You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"selector" : "Selectors are SQL-like clauses that specify which records an API should act on. They are analogous to WHERE clauses in SQL. Each API (accessor/mutator) is associated with exactly one selector. The selector is specified at accessor/mutator creation time, either as a free text input in the UI, or as a string through the API. An example of a selector is: `{DateCreated} < ? AND {DateCreated} >= ?`. Each ? represents a parameter that is passed in an array, called SelectorValues, at API invocation time.",
3
+
"accessor": "Accessors are configurable APIs that allow a client to retrieve data from the user store. Accessors are intended to be use-case specific. For example, you might configure two separate accessors GetEmailForMarketing and GetEmailForAuthentication. They enforce data usage policies and minimize outbound data from the store for their given use case.",
4
+
"mutator": "Mutators are configurable APIs that allow a client to write data to the User Store. Mutators (setters) can be thought of as the complement to accessors (getters). Mutators are intended to capture and store purpose alongside the sensitive data. The mutator will save a configurable set of purposes alongside the data, such as operations, personalization or marketing.",
5
+
"access policy": "Access Policies control the circumstances in which data can be retrieved or edited. Practically, access policies are functions that receive contextual data and return true or false according to whether access is allowed or denied. Access policies can be composed from other access policies or access policy templates.",
6
+
"access policy template": "Access Policy Templates are parametrizable functions that can be parametrized to create multiple access policies with parallel logic. For example, you might create a template `User is over X years old`. You may use this template to create several access policy instances, allowing you to create conditional logic on a user's age group.",
7
+
"data transformer": "Data transformers are re-usable functions that manipulate data in UserClouds. They allow you to minimize the data that you pass or store for each use case. This is key for complying with the data minimization principles in regulations like GDPR. For example, you may use a transformer to pass the last 4 digits of an Social Security Number, rather than the raw SSN, from the store.",
8
+
"column": "The user data table is built from columns and populated with records. Each column has a primitive type (describing what the column stores, like string or boolean) and logical type (describing what the column represents, like address or phone number). Columns can store a single data value or multiple values, in which case they are called array columns.",
9
+
"tokenize": "When you tokenize a piece of sensitive data, you replace it with a secure (but usable) reference token. The token is then used in place of the data throughout systems. The token can be configured to retain the structure of the underlying data to prevent validation errors. The token is associated with an access policy which controls the circumstances in which the token can be exchanged for the original raw data.",
10
+
"resolve": "Exchange a token for the raw data it represents. Token resolution is controlled by the token's access policy.",
11
+
"context": "Context is evaluated by access policies to determine whether data access is allowed. Context is automatically generated by the server and can be augmented with additional data, generated and passed by the client.",
12
+
"token resolution policy": "An access policy applied to token resolution. This controls the circumstances in which the token can be resolved.",
13
+
"tenant": "A single, isolated instance of UserClouds's tech (APIs, user store etc). Typically, customers set up one tenant per environment (e.g.. dev / testing / production).",
14
+
"company": "A collection of team mates and tenants, used for billing and role management. Companies represent UserClouds's customers - e.g. the company that you work at.",
15
+
"organization": "Organizations are primarily used by B2B customers of UserClouds. They represent UserClouds's grand-customers (i.e. your customers). You’ll configure one organization for each client you serve, plus one organization for your employees (the Company Organization).",
16
+
"application": "A single OAuth2 client that can call the APIs of any IDPs configured in your tenant (e.g. primary - Auth0, back-up - Plex, third party - social). It is where you will configure how authentication works for your project. For example, you might configure the application to require two factor authentication via SMS or offer passwordless login.",
17
+
"permission": "A permission gives a user a right to take a particular action on an object in your system. Examples of permissions are view, edit, and manage-members.",
18
+
"object": "Objects are the nodes of your authorization graph. Each object represents a single user, group or asset (like a file or folder) in your system.",
19
+
"edge": "Edges are one-way connections between the objects on your graph. An edge give a source object a bundle of permissions on a target object. Each edge represents a real-world relationship between two objects in your systems, e.g. owner, manager, viewer.",
20
+
"edge type": "An edge type is a possible relationship between two object types. Each edge has exactly one type. Edge types specify a source object type, a target object type and a set / bundle of attributes (like read, edit or manage-members)",
21
+
"object type": "Object types are used to represent and enforce the common properties of objects in your graph. Every object must have exactly one type. Together with edge types, object types define the structure of the authorization model.",
22
+
