i-refactory OAuth2

As mentioned in Solution Overview the i-refactory server requires that each request contains an OAuth2 compliant token.

In this document we will explain the OAuth2 token and the i-refactory OAuth2 server.

OAuth2 token

When a request to our i-refactory server is created you need to include an OAuth2 compliant token.

The access token issued is a JWT token which content follows the OAuth 2.0 Token Introspection specification. It includes the following properties:

iss: the url of the authorization server that issued the token.
iat: the time the token was issued.
exp: the time the token will expire.
aud: the recipients the token is intended for. Currently this is the client that requested the token.
sub: the machine readable identifier of the user (or client) who granted access.
username: the human readable identifier of the user (or client) who granted access.
client_id: the client that requested the token.

We have added two additional properties:

roles: the roles of the user (or client) who granted access.
email: the email address of the user.

The roles property is included because our i-refactory server will check if a client has the required role assigned to execute the API request. The email property is included for backwards compatibility because in prior releases the email property might have been used as the modifier.

When you create an HTTP request you should add the JWT token to an authorization header. The content of the authorization header should start with the literal string Bearer followed by a space followed by the JWT token.

This is an example of a call to our i-refactory server:

/**
 * Create a tenant.
 *
 * @param {string} accessToken - the accessToken
 * @param {Array} tenant - the tenant(s) to create
 * @returns {Promise} - A promise.
 */
async function createTenant(accessToken, tenants) {
    const url = `${IREFACTORY_SERVER}/v1/acmDatadel/tenant`,
        headers = {
            Authorization: `Bearer ${accessToken}`
        },
        data = tenants.map(tenant => {
            return {
                code: tenant.code,
                name: tenant.name,
                description: tenant.description
            };
        }),
        options = {
            method: 'post',
            url: url,
            headers: headers,
            body: data,
            json: true
        };

    return httpRequest.post(options);
}

When the i-refactory server handles the request we will validate if the token is not tampered with and is not expired.

If the token is valid we will proceed with the request and check if the required role for the given API call is available in the token. If the required role is missing you are not authorized and you will receive an error.

We currently have the following roles which you can grant to a user or client application: DataViewer,SystemManager,DataManager,DataOperator,Developer.

In our Swagger Specifications you can check which role is required for a given API call.

i-refactory OAuth2 server

The i-refactory OAuth2 server implements the OAuth 2.0 framework. For the most part the protocol is followed as described in RFC 6749.

To learn more about OAuth2 this video does a good job explaining OAuth2:

Our i-refactory OAuth2 server supports the following OAuth2 flows. We will explain how these different types of flows work with an example.

Authorization code

In an authorization code flow a client application will ask the OAuth2 server to serve a login page with which a user—by entering his credentials—can be authenticated and authorized.
```
sequenceDiagram
  autonumber
  participant A AS i-refactory Web App
  participant B AS OAuth2 Server
  participant C AS OAuth2 Login
  A->>B: authorize request
  Note right of A: "code"
  B->>C: enter user credentials
  C->>B: user credentials
  B->>A: Authorization code
  A->>B: token request
  Note right of A: "authorization_code"
  B->>A: access token(refresh token)
```
The sequence diagram example illustrates the steps and flow of a web application for which a user should be authorized. The flow of events (happy flow) is given. We will explain what happens in each step hereafter.
- Step 1: Authorize request
  
  The i-refactory web app discovers that a user has not yet been authorized. It sends an authorization request to the OAuth2 server. In this request the applications send its clientId, a random string and the redirect URI.
  
  The OAuth2 server checks in the list of known clients if the clientId exists. It checks as well if the redirect URI in the request matches the list of registered redirect URI's for the clientId.
  
  The random string is explained in step 5.
  
  {note} An application should be registered in OAuth2 as a client which is allowed to make requests. The clientId is a unique identifier for each client. For clients which are allowed to make an authorization request the redirect URI's should be registered as well. The latter because the OAuth2 server needs to know to whom the response should be sent and as an additional check.
- Step 2: Serve a user credentials page in the browser.
  
