Skip to content

Product Manager Guide

Welcome to CoSec. This guide explains the security framework from a product perspective — what it does, what problems it solves for users, and how its capabilities translate into product decisions. No engineering jargon required.


What This System Does

CoSec is a security framework that controls who can access what in your application. Think of it as a programmable bouncer for your software: it verifies identities (authentication) and enforces access rules (authorization).

Three things make it stand out for product teams:

  1. Multi-tenant by design. Each customer organization gets its own security rules, roles, and policies — out of the box.
  2. Policy-driven permissions. Access rules are defined as human-readable JSON policies, similar to AWS IAM. Product managers and security teams can review, version-control, and audit these without touching application code.
  3. Flexible deployment. It can run embedded inside your existing application, or as a standalone security gateway that sits in front of all your services.
Business ProblemHow CoSec Solves It
"Who can access this feature?"Role-based and policy-based authorization evaluates every request
"Each customer needs their own security rules"Built-in multi-tenancy isolates policies, roles, and permissions per organization
"We need to support social login"Social authentication via GitHub, Google, WeChat, and 30+ providers
"We need to prevent API abuse"Rate limiting built into the policy layer
"Compliance requires audit trails"Every access decision is logged with a reason (Allow, Explicit Deny, Implicit Deny)
"We want to restrict access by region or IP"Condition matchers support IP ranges, geographic regions, time windows, and custom logic

User Journey Map

The following diagram shows how different types of users interact with CoSec across their lifecycle.

mermaid
journey
    title CoSec User Journey
    section End User
      Visits application: 5: End User
      Authenticates via login or social account: 4: End User
      Receives a security token: 4: End User
      Makes requests to protected features: 4: End User
      Gets allowed or denied based on their role: 5: End User
    section Tenant Administrator
      Creates organization (tenant): 5: Tenant Admin
      Defines roles for the organization: 5: Tenant Admin
      Assigns roles to team members: 5: Tenant Admin
      Sets up organization-specific policies: 4: Tenant Admin
      Reviews access logs and audit trail: 4: Tenant Admin
    section Platform Administrator
      Configures global security policies: 5: Platform Admin
      Sets up social login providers: 4: Platform Admin
      Defines system-wide rate limits: 5: Platform Admin
      Manages IP blacklists and geo restrictions: 4: Platform Admin
      Monitors security dashboard: 5: Platform Admin
    section Product Manager
      Defines permission model for new features: 5: PM
      Reviews and approves policy changes: 4: PM
      Configures feature-specific access rules: 4: PM
      Analyzes access patterns and denial rates: 5: PM

Feature Capability Map

CoSec is organized into modular capabilities. Each module can be used independently or combined.

mermaid
graph TB
    subgraph CORE["Core Security Engine"]
        AUTHN["Identity Verification<br>(Authentication)"]
        AUTHZ["Access Decisions<br>(Authorization)"]
        POLICY["Policy Engine<br>(Rules & Statements)"]
        RBAC["Role-Based Access<br>(RBAC)"]
        MULTI["Multi-Tenancy<br>(Organization Isolation)"]
    end

    subgraph EXTENSIONS["Extended Capabilities"]
        JWT["Token Management<br>(JWT)"]
        SOCIAL["Social Login<br>(GitHub, Google, WeChat)"]
        CACHE["Distributed Caching<br>(Redis)"]
        RATE["Rate Limiting<br>(Abuse Prevention)"]
        GEO["IP & Geo Restrictions<br>(IP2Region)"]
        TRACE["Observability<br>(OpenTelemetry)"]
        SWAGGER["API Documentation<br>(OpenAPI)"]
    end

    subgraph DEPLOY["Deployment Modes"]
        EMBED["Embedded Mode<br>(Inside your app)"]
        GATEWAY["Gateway Mode<br>(Security gateway)"]
        PICK["Module Selection<br>(Mix and match)"]
    end

    AUTHN --> JWT
    AUTHN --> SOCIAL
    AUTHZ --> POLICY
    POLICY --> RATE
    POLICY --> GEO
    AUTHZ --> RBAC
    RBAC --> MULTI
    AUTHZ --> CACHE
    AUTHZ --> TRACE

    style CORE fill:#161b22,stroke:#6d5dfc,color:#e6edf3
    style EXTENSIONS fill:#161b22,stroke:#6d5dfc,color:#e6edf3
    style DEPLOY fill:#161b22,stroke:#6d5dfc,color:#e6edf3
    style AUTHN fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style AUTHZ fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style POLICY fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style RBAC fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style MULTI fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style JWT fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style SOCIAL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style CACHE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style RATE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GEO fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style TRACE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style SWAGGER fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style EMBED fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GATEWAY fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style PICK fill:#2d333b,stroke:#6d5dfc,color:#e6edf3

