Account Security
The following split document Account model takes effect from Formbird versions 1.3.xxx onward.
There are four (4) Formbird documents that define a user's access to and permissions in the Formbird application.
- account - generally editable by the user and used by the application to control application behaviour that the user can interact with.
- accountControl - can carry an "admin" key so that it is read-only to the user. Systems are expected to be configured so that most users cannot modify this document for their own account; only accounts holding the necessary keys can modify it.
- accountSecurity - i.e. password and apiKey - must never leave the server or be sent to the client.
- accountGroupConfig - used to store user-related application configuration; can be linked to multiple user accounts.
account document
The account document contains the following:
Part | Description |
---|---|
The email address of the user, used as the login. | |
defaultURL | This is the default page the user will land on once logged into Formbird. |
menu | This stores the array of menu items that the user has added to their menu on the left hand pane of Formbird (when opened). |
Other attributes and fields may be added to this document, as it is the modifiable "User Account" form that people see in the system.
accountControl document
The accountControl document contains the following attributes, which are stored here so that the corresponding user cannot modify their own access without explicit permission:
Part | Description |
---|---|
verified | Flag denoting that the account belongs to a verified user. |
accessKeys | Array of permissions granted on particular security keys. |
attachKeys | Array of keyIds that are added to any document the user creates. |
accountRel | Link to the corresponding account document. |
disableEmailNotification | If set to true, the user will not receive an email notification for account activation. |
Sample accountControl document
{
  "documentId": "b334a702-12ab-11e8-94b9-cbba9a646574",
  "systemHeader": {
    "templateId": "54d96f610bc006eb84369a8d",
    "systemType": "accountControl",
    "createdWith": "54d96f610bc006eb84369a8d",
    "keyIds": [
      "05D0CCF4-3CB7-4183-8E33-082D77DD949B"
    ],
    "versionId": "6c2c5542-12b7-11e8-97a6-85e4002fe04c",
    "excludeGeneralSearch": false,
    "currentVersion": true,
    "createdDate": "2018-02-16T01:19:23.797Z",
    "createdBy": "540e51dd83fb24502699c931",
    "serverUpdatedDate": "2018-02-16T01:19:23.879Z",
    "serverCreatedDate": "2018-02-16T01:19:23.879Z",
    "previousVersionId": "48e4a7e2-12b7-11e8-97a6-85e4002fe04c"
  },
  "accessKeys": [
    {
      "keyId": "543c99dd2dafa7c211b38488",
      "rights": [
        "Create",
        "Update",
        "Read"
      ]
    },
    {
      "keyId": "452dda8d6803fa98058b1236",
      "rights": [
        "Read"
      ]
    },
    {
      "keyId": "56396997d95e72dc090e09de",
      "rights": [
        "Create",
        "Update",
        "Read"
      ]
    }
  ],
  "attachKeys": [
    "0b9385c7-d73e-45a5-b9db-99f55d243807",
    "2a26394c-5c98-468d-8403-64af2033dd58"
  ],
  "verified": true,
  "disableEmailNotification": false,
  "accountRel": [
    {
      "documentId": "85100e92-2a6e-11e6-98b2-c32ee74e5f0f",
      "name": "User Account - johndavis@formbird.com"
    }
  ]
}
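The following is an added example (not Formbird's own code) showing how the accessKeys and attachKeys shown above can be applied server-side: a right is granted only when one of the target document's systemHeader.keyIds appears in accessKeys with that right listed, and attachKeys are stamped onto any document the user creates. The matching rule, and treating an unverified account as having no rights, are assumptions of this example, not rules stated on the page.

```javascript
// Rights that can appear in an accessKeys entry (taken from the sample document).
const RIGHTS = new Set(["Create", "Update", "Read"]);

// Assumption: access is granted if ANY of the document's keyIds is listed in
// accessKeys with the requested right. Unverified accounts are denied outright.
function hasRight(accountControl, targetDoc, right) {
  if (!RIGHTS.has(right)) throw new Error(`unknown right: ${right}`);
  if (accountControl.verified !== true) return false;
  const keyIds = (targetDoc.systemHeader && targetDoc.systemHeader.keyIds) || [];
  const grants = accountControl.accessKeys || [];
  return keyIds.some((k) =>
    grants.some((g) => g.keyId === k && (g.rights || []).includes(right))
  );
}

// Merge the user's attachKeys into a newly created document's keyIds
// (deduplicated) without mutating the input document.
function applyAttachKeys(accountControl, newDoc) {
  const header = newDoc.systemHeader || {};
  const keyIds = [...new Set([...(header.keyIds || []), ...(accountControl.attachKeys || [])])];
  return { ...newDoc, systemHeader: { ...header, keyIds } };
}

// Constructed sample, trimmed from the accountControl document shown above.
const sampleControl = {
  verified: true,
  accessKeys: [
    { keyId: "543c99dd2dafa7c211b38488", rights: ["Create", "Update", "Read"] },
    { keyId: "452dda8d6803fa98058b1236", rights: ["Read"] },
  ],
  attachKeys: ["0b9385c7-d73e-45a5-b9db-99f55d243807"],
};
// A document protected only by the read-only key.
const readOnlyDoc = { systemHeader: { keyIds: ["452dda8d6803fa98058b1236"] } };
// A document the user creates: the attach key is added alongside the key they chose.
const createdDoc = applyAttachKeys(sampleControl, {
  systemHeader: { keyIds: ["543c99dd2dafa7c211b38488"] },
});
```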
Disabling Email Notification
To disable email notifications for a user, set "disableEmailNotification": true in the accountControl document, as shown in the sample above. The account template must include the following component definition so that administrators can enable or disable this feature:
{
  "componentName": "sc-check-box",
  "name": "disableEmailNotification",
  "label": "Notify User of this change"
}
- Note: Disabling email notifications currently applies only to account activation emails; it will be extended to other user email notifications in future.
accountSecurity document
The accountSecurity document contains the following attributes.
Part | Description |
---|---|
password | The user's password, encrypted. |
provider | The passport provider, e.g. 'local', 'okta'. In the past this has held social media values such as google and facebook. |
apiKey | The apiKey for an API key login. This can exist in the same accountSecurity document as a password if an account is used for integrations as well as password login. |
apiHosts | The apiHosts for an apiKey login. |
accountRel | Link to the corresponding account document. This uses the same related document structure as for accountControl.accountRel. |
Account Templates
The account, accountControl and accountSecurity documents all need a configured template that they are written with. These template documentIds then need to be stored in the Formbird application configuration document:
Setting (under serverConfiguration) | Description |
---|---|
accountTemplateId | The documentId of the account template. |
accountControlTemplateId | The documentId of the accountControl template. |
accountSecurityTemplateId | The documentId of the accountSecurity template. |
These templates can be configured by the implementor. They may vary from implementation to implementation.
It is generally suggested that only high-level users (administrators) have edit access to the accountControl and accountSecurity templates.
accountRel field
The accountControl and accountSecurity templates both require a field that provides the link to the corresponding account document.
This uses a related document construct to link to an account. The related document construct is what is saved by an sc-related-document component or similar. It is an array structure, but must be limited to one entry.
Eg:
"accountRel": [
  {
    "documentId": "85100e90-2a6e-11e6-98b2-c32ee74e5f0f",
    "name": "User Account - johndavis@formbird.com"
  }
]
So any template for the accountControl document needs the singleSelection option set to true, e.g.:
{
  "componentName": "sc-related-document",
  "label": "Account",
  "mandatory": false,
  "name": "accountRel",
  "singleSelection": true, <<<<<< SINGLE SELECTION TRUE
  "fullWidth": false,
  "enabled": true,
  "filter": "{'query':{'bool':{'must':[{'term':{'systemHeader.systemType':'account'}}]}}}",
  "showDropDown": true
}
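An added example (not Formbird's own code) of a server-side check that enforces the one-entry accountRel rule described above before an accountControl or accountSecurity document is saved, so the constraint holds even for documents that did not come through the sc-related-document component. The error messages and the UUID-shape check on documentId are this example's own choices.

```javascript
// Shape of the documentIds used throughout this page (8-4-4-4-12 hex).
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns a list of validation errors for doc.accountRel; an empty list means valid.
function validateAccountRel(doc) {
  const errors = [];
  const rel = doc.accountRel;
  if (!Array.isArray(rel)) {
    errors.push("accountRel must be an array");
    return errors;
  }
  // singleSelection: true on the component enforces this in the UI; re-checking
  // it on the server keeps one control/security document tied to one account.
  if (rel.length !== 1) {
    errors.push(`accountRel must contain exactly one entry, got ${rel.length}`);
  }
  rel.forEach((entry, i) => {
    const id = entry && entry.documentId;
    if (typeof id !== "string" || !UUID_RE.test(id)) {
      errors.push(`accountRel[${i}].documentId is missing or not a UUID`);
    }
    const name = entry && entry.name;
    if (typeof name !== "string" || name.length === 0) {
      errors.push(`accountRel[${i}].name is missing`);
    }
  });
  return errors;
}

// Constructed samples: the single-entry link from the page, and a two-entry
// payload with a malformed second entry that the UI would never produce.
const goodDoc = {
  accountRel: [
    { documentId: "85100e90-2a6e-11e6-98b2-c32ee74e5f0f", name: "User Account - johndavis@formbird.com" },
  ],
};
const badDoc = {
  accountRel: [goodDoc.accountRel[0], { documentId: "not-a-uuid", name: "" }],
};
```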
AccountGroupConfig Document
The accountGroupConfig document is designed to store user-related application configuration and can be linked with multiple users. It provides a way to manage group-based settings or preferences shared across different user accounts.
To link it to a user, the accountGroupConfig document needs to be added to the accountGroupConfigRel field of the user's accountControl document.
An example of an account group configuration:
{
  "systemHeader": {
    "templateId": "74746c80-8378-11e6-99b1-71ee944cf59f",
    "systemType": "accountGroupConfig"
  },
  "documentId": "36bee7e4-6344-4fc1-82a7-f73cc95b0baf",
  "name": "Offline Group Config"
}
This can be linked to the user's accountControl document with the accountGroupConfigRel field:
{
  "documentId": "b334a702-12ab-11e8-94b9-cbba9a646574",
  "systemHeader": {
    "templateId": "54d96f610bc006eb84369a8d",
    "systemType": "accountControl"
  },
  "accountGroupConfigRel": [
    {
      "documentId": "36bee7e4-6344-4fc1-82a7-f73cc95b0baf",
      "name": "Offline Group Config"
    }
  ]
}