  If all is well the OAuth2 server serves a login page in the browser. The user should enter its username and password. The login page receives a session id that is generated and stored in the OAuth2 server with a time to live of 60 minutes. The entered user credentials and the sessionId are sent to the OAuth2 server.
- Step 3: Validate the user credentials
  
  The OAuth2 server checks if the sessionId still exists (expires in 60 minutes) and if the user credentials are known in the list of users.
- Step 4: Authorization code
  
  The OAuth2 server sends an authorization code and the random string to the client application. This authorization code has a time to live of 30 seconds.
- Step 5: Token request
  
  The client application checks if the received authorization code was intended for it. The random string is used for this purpose. It should match with the request from step 1. The client application now sends a token request. In this request the clientId, clientSecret and accessToken are sent to the OAuth2 server with a grant type authorization_code.
- Step 6: Access Token
  
  The authorization server checks if the authorization code still exists. It will then check the clientId and clientSecret. Finally, it will send a JWT token with the id of the user and the roles assigned to the user. The time to live of the access token is by default set to 3600 seconds. This is reflected in the exp property of the token. The expiration lifetime can be configured. When the token has expired the token is no longer valid and the complete flow from step 1 should be restarted to get a new token.
  
  If the client application has been granted the refresh token privilege a refresh token is sent to the client application as well. A refresh token has a time to live of 14 days. A client application can request a new access token with the refresh token. This request is a refresh token request.
The web application now has a valid token. The token contains the roles assigned to the user. The roles are used to enable or disable behaviour for which the user has access rights. The token also enables the web application to send requests to the i-refactory server.

{note} The i-refactory web application uses the authorization code flow to get a valid token. If an OAuth2 service other then the i-refactory OAuth2 server is used, then it should support at least the authorization code flow.
Client credentials

In a client credentials flow a client requests a token by passing the clientId and clientSecret directly. The OAuth2 server does not serve a login page to enter credentials.
```
sequenceDiagram
  autonumber
  participant A AS Client
  participant B AS OAuth2 Server
  A->>B: token request
  Note right of A: "client_credentials"
  B->>A: access token
```
1. Step 1: token request
  
  A client who has been granted client credentials sends a token request to the OAuth2 server. In this request the client sends his clientId and clientSecret with a grant type client credentials.
2. Step 2: access token
  
  The OAuth2 server checks if the clientId and clientSecret are valid. It sends an access token to the client with the client id and the roles assigned to the client.
The client now has a valid token with which he can send requests to the i-refactory server. If the token has expired the client should send a new token request to the OAuth2 server.

{info} A client credentials flow never sends a refresh token.
Password

In a password flow a client requests a token by passing the clientId, clientSecret, userId and user password directly. The OAuth2 server does not serve a login page to enter credentials.
```
sequenceDiagram
  autonumber
  participant A AS Client
  participant B AS OAuth2 Server
  A->>B: token request
  Note right of A: "password"
  B->>A: access token
```
1. Step 1: token request
  
  A client who has been granted passwords sends a token request to the OAuth2 server. In this request the client sends his clientId, clientSecret, user id and user password with a grant type password.
2. Step 2: access token
  
  The OAuth2 server checks if the clientId, clientSecret, user id and user password are valid. It sends an access token to the client with the user as identifier and the roles granted to the user.
  