Capability Details

CapabilityWhat It DoesProduct Impact
AuthenticationVerifies who a user is by checking their credentials (username/password, social login, API keys)Supports multiple login methods without custom code for each one
AuthorizationDecides what an authenticated user is allowed to do on each requestEvery feature access is checked in real time against defined rules
Policy EngineEvaluates access rules defined as JSON policies with ALLOW/DENY effectsSecurity rules can be changed by editing JSON files without redeploying the app
RBACAssigns permissions to named roles, then assigns roles to usersClassic "admin / editor / viewer" model — easy for end users to understand
Multi-TenancyIsolates security rules per customer organizationOne platform serves many customers, each with their own security boundaries
Social LoginLets users sign in with existing accounts from GitHub, Google, WeChat, and 30+ providersReduces signup friction — no new passwords to remember
JWT TokensIssues time-limited tokens (10-minute access, 7-day refresh by default)Users stay logged in without permanent sessions; tokens expire automatically
Rate LimitingLimits how many requests a user or IP can make per secondPrevents abuse and protects service stability
IP & Geo RestrictionsAllows or denies access based on IP address ranges or geographic regionCompliance with regional data access requirements
Distributed CachingCaches policy and permission lookups in Redis with local fallbackAuthorization checks remain fast even under heavy load
ObservabilityTraces every authorization decision through OpenTelemetryOperations teams can see exactly why a request was allowed or denied
API DocumentationAuto-generates Swagger/OpenAPI docs for protected endpointsReduces friction between product and engineering teams

Data Model (Product View)

The following diagram shows how the core security concepts relate to each other from a product perspective.

mermaid
erDiagram
    TENANT ||--o{ USER : "contains"
    USER ||--o{ ROLE : "assigned"
    ROLE ||--o{ PERMISSION : "grants"
    TENANT ||--o{ POLICY : "owns"
    USER ||--o{ POLICY : "has direct"
    POLICY ||--o{ STATEMENT : "contains"
    STATEMENT ||--|| EFFECT : "allows or denies"
    STATEMENT ||--|| ACTION : "matches requests to"
    STATEMENT ||--o{ CONDITION : "requires"
    POLICY ||--o{ CONDITION : "precondition for"
    APP_PERMISSION ||--o{ PERMISSION_GROUP : "organizes"
    PERMISSION_GROUP ||--o{ PERMISSION : "contains"
    ROLE ||--o{ ROLE_PERMISSION : "maps to"
    ROLE_PERMISSION }o--|| PERMISSION : "references"

    TENANT {
        string tenantId PK
        string name
        boolean isPlatformTenant
    }
    USER {
        string id PK
        string name
        map attributes
        boolean anonymous
    }
    ROLE {
        string roleId PK
        string name
    }
    POLICY {
        string id PK
        string name
        string category
        string type
        string tenantId FK
    }
    STATEMENT {
        string name
        string effect
    }
    EFFECT {
        string value "ALLOW or DENY"
    }
    ACTION {
        string pattern "URL path pattern"
    }
    CONDITION {
        string type "authenticated, inRole, inTenant, rateLimiter, etc."
        map configuration
    }
    APP_PERMISSION {
        string id PK
    }
    PERMISSION_GROUP {
        string name
        string description
    }
    PERMISSION {
        string id PK "format: app.group.permission"
        string name
        string description
    }
    ROLE_PERMISSION {
        string roleId FK
        set permissionIds
    }

Key Data Relationships Explained

RelationshipWhat It Means for Product
Tenant contains UsersEach organization has its own set of users, completely isolated from others
User is assigned RolesA user in Organization A can be "admin" while the same person in Organization B is "viewer"
Role grants PermissionsThe "editor" role might include permissions like "create document" and "edit document"
Policy contains StatementsA single policy bundles multiple rules together (e.g., "all rules for the admin section")
Statement has EffectEach rule is either ALLOW or DENY — DENY always wins when there is a conflict
Statement matches ActionsAn action is a URL pattern like /api/orders/* that the rule applies to
Statement requires ConditionsAdditional checks like "user must be authenticated" or "request must come from an allowed IP range"
Tenant owns PoliciesEach organization can define its own access rules, separate from the platform-wide rules

