C3 Agentic AI Platform Security Terms and Definitions
A foundation in security and cryptography terms and C3 AI security-related Types is essential to understanding the secure transactions and communication offered by the C3 Agentic AI Platform.
Authentication
Authentication confirms that users are who they say they are. All authentication-related functionality is currently mapped to the Authenticator Type in the C3 Agentic AI Platform.
Authentication: The process of identifying who is attempting to access resources on the C3 Agentic AI Platform. Users can authenticate to the platform using various mechanisms listed below.
IdentityProvider (IdP): IdPs are entities that manage users, credentials (for example, passwords, keys) and other attributes, such as groups or roles. See the IdentityProvider Type for more information.
Usually, all information related to group assignment of users on the C3 Agentic AI Platform would be fetched from the external IdP, but the platform can also have its own internal user management system that allows Users to be added to UserGroups.
Identity Provider (IdP) Single Sign-On (SSO): IdP-initiated SSO is a type of SSO where the authentication process is initiated by the IdP, rather than by the service provider (SP). In this case, the user first logs into the IdP and is then redirected to the SP, where they are granted access without having to enter their login credentials again.
An example of this would be an employee of a company logging into their company's IdP (for example, Okta) and then being able to access multiple applications, such as Salesforce, Slack, and NetSuite, without having to enter their login credentials again. This is possible because all these applications are integrated with the company's IdP.
Lightweight Directory Access Protocol (LDAP): An authentication protocol that helps users find data about organizations, persons, and more. LDAP has two main goals: to store data in the LDAP directory and to authenticate users to access the directory. It also provides the communication language that applications require to send and receive information from directory services. A directory service provides access to where information on organizations, individuals, and other data is located within a network. The authentication process follows a client-server model, and it consists of these key players: Directory System Agent (DSA), Directory User Agent (DUA), Distinguished Name (DN), and Relative Distinguished Name (RDN). See the LdapIdp Type for more information.
OpenID Connect (OIDC): OIDC is an authentication layer protocol built on top of the OAuth 2.0 framework. OIDC securely authenticates a user against an IdP and redirects the user to the C3 Agentic AI Platform after the authentication is successful. User credentials are never exposed to the C3 Agentic AI Platform. This protocol is mapped to the Oidc Type in the C3 Agentic AI Platform.
OpenID Provider (OIDP): An OpenID Provider is a service that authenticates users and provides them with an OpenID, which is a unique identifier that can be used to authenticate the user across different websites. An OpenID Provider allows users to use a single set of login credentials (username and password) to access multiple websites, without having to create a separate account for each one.
An example of an OpenID Provider is Microsoft. When users sign in to their Microsoft account, they are given an OpenID that they can use to authenticate themselves on other websites that support OpenID, such as GitHub.com or Confluence. This way, users don't have to create and remember multiple sets of login credentials for different websites; they can just use their Microsoft account.
This is because these two are OpenID Providers and have gone through the process of certifying themselves so that other third-party applications can trust their user management.
Security Assertion Markup Language (SAML): SAML is an open standard for authentication. Like OIDC, it authenticates a user against an IdP and redirects the user to the C3 Agentic AI Platform after the authentication is successful. This protocol is mapped to the Saml Type in the C3 Agentic AI Platform. See the Saml Type for more information.
SAML Response: A SAML Response is a message that is sent from the IdP to the SP containing authentication and authorization information about a user, in response to a SAML Authentication Request. For example, a user tries to access a service provided by a company (the SP), and the company uses an Identity Provider (IdP) for authentication. When the user tries to access the service, the SP sends a SAML Authentication Request to the IdP asking for the user's authentication. If the user is successfully authenticated, the IdP sends a SAML Response to the SP containing information about the user, such as their username, email address, and group membership, along with an assertion that the user is authenticated. The SP then uses this information to grant the user access to the service.
Single Sign-On (SSO): SSO is a method of authentication that allows users to access multiple applications with a single set of login credentials (username and password). An example of SSO is a user or employee logging into an organization's account, which gives them access to the company email, the company's cloud storage provider, and other company services without having to enter their password multiple times. This is made possible by the fact that all these services are integrated with the company or organization's SSO system.
Authorization
Authorization gives users permission to access a resource. Within the C3 AI ecosystem it involves the decision to approve or reject the execution of C3 AI Actions that were invoked by a user.
Authorizer: The C3 AI system that performs authorization. Refer to the Authorizer Type for more information.
Data Permissions: An expression that defines a filter on a Permission for data access. Refer to the DataPermission Type for more information.
OAuth: An authorization delegation protocol that allows third-party clients to access the C3 Agentic AI Platform on behalf of the users. This protocol is mapped to OAuth in the C3 Agentic AI Platform. See the OAuth Type for more information.
Permissions: These define C3 AI actions that can or cannot be performed. Refer to the Permission Type for more information.
Authentication and authorization tokens
An authentication token is issued by the C3 Agentic AI Platform to a user after the user is authenticated successfully. In the case of the Basic Auth workflow, a user provides credentials and the C3 Agentic AI Platform responds with an authentication token after verifying the user-provided credentials.
Various types of authentication tokens used in the C3 Agentic AI Platform are defined below.
Access token: In the context of OAuth 2.0 and OIDC, a security token used by an application to call an API.
JSON Web Token (JWT): A JWT, Jwt, is a compact, URL-safe means of representing claims to be transferred between two parties. It is often used to authenticate and authorize users in web applications and APIs. A JWT is a JSON object that is encoded and signed by the server, and then decoded and verified by the client. A JWT is composed of three parts: header, payload, and signature.
An example of how a JWT can be used: A user logs into a web application using their username and password. The server authenticates the user and generates a JWT that contains information about the user, such as their user ID, name, and permissions. The JWT is then sent to the client, usually in the form of an HttpOnly, Secure cookie, where it is stored. The client can then use the JWT to authenticate itself to the server for subsequent requests by including the JWT in the Authorization header of the HTTP requests. The server then decodes and verifies the JWT and checks the claims inside it. If the claims are valid, the server provides the requested resource to the client; otherwise, it returns an error.
Session Token: An authentication token that allows a user to access the C3 Agentic AI Platform for a short period of time (for example, 24 hours). This is mapped by SessionToken in the C3 Agentic AI Platform.
Configuration
Config: A hierarchical, high-performance object that represents some form of configuration for a user, application, environment, or cluster. Configs are intended to be persisted. Refer to the Config Type for more information.
Config Store: The ConfigStore is a representation of the file system that configs reside in. The config store's directory structure supports the writing and reading of configs in a hierarchical manner.
C3 AI Vault: Representation of the file system that secrets reside in. Synonymous with the Config Store, but only for secrets.
ConfigOverride: The level the config object, ConfigOverride, can be applied to. The levels from lowest to greatest domain size are USER, APP, ENV, CLUSTER, ROOT. For example, two different configs with the same ID set at an ENV override on two different environments cannot reference the same config object.
Ann.Config: Annotations that you can place on any config subtype *.c3typ file. Annotations declare information about the config, such as setting a minimum or maximum override or declaring secret fields. See the Ann.Config Type for more information.
User management
User management enables administrators to grant and manage user access and control user accounts.
AppIdentities: These are Users. The term refers to the User entity that represents an app on a different app that the first app has access to perform actions on.
Identity Provider (IdP): An entity which manages users, credentials (for example, passwords, keys) and other attributes, such as groups. The functionality of the IdP is mapped to the IdentityProvider Type in the C3 AI Platform.
Role: A Role is a collection of Permissions and Data Permissions.
Roles can also reference other Roles. These referenced roles are considered nested roles of the parent role. The parent role can inherit all permissions and data permissions of its nested roles.
Certain Roles have special privileges. Specifically, some platform roles have their own security levels that define their relative hierarchy. Platform roles with a security level may not modify roles with a numerically lower security level than their own. These roles are called Security Level Roles. Roles cannot have nested Roles that are Security Level Roles. Attempting to create a role that violates this rule results in an error.
Roles' permissions are OR'd across each other and AND'd within the role.
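The nesting and security-level rules from the Role entry, as an added simplified model (not C3 AI code and not the platform's Type API). The `Role` class, function names, permission strings and role IDs are constructed; treating roles without a security level as outside the modification rule is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Role:
    id: str
    permissions: Set[str] = field(default_factory=set)
    nested: List["Role"] = field(default_factory=list)  # referenced (nested) Roles
    security_level: Optional[int] = None                 # set only on Security Level Roles

def validate(role):
    """Creation-time check: a Role may not nest a Security Level Role."""
    for child in role.nested:
        if child.security_level is not None:
            raise ValueError(f"{role.id}: nested role {child.id} is a Security Level Role")

def effective_permissions(role, _seen=None):
    """Own permissions plus those inherited from nested roles, safe against cycles."""
    seen = _seen if _seen is not None else set()
    if role.id in seen:        # already visited: stop instead of recursing forever
        return set()
    seen.add(role.id)
    perms = set(role.permissions)
    for child in role.nested:
        perms |= effective_permissions(child, seen)
    return perms

def blocked_by_security_level(actor, target):
    """True when the target's level is numerically lower than the actor's."""
    if actor.security_level is None or target.security_level is None:
        return False           # assumption: the rule only covers roles that carry a level
    return target.security_level < actor.security_level

# Constructed sample roles
viewer = Role("demo.Viewer", {"Report:read"})
editor = Role("demo.Editor", {"Report:write"}, nested=[viewer])
level_one = Role("demo.LevelOne", security_level=1)
level_two = Role("demo.LevelTwo", security_level=2)
```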
User: A User is an entity who intends to consume services offered by the C3 AI Server. The functionality of this entity is mapped to the User Type in the C3 Agentic AI Platform. Users may be part of different UserGroups, and would inherit the roles that are associated with each UserGroup. Only users in the user-admin group and above can modify users. Regular security level restrictions apply.
User entries should not contain authentication information (such as passwords and public keys). If you need to store this information, it must be done on a separate Type (for instance, UserCredentials.BasicAuth, or UserCredentials.KeyAuth).
UserGroup: UserGroups are collections of Users. UserGroups are intended to reflect group assignments on the IdP. Each UserGroup must be associated with exactly one Role that shares the same ID. The UserGroup's bound Role can have multiple roles using nested Roles. UserGroups associated with roles with a security level must still follow regular security level restrictions.
Session
Session Id: A randomly generated nonce which enables a C3 AI Server to identify a user session in shared memory. The session identifier is part of the session token, which is returned to the user by the C3 Agentic AI Platform after authentication. For more information, see the SessionToken Type.
User Session: A memory object shared by all nodes running an application in an environment, consisting of user attributes that allow continuous access to a C3 AI Server. Note that this is an ephemeral object which is valid for a short period of time (for instance, 24 hours) and must be created only after the user is authenticated. This object is mapped by the User.Session Type in the C3 Agentic AI Platform.
Cache
Cache: The data structure used to temporarily persist data in memory for low latency access. Refer to the Cache Type for more information.
Cached: A Type whose objects are stored in a Type-specific Cache and are invalidated when needed. See the Cached Type for more information.
Cache.Invalidator: The CacheMessage dispatcher and receiver, Cache.Invalidator.
Access control list (ACL)
An ACL is a list of permissions or access rights that are associated with a particular resource, such as a file, folder, or network share. ACLs are used to control access to resources by determining which users or groups are granted permission to perform specific actions, such as read, write, execute, or delete.
AclEnabled: A Type, AclEnabled, whose objects have their own defined ACL (access control list), which specifies the access permissions of a specific AccessControlEntity.
AclPrivilege: Privileges, AclPrivilege, that control system generated ACLs for a Type. These privileges determine what ACL entries are created.
EnableAclPrivilege: Used to enable enforcement of AclEnabled Types, EnableAclPrivilege.
ConfigAclEnabled: A Config Type, ConfigAclEnabled, whose access to data is authorized by AclEnabled.
AclEntry: An instance of an ACL Entry, AclEntry, which has knowledge of its permissions.
Encryption
Crypto Key Pair: A crypto key pair is a set of two cryptographic keys, a private key and a public key, that are used for encrypting and decrypting data and for creating and verifying digital signatures. The private key is used for decrypting data and for creating digital signatures, and must be kept secret. The public key is used for encrypting data and for verifying digital signatures, and can be made public.
An example of how a crypto key pair can be used: A user wants to send an email to another user in a secure way. The user generates a crypto key pair and sends the public key to the other user. The user then uses the private key to encrypt the email and sends it to the other user. The other user receives the email and uses the public key to decrypt it. The other user can also use the public key to verify the digital signature of the email to ensure that it was indeed sent by the user and not by someone else. Another example is an SSL/TLS certificate. In this case, the certifying authority can provide the public key and the website owner can keep the private key securely. When a user visits the website, the browser can use the public key to encrypt a message, and the server can then use the private key to decrypt the message. This ensures the authenticity of the website, and the communication between the browser and the server can be secured using the public key for encryption.
Crypto Private Key: A crypto private key is a secret value that is used for decrypting data and for creating digital signatures. It is an integral part of a crypto key pair, along with the public key. The private key is used to decrypt data that has been encrypted with the corresponding public key and to create digital signatures that can be verified using the corresponding public key. It must be kept secret and protected, as anyone with access to the private key can decrypt the data and create digital signatures that appear to be from the owner of the key.
A private key is typically generated and stored securely on the client device, or in a hardware security module (HSM) or key management service (KMS), and should be protected with a password or a PIN. It can also be stored in an encrypted format to add an additional layer of security.
In summary, a private key is used to provide authenticity and confidentiality to the communication and digital signature. It should be kept secret and protected to avoid unauthorized access or misuse.
Crypto Public Key: A crypto public key is a value that is used for encrypting data and for verifying digital signatures. It is an integral part of a crypto key pair, along with the private key. The public key is used to encrypt data that can only be decrypted by the holder of the corresponding private key and to verify digital signatures that have been created using the corresponding private key. Public keys can be shared freely and are often published in a public directory or distributed in the form of a certificate.
A public key is typically generated along with the private key and is used to encrypt data or messages that are sent to the holder of the corresponding private key. It is also used to verify digital signatures created by the holder of the corresponding private key.
In summary, a public key is used to provide confidentiality to the communication and authenticity to digital signatures. It can be shared publicly without any risk, as anyone can use it to encrypt messages or verify digital signatures, but it cannot be used to decrypt messages or create digital signatures.