Security

Practical, role-based security with clear controls for public and private content.

Bosca’s security model is simple to reason about and flexible enough for complex organizations. It’s built around four concepts:

  • Principals (users)
  • Credentials (passwords or OAuth2 providers)
  • Groups (roles)
  • Permissions (what groups can do)

Authentication options:

  • Bearer tokens (JWT), Basic Auth, or cookie-based sessions
  • OAuth2 providers are configurable (Google is enabled by default in application.yaml)

How permissions work:

  • Assign users (Principals) to Groups
  • Grant permissions to Groups (view, list, edit, manage, delete, execute)
  • Apply permissions to Collections, Metadata, and Workflows for fine-grained control

Public content controls:

  • Collections can be marked public or publicList to allow unauthenticated access when published
  • Metadata can be marked public, publicContent, or publicSupplementary
  • The public flags take effect only once a Workflow has moved the content into a Published state; unpublished content stays private regardless of its flags
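
Worked example. The TypeScript below is an added illustration, not Bosca's own code: it encodes the two rules above (group grants first, then public flags gated on the Published state) as one decision function over types that mirror the Principal, Group and Permission types in the technical reference. The Resource shape, its published field, the publicFlags list, the mapping of public to VIEW and publicList to LIST, and the authorize function are assumptions made for illustration; the groups, principal and collections are constructed sample data.

```typescript
// Added example (not Bosca's code): an authorization decision modelled on the
// Principal, Group and Permission types from the technical reference. The
// Resource shape, `published`, `publicFlags` and `authorize` are assumptions.

type PermissionAction = "DELETE" | "EDIT" | "EXECUTE" | "LIST" | "MANAGE" | "VIEW";

interface Group {
  id: string;
  name: string;
}

interface Principal {
  id: string;
  groups: Group[];
}

interface Permission {
  action: PermissionAction;
  groupId: string; // the page's Permission also carries the resolved `group`
}

type PublicFlag = "public" | "publicList";

// Hypothetical shape of a Collection (or Metadata item) as seen by the check.
interface Resource {
  id: string;
  permissions: Permission[]; // grants made to groups
  published: boolean;        // workflow state, reduced to a boolean here
  publicFlags: PublicFlag[]; // e.g. ["public"] or ["public", "publicList"]
}

// Assumed mapping: which public flag unlocks which action for unauthenticated
// callers. Metadata's publicContent / publicSupplementary would map the same
// way onto the respective downloads.
const ANONYMOUS_FLAG: Partial<Record<PermissionAction, PublicFlag>> = {
  VIEW: "public",
  LIST: "publicList",
};

function authorize(
  principal: Principal | null, // null = unauthenticated request
  resource: Resource,
  action: PermissionAction,
): boolean {
  // 1. Group grants: allowed if any group the principal belongs to holds the
  //    requested action on this resource. Publication state is irrelevant here.
  if (principal !== null) {
    const memberOf = new Set(principal.groups.map((g) => g.id));
    const granted = resource.permissions.some(
      (p) => p.action === action && memberOf.has(p.groupId),
    );
    if (granted) return true;
  }

  // 2. Public access: never for unpublished content, and only for the action
  //    the resource's flag unlocks. EDIT, MANAGE, DELETE and EXECUTE have no
  //    public flag, so they always need a group grant.
  if (!resource.published) return false;
  const flag = ANONYMOUS_FLAG[action];
  return flag !== undefined && resource.publicFlags.includes(flag);
}

// Constructed sample data.
const editors: Group = { id: "g-editors", name: "editors" };
const alice: Principal = { id: "u-alice", groups: [editors] };

const publishedPublic: Resource = {
  id: "c-news",
  permissions: [
    { action: "VIEW", groupId: editors.id },
    { action: "EDIT", groupId: editors.id },
  ],
  published: true,
  publicFlags: ["public"],
};

// Same grants and flags, but not yet published by a workflow.
const draftPublic: Resource = { ...publishedPublic, id: "c-draft", published: false };

console.log(authorize(null, publishedPublic, "VIEW"));  // true: public and published
console.log(authorize(null, publishedPublic, "LIST"));  // false: no publicList flag
console.log(authorize(null, draftPublic, "VIEW"));      // false: flag set, but draft
console.log(authorize(alice, draftPublic, "EDIT"));     // true: editors hold EDIT
console.log(authorize(alice, draftPublic, "DELETE"));   // false: no DELETE grant
```

Two properties are worth checking in any real deployment: the public path is evaluated only after the group path fails and only when the content is published, so flagging a collection as public can never expose a draft; and actions without a public flag fall through to a denial for anonymous callers rather than to a default allow.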

Why this helps organizations:

  • Clear separation of roles and actions reduces mistakes
  • Consistent, predictable rules across content types
  • Easy to review and audit access

Technical Reference (for developers)

Principal

# A user, together with the groups (roles) it has been assigned to.
type Principal {
    groups: [Group!]!
    id: String!
}

# A role. Permissions are granted to groups, not to principals directly.
type Group {
    id: String!
    name: String!
}

Permissions

# Actions a group can be granted on Collections, Metadata and Workflows.
enum PermissionAction {
    DELETE
    EDIT
    EXECUTE
    LIST
    MANAGE
    VIEW
}

# One grant: a single action for a single group. groupId is the id of group.
type Permission {
    action: PermissionAction!
    group: Group!
    groupId: String!
}