Authorization Decision Flow

When a user tries to do something, here is how the system decides whether to allow it. This is the most important flow to understand for product decisions.

mermaid
flowchart TD
    START["User makes a request"] --> ROOT{"Is the user a<br>root (super-admin)?"}
    ROOT -->|Yes| ALLOW["Allow the request"]
    ROOT -->|No| BLACKLIST{"Is the user<br>blacklisted?"}
    BLACKLIST -->|Yes| DENY_EXPLICIT["Deny: Explicit Deny"]
    BLACKLIST -->|No| GLOBAL_DENY{"Any global DENY<br>policies match?"}
    GLOBAL_DENY -->|Yes| DENY_EXPLICIT
    GLOBAL_DENY -->|No| GLOBAL_ALLOW{"Any global ALLOW<br>policies match?"}
    GLOBAL_ALLOW -->|Yes| ALLOW
    GLOBAL_ALLOW -->|No| USER_DENY{"Any user-specific<br>DENY policies match?"}
    USER_DENY -->|Yes| DENY_EXPLICIT
    USER_DENY -->|No| USER_ALLOW{"Any user-specific<br>ALLOW policies match?"}
    USER_ALLOW -->|Yes| ALLOW
    USER_ALLOW -->|No| ROLE_CHECK{"Any role-based<br>permissions match?"}
    ROLE_CHECK -->|Yes| ALLOW
    ROLE_CHECK -->|No| DENY_IMPLICIT["Deny: Implicit Deny<br>(no matching rule found)"]

    style START fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style ROOT fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style BLACKLIST fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GLOBAL_DENY fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GLOBAL_ALLOW fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style USER_DENY fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style USER_ALLOW fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style ROLE_CHECK fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style ALLOW fill:#238636,stroke:#6d5dfc,color:#e6edf3
    style DENY_EXPLICIT fill:#da3633,stroke:#6d5dfc,color:#e6edf3
    style DENY_IMPLICIT fill:#6e4020,stroke:#6d5dfc,color:#e6edf3

Decision Outcomes

OutcomeMeaningWhen It Happens
AllowThe user can proceedA matching ALLOW rule was found
Explicit DenyThe user is blocked by a specific ruleA matching DENY rule was found (takes priority over any ALLOW)
Implicit DenyThe user is blocked because no rule covers this actionNo matching rule exists at all — this is the default for everything
Token ExpiredThe user's login session has timed outThe JWT access token has passed its expiry time
Too Many RequestsRate limit exceededThe user or IP has made more requests than allowed per second

Configuration & Feature Flags

CoSec uses a single configuration prefix (cosec.*) with feature flags that can be toggled independently. These are set in your application's configuration file (e.g., application.yml).

Feature Flags

FlagDefaultWhat It Controls
cosec.enabledtrueMaster switch — turns the entire security framework on or off
cosec.authentication.enabledtrueWhether identity verification is active
cosec.authorization.enabledtrueWhether access control checks are active
cosec.authorization.local-policy.enabledfalseLoad security policies from local JSON files instead of a remote store
cosec.authorization.local-policy.force-refreshfalseForce re-reading policy files on every startup
cosec.authorization.gateway.enabledtrueWhether the Spring Cloud Gateway integration is active
cosec.jwt.enabledtrueWhether JWT token support is active
cosec.authorization.cache.enabledtrueWhether policy and permission caching is enabled
cosec.opentelemetry.enabledtrueWhether security decision tracing is active

Token Configuration

SettingDefaultDescription
cosec.jwt.algorithmHMAC256Token signing method (HMAC256, HMAC384, or HMAC512)
cosec.jwt.secret(required)Secret key used to sign and verify tokens
cosec.jwt.token-validity.access10 minutesHow long an access token is valid before requiring a refresh
cosec.jwt.token-validity.refresh7 daysHow long a refresh token is valid before requiring re-login

Cache Configuration

SettingDefaultDescription
cosec.authorization.cache.enabledtrueEnable caching for policy lookups
cosec.authorization.cache.policy.maximum-sizeunlimitedMaximum number of cached policies
cosec.authorization.cache.policy.expire-after-writeunlimitedTime before cached policy is refreshed
cosec.authorization.cache.role.maximum-sizeunlimitedMaximum number of cached role permissions
cosec.authorization.cache.role.expire-after-writeunlimitedTime before cached role permissions are refreshed

Policy Types

TypeWho Manages ItWho Can Edit ItUse Case
GLOBALPlatform administratorsPlatform administrators onlyRules that apply to everyone, like "allow anonymous access to the login page"
SYSTEMPlatform administratorsPlatform administrators only (users cannot delete)Built-in rules that form the security baseline
CUSTOMTenant administratorsTenant administrators within their organizationCustomer-specific rules, like "our editors can access the reporting dashboard"

API Capabilities

CoSec exposes its functionality through well-defined interfaces that application developers integrate with. From a product perspective, here is what the system can do.