  If the client application has been granted the refresh token privilege a refresh token is sent to the client application as well. A refresh token has a time to live of 14 days. A client application can request a new access token with the refresh token. This request is a refresh token request.
The client now has a valid token with which he can send requests to the i-refactory server. If the token has expired the client should send a new token request to the OAuth2 server. If the client has received a refresh token it could use a refresh token request to get a new access token.
Refresh token

In a refresh token flow a client has received a refresh token as part of the authorization code flow. With this refresh token a client can renew the access token without asking the user to enter his user credentials.
```
sequenceDiagram
  autonumber
  participant A AS i-refactory Web App
  participant B AS OAuth2 Server
  A->>B: token request
  Note right of A: "refresh_token"
  B->>A: access token
```
- Step 1: Token request
  
  The client application sends a token request to the OAuth2 server. In this request the clientId, clientSecret and refreshToken are sent to the OAuth2 server with a grant type refresh_token.
- Step 2: Access Token
  
  The authorization server checks the clientId, clientSecret and refresh token. A new access token is created together with a new refresh token. The id of the user and the roles of the users are returned in the access token. Both the access token and refresh token are sent to the client.
The client application now has a new access token and a new refresh token. As long as the OAuth2 server is not shutdown and as long as the refresh token has not expired a client application can indefinitely renew the access token.

Configuring clients and users

The i-refactory OAuth2 server needs to be configured. Clients and users should be registered otherwise no one has access to the i-refactory server. In the i-refactory configuration file, an optional authorizationServer section is added where you should configure the i-refactory OAuth2 server. You can read more here.

In this section we will explain the OAuth2 configuration in detail.

General parameters

These are the general configuration parameters for the i-refactory OAuth2 server.

{
    privateKey: {
        doc: 'Location and name of the private key to use for encrypting access and OpenID tokens',
        format: 'String',
        default: 'missing configuration option: privateKey',
    },
    publicKey: {
        doc: 'Location and name of the public key to use for decrypting access and OpenID tokens',
        format: 'String',
        default: 'missing configuration option: publicKey',
    },
    tokenExpiryTime: {
        doc: 'The default lifetime in seconds of access and OpenID tokens. Used when no lifetime is configured for the client to which a token is issued.',
        format: 'int',
        default: 3600,
    },
    https: {
        host: {
            doc: 'The hostname for the server',
            format: 'String',
            default: 'localhost',
        },
        port: {
            doc: 'The port number to which the server should listen',
            format: 'int',
            default: 3003,
        },
        key: {
            doc: 'The private key to decrypt incoming messages',
            format: 'String',
            default: 'missing configuration option: https.key',
        },
        cert: {
            doc: 'The certificate file which is used to establish the SSL connection',
            format: 'String',
            default: 'missing configuration option: https.cert',
        },
    }
}

Clients

The clients section in the configuration contains a list of clients. A client is an application that is granted access. For example the i-refactory web application or your own .Net or Java application. Each client should be identified with a unique clientId and should have a clientSecret (an empty string is considered a valid clientSecret). A client can have grants which are the typical OAuth2 flows. A client can be granted roles which allows the client to make calls to the i-refactory server. For each client you have the option to overrule the expire time of the access token.

{info} If a client has been granted authorization_code you should register a redirectUri as well. The OAuth2 server needs to know to which URI to redirect when the user credentials are valid.

{
    clients: {
        doc: 'The third-party applications that may request access to the resources owned by the users',
        format: 'irOauthArray',
        default: [],
        values: {
            clientId: {
                doc: 'The id of the third-party application',
                format: 'String',
                default: null,
            },
            clientSecret: {
                doc: 'The password for the client. If the client is granted for client credential authentication, then a password is required.',
                format: '*',
                default: undefined,
            },
            redirectUri: {
                doc: 'The redirection endpoints used by the authorization server to return responses containing authorization credentials to the client',
                format: 'Array',
                default: [],
            },
            grants: {
                doc: 'The grant types the client is authorized for',
                format: 'irOauthRestrictedArray',
                allowedValues: ['authorization_code', 'client_credentials', 'password', 'refresh_token'],
                default: [],
            },
            roles: {
                doc: 'The roles the client is authorized for. Used when the client is granted access using it\'s credentials',
                format: 'Array',
                default: [],
            },
            tokenExpiryTime: {
                doc: 'The lifetime in seconds of access and OpenID tokens issued to the client. Overrules the default lifetime for the server.',
                format: 'int',
                default: undefined,
            },
        },
    }
}

Users

The users section in the configuration contains a list of users who are granted access. Users should be specified when clients have been granted authorization_code or password. In these flows it is the user who is granted access and not the client application.

