Security

Enterprise-grade access control, tamper-evident audit logging, and compliance-ready reporting. Security is not a feature — it is the foundation.

Role-Based Access Control

Core implements a five-tier permission model with table-level, row-level, and column-level security. Every API request is validated against the caller's permission set before any data operation executes.

Permission Tiers

Tier    | Level       | Grants                                                                                        | Typical Role
Control | 5 (highest) | Full admin: manage users, roles, permissions, system configuration. Includes all lower tiers.  | Platform Admin
Create  | 4           | Create and delete tables, manage schemas, configure data quality rules and mirroring.         | Data Engineer
Write   | 3           | Write data to existing tables, execute bulk operations, create tombstones.                    | ETL Service
Read    | 2           | Query data, execute SQL, access OData and MCP endpoints. Subject to row/column filters.       | Analyst
Meta    | 1 (lowest)  | List tables, view schemas, check table metadata. No data access.                              | Catalog Viewer

Security Scopes

  • Table-Level: Permissions are assigned per table. A user may have Read access on sales and Write access on staging_sales.
  • Row-Level Security: Define SQL WHERE clauses that filter rows based on the caller's attributes. For example: region = '{user.region}' ensures users only see data for their assigned region.
  • Column-Level Security: Exclude sensitive columns from query results. Configure at the role level so analysts never see PII fields like ssn or email.
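The tier ordering and the three scopes above, worked through as an added example (this is illustration code, not Core's own implementation): a principal carries per-table grants, per-table excluded columns and per-table WHERE templates; a Read request is resolved to the columns it may return and the filter it must run under. The tier names and levels come from the permission table; the Principal class, the function names and the {user.<attr>} expansion rules are assumptions.

```python
# Added example (not the product's own code): a minimal model of the five-tier
# permission check, with table-level grants, row-level SQL WHERE templates and
# column-level exclusions. Tier names and levels follow the permission table on
# the page; class and function names are assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Tier levels from the permission table; a higher tier includes all lower ones.
TIERS = {"meta": 1, "read": 2, "write": 3, "create": 4, "control": 5}


@dataclass
class Principal:
    user_id: str
    # Caller attributes referenced by row filters, e.g. {"region": "EMEA"}.
    attributes: Dict[str, str]
    # table -> highest tier granted on that table (table-level security)
    table_grants: Dict[str, str] = field(default_factory=dict)
    # table -> columns that must never be returned (column-level security)
    excluded_columns: Dict[str, List[str]] = field(default_factory=dict)
    # table -> WHERE template such as "region = '{user.region}'" (row-level)
    row_filters: Dict[str, str] = field(default_factory=dict)


def has_tier(principal: Principal, table: str, required: str) -> bool:
    """Table-level check: the grant on `table` must be at least `required`."""
    granted = principal.table_grants.get(table)
    return granted is not None and TIERS[granted] >= TIERS[required]


_PLACEHOLDER = re.compile(r"\{user\.(\w+)\}")


def render_row_filter(principal: Principal, table: str) -> Optional[str]:
    """Expand {user.<attr>} placeholders in the table's WHERE template.

    The attribute value lands inside the template's own quotes, so any single
    quote in it is doubled; otherwise an attribute containing a quote could
    close the literal and change the filter. A missing attribute is an error
    rather than an empty match, which would silently widen the filter.
    """
    template = principal.row_filters.get(table)
    if template is None:
        return None

    def substitute(match):
        name = match.group(1)
        if name not in principal.attributes:
            raise PermissionError(f"row filter needs unknown attribute {name!r}")
        return str(principal.attributes[name]).replace("'", "''")

    return _PLACEHOLDER.sub(substitute, template)


def authorize_query(principal: Principal, table: str, requested_columns: List[str],
                    caller_where: Optional[str] = None) -> Tuple[List[str], Optional[str]]:
    """Resolve a Read request to the columns and WHERE clause it may run with."""
    if not has_tier(principal, table, "read"):
        raise PermissionError(f"{principal.user_id} has no Read grant on {table}")
    excluded = set(principal.excluded_columns.get(table, []))
    columns = [c for c in requested_columns if c not in excluded]
    if not columns:
        raise PermissionError("every requested column is excluded for this role")
    # The row filter is AND-ed in front of the caller's predicate and each side
    # is parenthesised, so an OR in the caller's clause cannot escape the filter.
    clauses = []
    row_filter = render_row_filter(principal, table)
    if row_filter:
        clauses.append(f"({row_filter})")
    if caller_where:
        clauses.append(f"({caller_where})")
    return columns, (" AND ".join(clauses) or None)


def demo_principal() -> Principal:
    """Constructed sample: an analyst with Read on sales and Write on staging_sales."""
    return Principal(
        user_id="analyst-7",
        attributes={"region": "EMEA"},
        table_grants={"sales": "read", "staging_sales": "write"},
        excluded_columns={"sales": ["ssn", "email"]},
        row_filters={"sales": "region = '{user.region}'"},
    )
```

Two details are worth checking in any real implementation of this model: the Write grant on staging_sales satisfies a Read check because tiers are cumulative, and the rendered row filter is combined with the caller's own predicate by AND with both sides parenthesised, so the filter cannot be bypassed by the shape of the caller's SQL.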

Audit Logging

Every operation in Core is recorded in a tamper-evident audit log. SHA-256 hash chains ensure that no entry can be modified or deleted without detection. The dual-tier architecture provides both real-time access and long-term archival.

Dual-Tier Architecture

  • Tier 1 — Redis Streams: Real-time ingestion with sub-millisecond writes. Used for live monitoring, recent queries, and compliance dashboards. Automatic rotation and compaction.
  • Tier 2 — Parquet Archives: Periodic flush from Redis to compressed Parquet files in object storage. Immutable, versioned, and queryable with SQL. Designed for 7-year regulatory retention.

Hash Chain Integrity

Each audit entry includes a SHA-256 hash computed from the entry's content concatenated with the previous entry's hash. This creates a tamper-evident chain — modifying or deleting any entry breaks the chain and is immediately detectable during verification.

Structured Fields (21 fields per entry)

timestamp
event_type
user_id
user_name
org_id
service
operation
resource_type
resource_id
table_name
version
row_count
byte_size
duration_ms
status_code
ip_address
user_agent
trace_id
hash
prev_hash
metadata
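The hash chain described under Hash Chain Integrity, applied to entries with the 21 fields listed above, as an added example (illustration code, not Core's own audit implementation): each entry's hash is SHA-256 over its canonical content followed by the previous entry's hash, and the verifier reports the first entry whose hash or link fails. The field names follow the page; the canonical JSON encoding, the all-zero GENESIS value, the head-hash check and the function names are assumptions.

```python
# Added example (not the product's own code): an append-only audit log whose
# entries carry the 21 structured fields and are linked by SHA-256 hashes, plus
# a verifier that reports the first entry whose hash or prev_hash no longer
# checks out. Field names follow the page; the canonical JSON encoding, the
# GENESIS value and the function names are assumptions.
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

FIELDS = (
    "timestamp", "event_type", "user_id", "user_name", "org_id", "service",
    "operation", "resource_type", "resource_id", "table_name", "version",
    "row_count", "byte_size", "duration_ms", "status_code", "ip_address",
    "user_agent", "trace_id", "hash", "prev_hash", "metadata",
)
CONTENT_FIELDS = tuple(f for f in FIELDS if f not in ("hash", "prev_hash"))
GENESIS = "0" * 64  # prev_hash of the very first entry (assumed convention)


def entry_hash(entry: Dict[str, Any]) -> str:
    """SHA-256 over the canonical content followed by the previous entry's hash."""
    content = {k: entry.get(k) for k in CONTENT_FIELDS}
    payload = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload + entry["prev_hash"].encode()).hexdigest()


def append_entry(log: List[Dict[str, Any]], fields: Dict[str, Any]) -> Dict[str, Any]:
    """Normalise to the 21-field schema, link to the tail, compute and store the hash."""
    entry = {k: fields.get(k) for k in FIELDS}
    entry["prev_hash"] = log[-1]["hash"] if log else GENESIS
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) for an intact chain, else (False, index of first bad entry).

    Each stored hash must recompute from its content, and each prev_hash must
    equal the hash actually stored on the previous entry. Removing the last
    entry leaves a valid shorter chain, so a head hash recorded elsewhere
    (`expected_head`) is needed to catch truncation; index len(log) marks that.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev or entry_hash(entry) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(log)
    return True, None


def sample_log() -> List[Dict[str, Any]]:
    """Constructed sample: three query events from one analyst session."""
    log: List[Dict[str, Any]] = []
    base = {
        "event_type": "query", "user_id": "u-42", "user_name": "analyst",
        "org_id": "org-1", "service": "core", "operation": "SELECT",
        "resource_type": "table", "resource_id": "t-7", "table_name": "sales",
        "version": 3, "byte_size": 4096, "status_code": 200,
        "ip_address": "10.0.0.5", "user_agent": "cli/1.0", "metadata": {},
    }
    events = [("2024-01-01T10:00:00Z", 120, 12),
              ("2024-01-01T10:00:05Z", 7, 3),
              ("2024-01-01T10:00:09Z", 0, 1)]
    for n, (ts, rows, ms) in enumerate(events):
        append_entry(log, {**base, "timestamp": ts, "row_count": rows,
                           "duration_ms": ms, "trace_id": f"tr-{n}"})
    return log


def tampered(log: List[Dict[str, Any]], index: int, name: str, value: Any) -> List[Dict[str, Any]]:
    """Deep copy with one field silently changed and the stored hash left as is."""
    bad = copy.deepcopy(log)
    bad[index][name] = value
    return bad
```

Modifying a field in the middle of the chain fails the recomputation at that entry; deleting a middle entry fails the prev_hash link at the entry that followed it. Deleting the tail entry is the one case the chain alone cannot see, which is why the verifier also accepts a head hash recorded outside the log (for instance at the point the Redis tier is flushed to the Parquet archive).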

Encryption

Sensitive fields within audit entries are encrypted using Fernet (AES-128-CBC + HMAC-SHA256) before storage. This includes user identifiers, IP addresses, and query text in compliance-sensitive environments.
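Field-level encryption of an audit entry before storage, as an added example using Fernet from the Python `cryptography` package (illustration code, not Core's own implementation). The set of sensitive fields follows the paragraph above (user identifiers, IP address, query text); keeping the query text under metadata["query"], the function names and the key handling are assumptions.

```python
# Added example (not the product's own code): encrypting the sensitive fields of
# an audit entry with Fernet (AES-128-CBC + HMAC-SHA256) from the `cryptography`
# package before the entry is stored. The set of sensitive fields follows the
# page; placing the query text under metadata["query"], the function names and
# the key handling are assumptions.
from typing import Any, Dict

from cryptography.fernet import Fernet, InvalidToken

SENSITIVE_FIELDS = ("user_id", "user_name", "ip_address")


def encrypt_entry(entry: Dict[str, Any], fernet: Fernet) -> Dict[str, Any]:
    """Return a copy in which each sensitive value is replaced by a Fernet token.

    Tokens are kept as ASCII strings so the entry stays JSON-serialisable; every
    other field is left in clear so it remains queryable without the key.
    """
    stored = dict(entry)
    for name in SENSITIVE_FIELDS:
        if stored.get(name) is not None:
            stored[name] = fernet.encrypt(str(stored[name]).encode()).decode("ascii")
    meta = dict(stored.get("metadata") or {})
    if meta.get("query") is not None:
        meta["query"] = fernet.encrypt(meta["query"].encode()).decode("ascii")
    stored["metadata"] = meta
    return stored


def decrypt_entry(stored: Dict[str, Any], fernet: Fernet) -> Dict[str, Any]:
    """Inverse of encrypt_entry. Raises InvalidToken when the key is wrong or a
    token was altered; Fernet checks the HMAC before it decrypts anything."""
    entry = dict(stored)
    for name in SENSITIVE_FIELDS:
        if entry.get(name) is not None:
            entry[name] = fernet.decrypt(entry[name].encode("ascii")).decode()
    meta = dict(entry.get("metadata") or {})
    if meta.get("query") is not None:
        meta["query"] = fernet.decrypt(meta["query"].encode("ascii")).decode()
    entry["metadata"] = meta
    return entry


def can_decrypt(stored: Dict[str, Any], fernet: Fernet) -> bool:
    """True if every sensitive token in `stored` verifies under `fernet`."""
    try:
        decrypt_entry(stored, fernet)
        return True
    except InvalidToken:
        return False


# Constructed sample entry; non-sensitive fields kept to a few for brevity.
SAMPLE_ENTRY = {
    "timestamp": "2024-01-01T10:00:00Z", "event_type": "query",
    "user_id": "u-42", "user_name": "analyst", "ip_address": "10.0.0.5",
    "table_name": "sales", "status_code": 200,
    "metadata": {"query": "SELECT id, amount FROM sales WHERE region = 'EMEA'"},
}
```

Fernet tokens include a random IV, so encrypting the same value twice yields different tokens; when an entry also participates in a hash chain, the chain hash in this example would be computed over the stored (encrypted) form, so that verification does not require the key. Whether Core hashes the clear or the encrypted form is not stated on the page.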

Retention

  • Redis Streams: configurable retention (default 30 days)
  • Parquet Archives: configurable retention (default 7 years)
  • Export: JSON-lines and CSV formats for external SIEM and compliance tools

Compliance-Ready

Built-in support for DORA incident reporting and SOC2 evidence export.

DORA Incident Reports

Structured incident creation, escalation workflows, and timeline recording. Export-ready for regulatory submissions with complete audit context.

SOC2 Evidence Export

Generate evidence packages for SOC2 audits: access control records, change logs, encryption configurations, and system health metrics.

Flexible Export

Export audit data as JSON-lines or CSV for integration with external compliance tools, SIEM platforms, and data warehouses.

Need the Identity Layer?

Gatekeeper provides OAuth2/OIDC, SCIM 2.0, MFA, and zero-trust service authentication.