6. Groups
BayunSDK provides public APIs for secure group-based data-access and basic group-management. Every group has its own secret-key that is unique for the group, and is accessible only to the members of that group. This shared group-key is used to encrypt the messages that are locked with encryption-policy of group, and also authenticate members, and control access to group resources. Since nobody other than group-members have access to the group's secret-key, only those belonging to the group will be able to access data encrypted with group-policy tied to that specific groupId.
Note that the main purpose of Groups functionality in Bayun framework is to enable enforcement of arbitrary data-access policies that are cryptographically tied to the data, and without burdening the developer with the headaches of key-management for the same. The framework provides only basic group-management functions for creating, modifying, and deleting a group in such a way that the developer can optionally create stricter access-control mechanisms for group-management if so desired, depending on the use-case at hand. For example, the Bayun framework treats every existing member of the group equally for group-management privileges, including the ability to add/remove other members, or delete the group. The developer can always build, or enforce, finer-grained group-management functionality on top of this, e.g. by introducing the notion of group-owner or group-admins with privileged access-rights etc.
Group Types
Group type is defined when creating a new group. GroupType is an enum type and has following values:
GroupType_Public
: The group is public to the organization. Any employee of the organization can join this group, and hence get access to the shared group-key. The group's secret-key is kept encrypted in every member's own lockbox as well as kept encrypted with company's own secret-key, so that nobody outside the company can get access to it. An existing member, who already has access to the group-key, can add any other members to the group (even those outside the company).
GroupType_Private
: The group is private and accessible only to the existing members of the group. The group's secret-key is kept encrypted in every member's own lockbox only. An existing member can add anyone else to the member-list of the group, irrespective of whether they belong to the same company or not.
Group APIs
Here is the list of Group APIs :
6.1 Create Group
6.2 Get My Groups
6.4 Get Unjoined Public Groups
6.5 Get Group By Id
6.6 Add Group Member
6.8 Leave Group
6.9 Delete Group
Where to go from here?
The sample implementation for Group APIs can be found in the test.py, on Github.
Last updated