{
    users: {
        doc: 'An array with users which should have an id, username, password, email and their roles',
        format: 'irOauthArray',
        default: [],
        values: {
            id: {
                doc: 'The machine readable identifier of the user',
                format: 'String',
                default: null,
            },
            username: {
                doc: 'The human readable identifier of the user',
                format: 'String',
                default: null,
            },
            password: {
                doc: 'The username of the user',
                format: 'String',
                default: null,
            },
            email: {
                doc: 'The email address of the user',
                format: 'String',
                default: undefined,
            },
            roles: {
                doc: 'The roles the user is authorized for',
                format: 'Array',
                default: [],
            },
        },
    }
}

Exceptions and implementation decisions

We have made the following exceptions and implementation decisions in our i-refactory OAuth2 server:

Implicit flow

The implicit flow is not supported.
Scopes

According to the RFC a client can specify the scope of the access requested using the "scope" request parameter. If the issued access token scope is different from the one requested by the client, the authorization server must include the "scope" response parameter to inform the client of the actual scope granted.

This implementation ignores scopes. It will always issue an access token with the client who requested an access token, the user who granted access and the roles of the user who granted access.
Audience

The audience in the token could be used to identify the resource server for which the access token is intended.

This is not implemented: the i-refactory server does not check if the access token is intended for the server.
Authorize request handling

In an authorize request the client secret is not required. In the handling of an authorization request only the clientId and the redirect uri are validated. When valid a login screen is presented to the user where he enters a username and password. The username/password are sent to the authorization server. If the username and password are correct (the user is a valid user) the authorization server sends an authorization code to the client application. The client application is then able to request an access token. The authorization code's time to live is 30 seconds.
Token request handling For the token endpoint a client should authenticate using its client id and client secret. This can be done by Basic authentication or by passing the id and secret in the body of the request.
Redirect uri

A redirect uri is required when starting an authorization code flow. The redirect uri will not be defaulted by the authorization server. But when the authorization code is traded for an access token we ignore any redirect uri, although according to OAuth 2.0 a redirect uri is required when a redirect uri is passed on in the authorization request (see section 4.1.3. Access Token Request)
Token invalidation

Tokens expire. It is not possible to invalidate a token. The i-refactory server only checks if a token has not expired and does not check the authorization server if the token is still valid or not.

If an authorization code is used more than once or is used by another client then the tokens issued based on that authorization code are NOT revoked as recommended in section 4.1.2. Authorization Response
Request parameters

If a request includes an invalid parameter or includes a parameter more than once, the request should fail with an invalid request error (see section 4.1.2.1. Error Response).

We do not check for invalid parameters or parameters included more than once.

Constraint violation actions are applicable to certain constraint categories. Not all combinations of constraint categories and violation actions are allowed.

An attribute must have a value, whatever that value may be. It must not be NULL.

A data type of an attribute defines what value an attribute can hold. The data type specifies what type of mathematical, relational, or logical operations can be applied to it without causing an error.

An attribute datatype constraint is the most basic constraint type. It checks for the datatypes we support and have implemented.

For example, we check for string, length of string, integer, date, etc. In the following figure you can see the supported data types by PowerDesigner.

Image is omitted: Supported data types

Constraints can be violated and there are some actions that can be performed when a violation occurs. The possible actions are: EMPTY COLUMN, NO ACTION and SKIP ROW.

An attribute value constraint is an expression that is evaluated. The person who writes the expression is responsible for the correctness of it. The expression should be formulated in a positive way and lead to a Boolean answer. If the expression validates to True, than the value is correct.

