Identity & Auth

FullFabric uses a layered security model to control who can access the platform and what they can do. Authentication verifies your identity (who you are), while authorization determines your permissions (what you can do).

Every request passes through these layers:

flowchart LR
    A[Request] --> B{Authenticated?}
    B -->|No| C[Login Page]
    B -->|Yes| D{Feature Enabled?}
    D -->|No| E[403 Forbidden]
    D -->|Yes| F{Authorized?}
    F -->|No| E
    F -->|Yes| G[Access Granted]

Key Concepts

Term	Definition
Module	A top-level capability group that can be enabled or disabled per institution (e.g., Applications, Academic Affairs). Features require their parent module to be enabled.
Feature	A named permission that gates access to specific actions. Features are assigned to roles.
Profile	A user account in FullFabric. Every person interacting with the platform has a profile.
Role	A role assigned to a profile. Profiles can have multiple roles.
Data Access Scope	A filter that restricts which programmes, classes, and courses a staff member can see.
Schema Permission	Field-level control over who can view or edit individual fields on forms and profiles.
API Token	A token for external integrations, with its own lifecycle (active, suspended, revoked, expired).

Authentication