Authentication Capabilities

CapabilityDescriptionUser Experience
Credential-based loginUsername/password verificationStandard login form
Social loginOAuth-based login via third-party providers"Sign in with GitHub / Google / WeChat" buttons
Token issuanceGenerates access and refresh tokens after successful loginUser stays logged in across sessions
Token refreshExtends a session without re-entering credentialsSeamless — user does not notice the refresh
Anonymous accessAllows unauthenticated users to reach public endpointsLogin wall only appears for protected features

Authorization Capabilities

CapabilityDescriptionProduct Use Case
Path-based matchingRules that match URL patterns like /api/orders/*Protect entire feature areas with a single rule
Method-based matchingRules that match HTTP methods (GET, POST, PUT, DELETE)"Readers can view but not edit"
Wildcard matchingA single rule covers all endpointsGlobal deny for blacklisted users
Role-based permissionsPermissions assigned to named roles"Admin", "Editor", "Viewer" access levels
User-specific policiesDirect policy assignment to individual usersGrant a specific user temporary elevated access
Composite conditionsCombine multiple conditions with AND/OR logic"Allow if authenticated AND (is admin OR request is from office IP)"

Condition Matchers Available

MatcherWhat It ChecksExample
AuthenticatedIs the user logged in?"Only logged-in users can access this"
In RoleDoes the user have a specific role?"Only admins can do this"
In TenantIs the user in a specific organization?"Only Acme Corp users can see this"
Rate LimiterHas the user exceeded the request limit?"Max 10 requests per second"
Grouped Rate LimiterPer-group rate limiting (e.g., per IP)"Max 10 requests per second per IP address"
Path MatchDoes a request value match a path pattern?"Only requests from IPs starting with 192.168"
EqualsDoes a value equal an expected string?"Only requests with this exact tenant ID"
ContainsDoes a value contain a substring?"Only requests from regions containing 'Shanghai'"
Starts WithDoes a value start with a prefix?"Only requests from China"
Ends WithDoes a value end with a suffix?"Only requests ending with specific IP"
In ListIs a value in a set of allowed values?"Only these specific user IDs"
Regular ExpressionDoes a value match a pattern?"Only requests from github.com origins"
Boolean (AND/OR)Combine multiple conditionsComplex logic gates
OGNL ExpressionEvaluate custom expressionsAdvanced custom logic
SpEL ExpressionEvaluate Spring Expression LanguageAdvanced custom logic

Performance & SLAs

Authorization Decision Speed

ScenarioWhat HappensPerformance Note
Root user requestImmediate allow, no policy evaluationFastest path — single identity check
Cache hitPolicy and permission data served from Redis or local cacheSub-millisecond lookups
Cache missPolicy data loaded from storage, then cachedFirst request per user may be slower; subsequent requests are fast
Rate limit exceededImmediate deny before any policy evaluationFast path — prevents wasted processing

Caching Architecture

The system uses a two-level cache for policy and permission data:

  • Level 1 (Local): In-memory cache within each application instance using Guava. Configurable size, expiration, and concurrency settings.
  • Level 2 (Distributed): Redis-based shared cache across all application instances. Ensures policy changes propagate to all instances.

This two-level approach means most authorization checks never leave the application instance, while still ensuring consistency when policies change.

