HomeSecurity & Governance › Security model overview

Security model overview

Purpose: How authentication and authorisation actually work across author and publish, and the defaults to verify.

Who this page is for

AudienceWhy it matters to you
All engineersThe mental model under every permissions question

Two very different tiers

AuthorPublish
UsersReal humans via SSO (SAML) + service usersMostly anonymous + service users; members if authenticated site
AuthZ concernWho may edit/publish whatWhat anonymous may READ
ExposurePrivate network onlyInternet-facing (behind dispatcher)

The publish-side question people forget: replicated ACLs decide what anonymous can read. Content that renders fine on author can 404 on publish (ACL not replicated / no anonymous read) or — worse — internal content can be readable because a broad allow went out with the tree.

Request → decision pipeline

Request → Authentication handler (SAML/token/basic/anonymous)
        → Session with principal + group memberships
        → Every repository access checked against ACLs (walk-up evaluation — nearest rule wins)
        → Render only what the session may read

There is no "the app checks permissions" layer to forget — Oak enforces on every read/write. Your job is correct ACLs and correct sessions (service users, not admin).

Defaults to verify on every environment

Quick navigation