Entity Associations
Overview
ULM entities are linked to each other using associations defined by permission flags and, in some cases, attributes.
Associations can be one-to-one (one user to one account) or one-to-many (one user to an account, a group, several subscriptions, and so on). Every association has an owner entity and a target entity; the association defines the permission or access the owner entity has to the target entity (for example, a User to an Account). Only User, Runtime, and Group entities can be owners; any other entity can be a target.
Attributes
As with primary ULM entities, attributes may be added to an association to describe the relationship between the two entities more precisely. For example, if a user configures Multi-Factor Authentication (MFA) and opts to trust a device during an MFA check, that trust is recorded as an attribute on the User-to-Runtime association.
Association Flags
Every association carries a set of association flags. Each flag is a permission switch that can be toggled on or off; together they define what the owner entity can do to the target entity.
For example: Hank pays for a music streaming service. In ULM Cloud, Hank's User entity is associated to the ULM Account, Subscription, and Feature entities that represent the streaming account and service. The association flags between the User entity and the Subscription entity enable Hank to listen to music (read flag), add music to a playlist (write flag), or delete existing playlists or favorites (delete flag).
Now suppose Hank adds his friend Dale to his user group and shares access to his streaming service with Dale. Dale's User entity is then associated to the same Subscription or Feature entity as Hank's, but the flags on that association only permit listening to music (read flag), not writing or deleting.
There are two permission sets: primary user and regular user. Note that mint.role carries the role name rather than an on/off value.

A primary user's association carries the following flags:

| Primary User Permissions |
|---|
| mint.permission.delete |
| mint.permission.read |
| mint.enabledByUser |
| mint.permission.write |
| mint.permission.execute |
| mint.role -> mint.role.primary |

A regular user's association carries the following flags (no write or delete permission):

| Regular User Permissions |
|---|
| mint.permission.read |
| mint.enabledByUser |
| mint.permission.execute |
| mint.role -> mint.role.user |
Account/Subscription/Feature Associations
Most ULM entities exist independently of each other before they are associated, and much of the ULM documentation uses simplified entity-relationship diagrams that reflect this.
The exception to this rule is the account/subscription/feature chain: a ULM Feature cannot exist without a parent ULM Subscription, and a Subscription cannot exist without a parent ULM Account. These are still associations, but the relationship between accounts, subscriptions, and features is closer to containment or ownership. The following diagram is a slightly more accurate version of the diagram in the Overview section above.
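The following Python sketch is an added example, not ULM's own code or API. It models the rules stated on this page in one place: only User, Runtime and Group entities can own an association, the primary and regular user flag sets from the tables above, an attribute on a User-to-Runtime association, and the rule that a Feature needs a parent Subscription and a Subscription a parent Account. The Registry class, the function names, the "mfa.trustedDevice" attribute name and the treatment of mint.enabledByUser as a switch that must be on are assumptions; the entity names are constructed sample data.

```python
# Added example modelling ULM-style entity associations; not ULM's own code.
# Flag names, entity kinds and rules come from the page; the classes,
# function names and the "mfa.trustedDevice" attribute are assumptions.
from dataclasses import dataclass, field

OWNER_KINDS = {"User", "Runtime", "Group"}  # the only kinds allowed to own an association
REQUIRED_PARENT = {"Feature": "Subscription", "Subscription": "Account"}  # containment rule

# Permission sets from the tables above: each flag is an on/off switch,
# except mint.role, which carries the role name.
PRIMARY_FLAGS = {"mint.permission.read", "mint.permission.write", "mint.permission.delete",
                 "mint.permission.execute", "mint.enabledByUser"}
REGULAR_FLAGS = {"mint.permission.read", "mint.permission.execute", "mint.enabledByUser"}
ROLE_FLAGS = {"mint.role.primary": PRIMARY_FLAGS, "mint.role.user": REGULAR_FLAGS}


@dataclass(frozen=True)
class Entity:
    kind: str
    name: str


@dataclass
class Association:
    owner: Entity
    target: Entity
    flags: dict = field(default_factory=dict)       # flag name -> bool (mint.role -> str)
    attributes: dict = field(default_factory=dict)  # extra facts about the link, e.g. MFA trust


class Registry:
    """In-memory store of entities, their containment parents and their associations."""

    def __init__(self):
        self.entities, self.parent, self.associations = set(), {}, []

    def add_entity(self, kind, name, parent=None):
        needed = REQUIRED_PARENT.get(kind)
        if needed and (parent is None or parent.kind != needed or parent not in self.entities):
            raise ValueError(f"{kind} {name!r} cannot exist without a registered parent {needed}")
        entity = Entity(kind, name)
        self.entities.add(entity)
        if parent is not None:
            self.parent[entity] = parent
        return entity

    def associate(self, owner, target, role, attributes=None):
        """Link owner to target with the flags implied by role (a ROLE_FLAGS key)."""
        if owner.kind not in OWNER_KINDS:
            raise ValueError(f"a {owner.kind} entity cannot own an association")
        if owner not in self.entities or target not in self.entities:
            raise ValueError("both ends of an association must be registered")
        flags = {name: True for name in ROLE_FLAGS[role]}
        flags["mint.role"] = role
        assoc = Association(owner, target, flags, dict(attributes or {}))
        self.associations.append(assoc)
        return assoc

    def association(self, owner, target):
        return next((a for a in self.associations if a.owner == owner and a.target == target), None)

    def permitted(self, owner, target, action):
        """True when the direct owner->target association has mint.permission.<action>
        switched on. Assumption: mint.enabledByUser must also be on. The page does not
        say permissions flow through containment, so none are inherited here."""
        assoc = self.association(owner, target)
        if assoc is None or assoc.flags.get("mint.enabledByUser") is not True:
            return False
        return assoc.flags.get(f"mint.permission.{action}") is True


def rejects(fn, *args, **kwargs):
    """True if fn raises ValueError; shows the model refusing an invalid entity or link."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


def streaming_scenario():
    """Hank and Dale from the page: Hank is the subscription's primary user, Dale gets
    shared read-only access. Entity names are constructed sample data."""
    reg = Registry()
    account = reg.add_entity("Account", "hank-account")
    subscription = reg.add_entity("Subscription", "music-streaming", parent=account)
    reg.add_entity("Feature", "playlists", parent=subscription)
    hank, dale = reg.add_entity("User", "hank"), reg.add_entity("User", "dale")
    phone = reg.add_entity("Runtime", "hank-phone")
    reg.associate(hank, subscription, "mint.role.primary")
    reg.associate(dale, subscription, "mint.role.user")
    # MFA device trust is recorded as an attribute on the User-to-Runtime association.
    reg.associate(hank, phone, "mint.role.primary", attributes={"mfa.trustedDevice": True})
    return reg, hank, dale, subscription, phone
```

With this model, `permitted(hank, subscription, "delete")` is true while `permitted(dale, subscription, "delete")` is false, because Dale's association was minted with the regular user flag set; flipping `mint.permission.read` to `False` on Dale's association revokes even his listening access, which is the on/off switch behaviour the page describes. Creating a Feature with no Subscription, or a Subscription whose parent is not an Account, raises, as does trying to make a Subscription the owner of an association.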