Scalability Considerations

DimensionBehavior
Number of tenantsNo hard limit — tenant isolation is logical (tenant ID on each request), not physical
Number of policies per tenantPolicies are indexed by ID; evaluation is linear through statements within a policy
Number of usersEach user carries their own roles and policies; no per-user blocking scalability issue
Concurrent requestsAuthorization checks are stateless and independent — scales horizontally with application instances

Known Limitations & Constraints

LimitationImpactMitigation
Policy changes require propagation timeA policy update takes time to reach all cached instancesCache expiration can be tuned; force-refresh is available
Default token validity is shortAccess tokens expire in 10 minutes by defaultRefresh tokens (7-day default) handle session continuity automatically
DENY always takes priorityA single DENY rule overrides any number of ALLOW rulesThis is by design (security-first), but requires careful policy authoring
No built-in admin UIPolicies are authored as JSON files or stored externallyUse the provided JSON schema for IDE validation; build a management UI on top of the APIs
Social login depends on third-party providersIf GitHub / Google / WeChat is down, those login methods failUsers can fall back to credential-based login if configured
Rate limiting is per-process for local matchersA rate limiter within a single instance does not aggregate across instancesUse grouped rate limiter with shared storage for distributed rate limiting
Root user bypasses all checksThe root user has unrestricted accessLimit root user credentials to a small number of platform administrators
No built-in user managementCoSec does not manage user accounts, passwords, or profilesThis is handled by your application or a separate identity provider

Data & Privacy

What Data CoSec Handles

Data CategoryDescriptionSensitivity
User IdentityUser ID, roles, policies, custom attributesHigh — contains identity information
Tenant InformationOrganization ID, tenant typeMedium — business structure data
Security TokensJWT access tokens and refresh tokensHigh — grants access to the system
Authorization DecisionsLogs of who accessed what and whether they were allowedMedium — audit trail data
Request MetadataIP addresses, geographic regions, request pathsMedium — can be considered personal data

Privacy Considerations

ConcernHow CoSec Addresses It
Data isolation between tenantsEvery policy, role, and permission is scoped to a tenant ID. One organization cannot see another's security rules.
Token securityTokens are signed with HMAC (256/384/512 bit). The signing secret is never transmitted — only the token is sent over the wire.
IP handlingIP addresses are used for geo-restriction and rate limiting but are not stored by CoSec itself. Your application controls retention.
Audit trailEvery authorization decision includes a reason string. You control where these logs are stored and how long they are retained.
Anonymous accessCoSec distinguishes between anonymous and authenticated users. Public endpoints can be explicitly configured without exposing protected data.
Root userThe root user ID is configured via system property, not stored in user databases. It is a special-case bypass, not a regular user account.

Compliance Readiness

CoSec's policy-based design supports common compliance requirements:

  • Principle of least privilege: Implicit deny means users only get access when explicitly granted.
  • Separation of duties: Different roles can be assigned to enforce that no single user has unchecked power.
  • Audit logging: Every authorization decision is traceable with a reason.
  • Data residency: IP and geo-based conditions can restrict access to specific regions.
  • Access reviews: Policies are defined as JSON — they can be version-controlled, reviewed, and audited like any other configuration.

Glossary

TermPlain Language Definition
AuthenticationThe process of figuring out who the user is (like showing your ID at the door)
AuthorizationThe process of deciding what the user is allowed to do (like checking if your badge opens a specific door)
PolicyA collection of access rules that define what someone can or cannot do
StatementA single rule inside a policy (e.g., "allow editing documents")
EffectWhether a statement allows or denies access (only two options: ALLOW and DENY)
PrincipalA user or automated system that is making a request
TenantAn organization or workspace that has its own isolated set of users, roles, and security rules
RoleA named group of permissions (e.g., "admin" can do everything, "viewer" can only read)
PermissionA specific action that can be granted to a role or user (e.g., "create order", "delete user")
Action MatcherA rule that decides which requests a policy statement applies to, based on the URL path
Condition MatcherAn extra requirement that must be true for a rule to apply (e.g., "user must be logged in")
Rate LimitingA cap on how many requests a user or IP address can make in a given time period
JWTA security token that proves the user has logged in. Contains encoded identity information and an expiry time.
Access TokenA short-lived JWT (10 minutes default) that proves the user is currently authenticated
Refresh TokenA longer-lived token (7 days default) used to get a new access token without re-entering credentials
RBACRole-Based Access Control — assigning permissions to roles, then roles to users
Implicit DenyThe default outcome when no rule matches a request — access is denied unless explicitly allowed
Explicit DenyA specific rule that says "deny this action" — always overrides any allow rules
SPIService Provider Interface — a mechanism that lets developers add custom rule types without modifying the framework
GatewayA standalone security layer that sits in front of your services and checks every incoming request
OpenTelemetryAn observability standard that lets you trace what happened during each request
CoCacheA caching library used by CoSec to store policy lookups in Redis and local memory for fast access
IP2RegionA library that maps IP addresses to geographic regions (country, province, city)
OGNL / SpELExpression languages that allow advanced custom conditions in policies (e.g., "check if the user's department is 'engineering'")

FAQ

1. What happens when a user tries to access something they are not allowed to see?

The system returns an "Explicit Deny" result. In practice, this means the application receives a signal that the request should be rejected, typically resulting in a 403 Forbidden response to the user. The decision includes a reason string for logging and debugging.