Examples

The values in attribute X has to be bigger than 10: X > 10
The email address has to be in a certain pattern: email address LIKE '%_@_%.__%'

A Concept Integration Model is also a central facts model on which you place integration patterns. It is not required to create a concept integration model, but it can be very useful.

Every constraint is assigned to a constraint classification.

The main purposes of the Generic Data Access Layer (GDAL) are to provide logical perspectives for data consumption and to manage CRUD actions.

A generic data access model is a virtual data model that acts as an interface bridge between consumer applications and the central fact storage.

Every attribute is assigned to an attribute classification.

An entity record constraint checks whether an attribute meets the requirements set by another attribute belonging to the same entity.

The main purpose of the Logical Validation Layer (LVL) is to transform the data received from external data sources to fit into the logical data model structure. It is also responsible for validating deliveries. The Logical Validation Layer is also known as the Historical Staging In (HSTGIN) Layer.

The logical validation model is the representation of a single external data source in a logical format. It represent how data delivered by a specific tenant should be transformed, temporalized and validated in the {popup}logical validation layer. The logical validation model is also known as Historical Staging model (HSTGIN).

Multi-active attributes are attributes that contain a business key to provide multiple context records at the same time. For example: a customer has multiple types of phone numbers. “Home”, “Work” and “Mobile”. In that case we add a dependent entity on customer with key “Phone Nbr Type”. This is to prepare for the CFPL multi-active key on customer.

The main purpose of the Technical Staging Layer (TSL) is to create a common starting point for further data processing. It receives data delivered from external data sources and temporally stores them in a database. The input data should be in a tabular format (rows and columns).

Bi-temporal attribute is an attribute that changes over time: they follow a valid timeline. For example, a Part may have a price valid for December and a price valid for January.

Every entity is assigned to an entity classification and to a parent entity classification. The possible values for entity classification are: ALTERNATE KEY CONTEXT, ATTRIBUTE CONTEXT, GENERALIZATION,HELPER, REFERENCE CONTEXT, STABLE, STABLE DEPENDENT and STABLE INDEPENDENT

Entity Set Constraint An entity set constraint can be used to perform a check concerning values of two or more attributes that belong to different entities or to perform a check concerning the value of an attribute with respect to a set of values.

A Set Constraint Helper is a helper in the logical validation model. It is the implementation of a set constraint. The helper returns the records of an entity for a given set constraint, where the instances of this entity do not meet the definition of this set constraint.

The business requirements describe how data should be delivered for the data consumers (end users or applications) in terms of concepts, relationships between concepts and constraints to validate the data. These requirements can be described in a logical data model, for example.

A Business Rule Helper is a helper in the central facts model. It is a set-based calculation of derived facts. You need to use a Business Rule Helper if you want to make a calculation and want to keep a transaction history of the results of this calculation. You use the existing entities from the central facts model as input. The results of the helper must be materialized in 'regular' fact entities, such as Anchors and Contexts, to make them accessible in the Generic Data Access Layer.

Closed Open means that the timeline is valid from (vanaf in Dutch) the supplied valid start date until - but not including - (tot in Dutch) the supplied valid end date. In practice, this means that the start date of a valid time record is equal to the end date of the previous valid time record.

You need to create context-based entities when a set of data may be delivered within the boundaries of a parent context. A context-based entity applies when:

At least 2 entities are delivered.
A context relationship exists between these 2 entities. One entity is the parent context of the other entity.
The parent context entity is delivered as a delta and the child entity is delivered as a full set.

You need to create context-based entities when a set of data may be delivered within the boundaries of a parent context. A context-based entity applies when:

At least 2 entities are delivered.
A context relationship exists between these 2 entities. One entity is the parent context of the other entity.
The parent context entity is delivered as a delta and the child entity is delivered as a full set.

