Authentication and Authorization

​

Overview

CNAP provides a robust and flexible authentication and authorization system that adapts to the diverse and evolving needs of its users. Unlike traditional platforms with rigid user roles, CNAP embraces a fluid user model where capabilities and access are determined by entitlements and trust profiles.

​

Key Concepts

• Unified User Model: Every CNAP user starts with the same base capabilities, with the potential to expand their access and functionality over time.
• Entitlement-based Access: Specific features or capabilities are unlocked through entitlements.
• Trust Profiles: Users can gain additional trust and capabilities based on verified credentials or achievements within the ecosystem.
• Dynamic UI: The user interface adapts to show relevant features and shortcuts based on recent activity and pinned items, reducing clutter while maintaining full potential access.

​

Entitlements and Trust Profiles

Entitlements in CNAP are not just about granting access; they’re about building trust and enabling capabilities safely. For example, while any user can potentially become an infrastructure provider, certain high-trust actions might require additional verification.

Consider a scenario where a user wants to offer infrastructure for a specific application found on Artifacthub. CNAP might require this user to prove ownership of that Artifacthub application, granting them a specific trust badge. This badge then entitles them to provide infrastructure for that particular application, ensuring that only verified and trusted providers can offer services for sensitive or critical applications.

This entitlement system is flexible and granular. It allows CNAP to maintain high security standards while still enabling users to expand their capabilities. For instance, a provider might start with limited offerings and gradually gain more entitlements as they demonstrate reliability and security in their services.

​

Provider Capability Filters

CNAP implements a sophisticated system of filters to manage provider capabilities:

• Highly Restrictive Initial Filters: New providers start with extremely strict filters that significantly limit their capabilities. These filters initially block most potential actions, allowing providers to offer services only for a very narrow range of applications or to a highly limited user base. This approach ensures maximum security and control for new or unproven providers.

• Gradual Filter Relaxation: As providers demonstrate reliability, security, and expertise over time, CNAP carefully and incrementally relaxes these filters. This process is deliberate and measured, slowly expanding the provider’s permitted actions and service offerings.

• Manual User Addition: It’s important to note that providers always have the ability to manually add individual users to their services, regardless of their current filter status. The primary purpose of these filters is to protect users who are organically browsing and installing apps from accidentally using untrusted providers.

This dynamic filtering system prioritizes security and trust within the CNAP ecosystem while maintaining flexibility for providers. It begins with a highly cautious, restrictive approach for public visibility and gradually opens up more possibilities as providers establish their credibility and trustworthiness over time. The system ensures that expansion of provider capabilities is earned through consistent, verified performance and adherence to CNAP’s security standards, all while allowing providers the freedom to manually manage their user base as needed.

​

Security and Compliance

While CNAP offers remarkable flexibility, it never compromises on security. The platform employs a sophisticated system of checks and balances to ensure that expanded capabilities don’t lead to increased risk.

• Audit Trails: Meticulous logging of user activities and permission changes.
• Automated Compliance Checks: Initiated as users gain new entitlements or expand their trust profiles.
• Community-Driven Trust: Leveraging community feedback and reputation systems to further validate user trustworthiness.

In essence, CNAP’s approach to authentication and authorization is about empowering users while maintaining a secure and trustworthy environment. It’s a dynamic, evolving system that grows with its users, adapting to their needs and capabilities while ensuring the integrity and security of the platform as a whole.