2. Can different customers (tenants) have completely different security rules?

Yes. Each tenant has its own policies, roles, and permissions. Tenant A's "admin" role can have different permissions than Tenant B's "admin" role. The system isolates these completely — one tenant can never see or affect another tenant's security configuration.

3. What happens if we add a new feature and forget to create a security rule for it?

Access is denied by default (implicit deny). If no policy explicitly allows access to the new feature, users will be blocked from it. This is a security-first design — it is safer to accidentally block a feature than to accidentally expose it.

4. How do we handle a user who should be temporarily promoted to admin?

Assign a user-specific policy that grants the additional permissions. User-specific policies are evaluated alongside role-based permissions. When the promotion period ends, remove the user-specific policy.

5. What social login providers are supported?

Through the JustAuth integration, CoSec supports 30+ social login providers including GitHub, Google, WeChat, Facebook, Twitter, LinkedIn, Apple, Microsoft, and many more. Each provider requires its own OAuth credentials (client ID and secret) to be configured.

6. How quickly do policy changes take effect?

Policy changes are cached for performance. The propagation delay depends on cache expiration settings. For immediate effect, you can force a cache refresh. With default settings, changes typically propagate within the cache expiration window.

7. Can we restrict access to certain features based on geographic location?

Yes. CoSec includes IP-to-region mapping (via IP2Region). Policies can use condition matchers to check the user's geographic location (country, province, city) and allow or deny access accordingly. For example: "Only allow access from Shanghai and Guangdong province."

8. How does rate limiting work?

Rate limiting is configured as a condition within a policy. You set how many requests per second are allowed. When a user exceeds the limit, the system returns "Too Many Requests" before even evaluating other rules. Rate limits can be per-user or per-group (e.g., per IP address).

9. What is the difference between a global policy and a custom policy?

A global policy applies to everyone across all organizations and is managed by platform administrators. A custom policy applies only to a specific tenant (organization) and is managed by that tenant's administrators. Global policies are evaluated first.

10. Can we use CoSec with our existing user database?

Yes. CoSec handles authentication and authorization but does not manage user accounts. Your application provides the user data (ID, roles, attributes), and CoSec uses that information to make security decisions. You integrate CoSec with your existing user store.

11. What happens if the Redis cache goes down?

CoSec uses a two-level cache. If Redis is unavailable, the local in-memory cache still serves requests. Cache misses will fall back to loading policies from the source. The system degrades gracefully rather than failing.

12. How do we audit who accessed what?

Every authorization decision is made through a single code path that produces an AuthorizeResult with a reason (Allow, Explicit Deny, Implicit Deny, Token Expired, Too Many Requests). Combined with OpenTelemetry tracing, you can see the full decision chain for any request — who requested it, what rules were evaluated, and why the decision was made.

13. Can a user belong to multiple organizations?

Yes. A user can be a member of multiple tenants, each with different roles. The system determines which tenant context applies based on the request. A user might be an "admin" in Organization A and a "viewer" in Organization B simultaneously.

14. Is CoSec only for web applications?

CoSec is designed for any application that processes HTTP requests. It integrates with reactive web frameworks (WebFlux), traditional servlet-based frameworks (WebMVC), and API gateways (Spring Cloud Gateway). It can also serve as a standalone gateway protecting any HTTP-based service.

15. What is the "root" user and why does it bypass all checks?

The root user is a special administrative identity configured at the platform level. It bypasses all policy checks as a safety mechanism — ensuring platform administrators can always access the system. The root user ID is configured via a system property, not through the regular user management flow. It should be restricted to a very small number of trusted administrators.


Next Steps

If You Want To...Start Here
Understand the technical architectureReview the Staff Engineer Guide
See how the project is organizedRead the Contributor Guide
Evaluate CoSec for your organizationReview the Executive Guide
Start integrating CoSecVisit the Integration Guide
Understand the policy formatReview the Policy Schema
See example policiesCheck the policy demos in the README

This guide is part of the CoSec onboarding documentation. For the source code and full documentation, visit github.com/Ahoo-Wang/CoSec.

Licensed under the Apache License, Version 2.0.