The Management Model contains the PowerDesigner objects for the Unified Anchor Modelling (UAM). When a UAM object is created, a so-called PowerDesigner replica of the corresponding Management Model object is created. This means that certain properties such as metadata columns and column stereotypes are configured in the Management Model and cannot be changed. The replication settings specify which elements of an object can be changed after creating a replica from the template object. It is possible to override the replication settings of an UAM object and change a specific property.

The temporal atomic type describes the datatype of the temporal attributes|

The main purposes of the Central Facts Layer (CFL) is to store data historically. It can also integrate data from different sources. The Central Facts Layer is also known as Central Facts Persistency Layer (CFPL)

The central facts persistence implementation model is the representation of facts in an anchorized data model with the ability to integrate multiple logical models.

In the context of i-refactory, data transformation refers to operations involved in turning raw data readily useful and closer to the business requirements.

Integration patterns are used to integrate entities from different data models. If two or more entities from different data models share the same business key, you can use the Integration Pattern named Key Root. It is a good practice to capture integration patterns in a separate model, named Concept Integration Model.

An attribute is mandatory when its value can not be empty (NULL).

A Physical Data Model (PDM) represents how data will be implemented in a specific database.

{note} The i-refactory uses four PDMs: technical staging model, logical validation model, central facts model and generic access model. Each one of these models is implemented as an additional database, which is used to store data from external and internal data sources.

Reverse engineering is the process of reconstructing a physical and/or Entity Relationship (ER) model from an existing data source. The purpose of reverse engineering is to avoid manual work as much as possible.

Architecture layer

The core of the i-refactory architecture has four layers: TSTGIN, LVL, CFL and GDAL. There are also two auxiliary layers: UCLVL and EXT.

If an entity has one or more attributes that changes over time and you want to keep track of when a attribute is valid at a certain transaction time, then you have a special case of a regular dependent entity, called bi-temporal entity. The bi-temporal entity stores historical data with two timelines. The primary key of the bi-temporal entity is composed by the primary key of the parent entity and the valid start date attribute. The attribute that changes over the valid time is called a bi-temporal attribute.

A delivery agreement is a contract between a Tenant and a Logical Implementation Model or Generic Data Access model. An agreement has a duration. The delivery agreement set the architecture layer (interface) where the data should be ingested as well as the default settings to be applied to the deliveries.

A dependency mapping is a mapping between a helper (or BR helper) and a source entity used in the query of the helper. The helper and the source entity must belong to the same model.

Default dependency is set on entity level (source entity to helper entity)
To allow lineage on attribute level, via the Mapping editor, you could manually add the dependency on attribute level.

An Independent Entity is an entity that implements an Anchor for a Business Key that ‘stands alone’ e.g. that does not contain a reference to another Entity.

A Logical Data Model (LDM) matches the language, structure and quality of the business, regardless of the physical data implementation. The Logical Data Model reflects the business requirements.

A delivery may be considered as "untrusted" if deletes of data in the Logical Validation Layer have taken place and the processing of new deliveries cannot 100% rely (trust) on having enough statistics and data available to detect logical deletes, to determine the exact delta and to execute set based validations.

A Dependent Entity is an entity that implements an Anchor for a Business Key that ‘depends’ in its existence on another Entity. A Dependent Entity contains Business Key fields of which at least one is a foreign key (FK).

The transaction time in i-refactory is different from what is commonly understood by transaction time. Transaction time is usually seen as the moment when a fact was stored in the database. In the i-refactory, the transaction time is the time, as dictated by the source system, not by the i-refactory database.

The Attribute type links the attribute to one of the existing interfaces.

Computed columns are columns whose content is computed from values in other columns in the table.

Functional date A functional date or time is a point in time and is defined by a user. An example is an order date or date of birth.

The technical model (also known as Technical Staging In model: TSTGIN) is a representation of how exactly one delivery from a specific data source will be processed in the technical staging layer.

Generalization is the process of extracting shared characteristics from two or more classes (hyponyms), and combining them into a generalized superclass (hypernym). For example: an 'employee' and a 'customer' are both 'persons'.

