiryTime	date & time when the password expires
description	a brief description of the user
title	Mr, Ms etc.
givenName	the user's given or first name
initials	the user's initials
surname	the user's surname or family name
postalAddress	the full postal address
city	city within their postal address
area	area or region within their postal address
country	name of the country
postcode	postcode or ZIP code
telephone	contact telephone number
fax	contact fax number
organisation	name of the organisation for which the user works
jobTitle	user's job title within that organisation

Addresses & Address Types

A user can have many different addresses of many different types. For example, using Internet email, a user may have all of the following addresses assigned to them:

fred.flintstone@cavedwellers.com f.flintstone@cavedwellers.com flinty@cavedwellers.com

Similarly, Fred Flintstone may also have equivalent X.400 addresses:

G=Fred/S=Flintstone/P=CaveDwellers/A=StoneMail/C=US I=F/S=Flintstone/P=CaveDwellers/A=StoneMail/C=US G=Flinty/P=CaveDwellers/A=StoneMail/C=US

Carapace allows multiple address types to be defined. A user can then have multiple different addresses of the same or of different types.

The Admin interface defines functions for administering the address types and the user's addresses. This has a Web front end for human users.

Roles & Resources

A user can perform several different roles. For example, even though Michelle is a system administrator, she generally wants to connect to the system with the privileges of a basic user since this protects against dangerous actions being done. In this example, Michelle therefore has two roles:

• basic user
• system administrator.

The things users can do -- i.e. the resources which they can access -- are defined by the roles they perform.

Carapace therefore allows multiple roles and multiple resources to be defined. In addition, the list of resources a role can access is configurable as is the list of roles a user can perform.

When a user attempts to connect to the system with a given role, Carapace checks the stored information and if the security details are OK, the user is given access to the resources identified by that role.

Contents

Index

Current topic: Carapace Hub

Related topics: message store