Elyse – INTEGRITY BY DESIGN

After being stored in an Elyse database, files are immutable for Elyse application users, ensuring their integrity. Files can also be assigned an immutable retention date, which cannot be changed once set, and the file cannot be deleted before that date has passed. Under normal configuration, files can only be deleted via the database and are not accessible outside of database-managed operations.

The relationship between files and associated file metadata is managed with strong transactional integrity. Relational data and file data are stored and backed up within the same SQL Server–managed system. The database provides transactional consistency between relational data and file data, including during backup and restore, preventing orphaned data under normal SQL Server–managed operations.

A single Elyse database instance maintains one register of user-facing document identifiers within a single namespace. Identifier values are database-constrained for uniqueness while remaining format-agnostic. Identifiers are editable but can be locked against unauthorised change.

By design, duplicate identifiers cannot be created, including through misconfiguration by use of multiple registers for similar entities. No parallel or proxy identifier register is used, regardless of how identifiers are constructed. Document IDs are abstract entities which relate to files through a parent-child relationship.

Elyse relies on Windows Integrated Security, leveraging operating-system-level controls for authentication and access management rather than application-layer security.

Once a user has logged into a Windows account the Elyse SQL database is the sole arbiter of user authentication. The database maintains a zero trust relationship with the application layer. It uses ORIGINAL_LOGIN() to resolve and authenticate users against SID-based ACLs stored within the database. No token passing occurs. The application layer is only responsible for ensuring that the configuration preserves the integrity of ORIGINAL_LOGIN() responses.

User authentication is verified within the database every time a call is made that requires privileges. No token passing occurs. No security state is stored beyond the scope of a single call or single stored procedure.

All application access to data is enforced through stored procedures. Access by stored procedures to underlying tables is via internal ownership chaining. All stored procedures are fully parameterised and contain no data definition language (DDL), no data control language (DCL), and no dynamic SQL capable of structural SQL injection.

The application requires zero privileges and only needs credentials for one or more application roles. Application role credentials allow the execution of stored procedures within role-based schemas. Access to data is further restricted by ACLs checked against ORIGINAL_LOGIN() in each stored procedure that performs a privileged task. The application layer can be segmented by configuring an application with credentials for a single application role, preventing it from executing stored procedures for other roles. Application service accounts are not required to, and must not be, registered within database ACLs.

All code is publicly available and fully transparent. No database code is obfuscated. Application layer code is released under Apache License 2.0.

Built-in audit logging is provided for essential requirements such as creation of key records, file access and file deletion. Additional fine-grained auditing can be enabled by configuring Microsoft SQL Server Audit.

Access to privileged data can be controlled at both the data-level and user-level, with independent permissions for viewing and data editing.

Data at rest can be encrypted using Transparent Data Encryption (TDE) on supported Microsoft SQL Server editions.