The Mapping Editor provides a graphical interface for creating and viewing mappings between models. It provides a global view of all the mappings related to the entities of a given model, allowing you to quickly identify those which are mapped and not mapped.

When a certain fact can change over time and you need to capture when that fact is valid in the real world, you can add a valid start date and a valid end date to the entity.

A valid time tells us in which period a record is valid. While a functional date represents just one point in time, the valid time has a begin and an end date, for example:

For Order item 123, a Retail price of 10.00 was valid from 2019-01-01 to 2019-06-01.
For Order item 123, a Retail price of 12.00 was valid from 2019-06-01 to 2020-01-01.

Alternate key is an attribute or a group of attributes whose values uniquely identify every record in an entity, but which is not the primary key

Candidate key

A candidate key consists of one or more attributes and meets the following requirements:

Unique: The value of the key defines uniquely one instance of a concepts. There are no double values.
Non-volatile: (Almost) doesn't change.
Minimal: Contains only the elements needed.

There are two kinds of candidate keys:

primary key
alternative key

A Key Root Link is an integration concept that must be used when the exact same business concept or dependent business key occurs in different models. The Links for this dependent business key in the different UAM models are all subtypes of the Keyroot Link.

Normalization is the process of decomposing tables in a database in order to reduce data redundancy and improve data integrity.

A strongly typed model is a model in which each all attributes have a predefined data type, for example: integers, doubles, date.

Surrogate Key A surrogate key is a system generated unique identifier that does not have any contextual or business meaning.

Business Key

A business key is an unique identifier that has business meaning and exists in the real world outside of the database. It consists of a column or a set of columns that already exists in a table. A business key is also known as a natural key

A Key Root Hub is an integration concept that must be used when the exact same business concept or independent business key occurs in different models. The Hubs for this independent business key in the different UAM models are all subtypes of the Keyroot Hub.

A relationship shows how two entities are related to one another. For example, a customer can place an order, and a order can have a customer.

Every Attribute has an atomic type (data type) which is linked to the attribute type of that attribute.

The cardinality shows how many instances of an entity can take place in a relationship.

An enumeration consists of the list of values that a given attribute should adhere to.

{example} An order can have different statuses, such as shipped,packing,created anddone. Other statuses are not allowed.

Foreign Key

A foreign key is an attribute or a set of attributes that refers to the primary key of another entity. The original entity containing the primary key is called the 'parent' entity and the entity containing the foreign key is called the 'child' entity.

A natural key is an unique identifier that has business meaning and exists in the real world outside of the database. It consists of an column or a set of columns that already exists in a table. A natural key is also known as a business key

The primary key is an assigned key that consists of a minimal set of attributes to uniquely specify an instance of a record. The attribute or a combination of attributes should meet the following characteristics:

Unique: The attribute values of the key uniquely identify one instance of a concept. There are no duplicate instances.
Non-volatile: The key does not change.
Mandatory: All values are filled; there are no NULL values.

It is good practice to choose a primary key that also meet the following characteristic:

Safe: Doesn't contain private or sensitive information, such as a social security number.

Constraints are related to the other elements depending of the type of the constraint. Certain constraints are associated to attributes, entities, helper entities, unique keys or relationships between entities.

An attribute may be assigned to one or more entities (ex: acm_exists_ind) and an entity may have several attributes

Each layer may have one or more interfaces. The amount of interfaces depend on how many tenants and delivery agreements have been configured.

Namespace is what in the terminology of SQL Server is called database schema.|

A Delivery is a container that holds the specification of what is actually pushed to the i-refactory platform. This specification consists of a list of entities.

Key Root A Key Root is a central repository for Business Keys. A Key Root ensures that similar records out of different data sources are identified by both the same Business Key as the Surrogated Key.