"role": "In these docs, a role is a special type of relationship (edge type) that has a source object of type user. A role declares a bundle of attributes that users can have on another type of obejct. For clarity, we will try to use the naming convention {Target}-{Role} when discussing roles, e.g. tenant-owner, organization-member.",
23
+
"role instance": "A role instance is a single edge of a given role, e.g. if Alice is a member of Apple, we will refer to the edge of type organization-member from Alice to Apple as a role instance.",
24
+
"inherit": "One of the three attribute types. Inherit attributes are used to pass a permission from one user or group to another. Inherit states: if the target object has the attribute on a third object, the source object ‘inherits’ that attribute on the third object.",
25
+
"propagate": "One of the three attribute types. Propagate attributes are used to propagate permissions down a hierarchy of nested resources. Propagate states: if a third object has the attribute on the source object, the third object also gets the attribute on the target object",
26
+
"direct": "One of the three attribute types. Direct attributes are used for non-hierarchical relationships. They give the source object the permission on the target object.",
27
+
"token": "A token is a secure string that references and represents a piece of sensitive data. The token is used in place of sensitive data throughout systems. The token is associated with an access policy that controls the circumstances in which a service or user can exchange the token for the raw data.",
28
+
"attribute name": "Each attribute has a name and a scope. Attribute names describe the permission given by the attribute. Attribute names are modeled as strings like create, delete and manage-members.",
29
+
"attribute scope": "Each attribute has a name and a scope. Attribute scopes describe which object gets the permission and which object the permission is given on. They allow you to traverse the graph, so you can incorporate arbitrarily deep hierarchy in your authorization logic. There are three attribute scopes: direct, inherit and propagate.",
30
+
"purpose": "Purposes are used to track, enforce and audit user consent in User Store. Purposes have names like marketing, analytics and operations that map to the data processing purposes described in your privacy policy and terms of service. When users share data with you, they consent to a set of purposes for each piece of data that they share. For example, they might consent to using their email address for personalization, but not marketing. System columns are not associated with purposes.",
31
+
"data normalizer": "Data normalizers are used in mutators (write APIs) to manipulate inbound data. Any data transformer of type Transform or PassThrough can be used as a data normalizer. Transformers that tokenize data (i.e. of types 'Tokenize by Value' and 'Tokenize by Reference') cannot be used as normalizers.",
32
+
"Tokenize by Value": "Tokenize By Value Transformers create a resolvable token with an associated access policy. If the value of the raw data later changes, the token will resolve to the value of the data at the point of transformation (not the latest value). Token resolution does not consider user consents.",
33
+
"Tokenize by Reference": "Tokenize By Reference Transformers create a resolvable token with an associated access policy. If the value of the raw data later changes, the token will resolve to the latest value of the data (not the value at tokenization time). Tokens generated by reference also respect user consent changes, i.e. resolution will be blocked if the user no longer consents to the accessor's data processing purpose for the given piece of data.",
34
+
"consent": "User consents indicate which data processing purposes a user has consented to. Users can give and revoke consent for a particular purpose for any column of data. For example - they might consent to marketing by email but not by phone.",
35
+
"SelectorValues": "An array or list of values that are used to replace value placeholders in a selector. These values must be provided in the same order as the placeholders appear in the selector, and the type of each value must match the expected type of the variable placeholder.",
36
+
"term": "The basic component of a selector clause, representing a single condition that can be evaluated as true or false. Terms can involve comparisons between columns and values or other expressions.",
37
+
"conjunction": "A logical operator (e.g., AND, OR) that combines multiple TERMS in a selector clause, allowing for the construction of complex conditional logic.",
38
+
"column_identifier": "A reference within a selector to a specific column in UserClouds. This identifier is used to apply conditions or operations to that column.",
39
+
"value placeholder": "Specifically refers to the `?` symbol used in selectors, acting as a stand-in for a value to be supplied at the time the selector is executed.",
40
+
"operator": "A symbol or keyword used in selectors to compare values or perform arithmetic, logical, or other operations. Operators include equality checks (=, !=), comparisons (<, >, <=, >=), and pattern matching (LIKE, ILIKE).",
41
+
"system column": "The following are system columns in UserClouds: id, created, updated, organization_id, and version. UserClouds does not store user consents for system columns, so system columns may always be used in accessor selector clauses, regardless of accessor purpose/user consents.",
42
+
"purpose check": "Accessors (read APIs) are used to retrieve a pre-specified set of columns of data for 1+ users. Every accessor is associated with a purpose at creation time. At execution time, the accessor runs a purpose check. The purpose check filters out all users that have not consented to the accessor's specified purpose for all non-system columns that are retrieved or used in the selector. Note that since system columns are not associated with purposes, they are not subject to purpose checks."
0 commit comments