Context

A Context is a temporal table with a transaction start and end date. The Context tracks all changes of the context attributes related to a business key in the transaction time. This means that every change of an attribute value in a source system leads to a new record in the Context. The old record is end dated with the load date and the new record is start dated with the load date.

Hyponym is a term that denotes a subcategory of a more general class. For example: 'cat' and 'dog' are a hyponyms of 'animal'.

A mapping establishes relationships between concepts of separate data models. It creates a link between entities and attributes from a source model to related entities and attributes in the target model. A source model should precede the target model in the i-refactory architecture.

oasi_bk is an abbreviation for One Attribute Set Interface (OASI) with business keys. A normal view in the generic data access layer (GDAL) consists of the surrogate key, foreign key and attributes. The oasi_bk-view in the GDAL is a view where the business key(s) are also shown.

A subtype is a subgroup of an entity. You can create a subtype if a group of instances share some attributes and relationships that only exist for that group. For example, entity Customer can have a subtype Company and a subtype Person. They share the common attribute customer number, and can have some attributes of their own. Such as birth date for a Person. The entity Customer is called a supertype.

A subtype:

inherits all attributes of the supertype
inherits all relationships of the supertype
usually has one or more own attributes
can have subtypes of its own

Anchor: Independent Entity

An Independent Entity is an entity that implements an Anchor for a Business Key that ‘stands alone’ e.g. that does not contain a reference to another Entity.

Anchor: Dependent Entity

A Dependent Entity is an entity that implements an Anchor for a Business Key that ‘depends’ in its existence on another Entity.

A domain will help you to identify the types of information in your model. It defines the set of values for which a column is valid. A domain can specify a data type, length, precision, mandatoriness, check parameters, and business rules. It can be applied to multiple columns, which makes it easier to standardize data characteristics for columns in different tables.

Each interface may have one or more entities and one entity belongs to only one interface. An entity belongs to an i-refactory data model.

A helper entity creates a derived entity and can be used when you need to transform, filter, or calculate data. The purpose of a helper differs per model:

Technical model: a helper is used to transform data.
Logical validation model: a helper is an implementation of a set constraint (Set Constraint Helper).
Central facts model: a helper is used for a set-based calculation of derived facts (Business Rule Helper).

HSTGIN is the abbreviation of Historical STaging IN. It is an older term to indicate the Logical Validation Model or Logical Validation Layer.

A schema is a set of database objects, such as tables, views, triggers, stored procedures, etc. In some databases a schema is called a namespace. A schema always belongs to one database. However, a database may have one or multiple schema's. A database administrator (DBA) can set different user permissions for each schema.

Each database represents tables internally as <schema_name>.<table_name>, for example tpc_h.customer. A schema helps to distinguish between tables belonging to different data sources. For example, two tables in two schema's can share the same name: tpc_h.customer and complaints.customer.

A Tenant is a delivering party for a dataset or datarecord as agreed in the Delivery Agreement.

TSTGIN is the abbreviation of Technical STaging IN. It is an older term to indicate the Technical Model or Technical Staging Layer.

An index organizes data in a way that improves the speed of data retrieval from a database. To maintain the index data structure, there is a cost of additional writes and storage space.

The acronym CRUD stands for create, read, update, and delete. These are the four basic functions of persistent storage.

OLAP is a acronym for Online Analytical Processing. OLAP is category of software tools which provide analysis of data for business decisions. It uses complex queries to analyze aggregated historical data from OLTP systems.The primary objective is data analysis and not data processing.

OLTP is a acronym for Online transaction processing. OLTP captures, stores, and processes data from transactions in real time. Its primary objective is data processing and not data analysis.

A hub or independent entity is an entity that implements an Anchor for a business key that ‘stands alone’ e.g. that does not contain a reference to another entity. An independent entity contains business key fields, that show up as alternate key (AK), and the primary key (PK) is its surrogate key (ID).

A key is a combination of one or more attributes of an entity that uniquely defines one instance of that entity.

Index