Support Types
Supporting data types and utilities - addresses, measurements, values
| Schema Name | Description | Properties | |
|---|---|---|---|
| BankAccount | Bank account information with IBAN, SWIFT/BIC, and account details - supports international banking standards and multiple account types | 17 | |
| ContactPoint | A contact point for a person or organization - phone, email, fax, etc. Based on FHIR ContactPoint and common ERP patterns | 7 | |
| Frequency | A structured frequency specification for recurring activities that defines how often something occurs within a time period. Captures count of occurrences, period duration, timing constraints, and bounds. Commonly used for medication schedules, calendar events, task reminders, and any recurring activity pattern. | 16 | |
| Identifier | A unique identifier issued by a specific system for organizations or persons - business IDs, tax numbers, social security numbers, passport numbers, etc. Supports all country-specific identification systems | 8 | |
| LanguageProficiency | Language proficiency - represents a person's ability in a specific language | 7 | |
| MonetaryAmount | Represents a monetary value with its associated currency, ensuring that amounts are always paired with their currency context to prevent errors and ambiguity. This entity implements the Money pattern from domain-driven design, treating amount and currency as an inseparable pair. It supports financial calculations, multi-currency operations, currency conversion tracking, and proper monetary value handling across invoicing, payments, pricing, subscriptions, and financial transactions. The entity prevents common financial bugs such as adding amounts in different currencies, comparing incompatible monetary values, or losing currency context. It serves as the foundation for all financial operations in e-commerce, accounting, billing, and enterprise systems. | 4 | |
| OnlinePresence | Online presence point for an organization or person - website, social media profiles, online platforms | 6 | |
| PaymentMethod | Represents a payment method that can be used for billing and payments, storing secure payment instrument details while maintaining PCI compliance through tokenization and masking. This entity is a reusable support type that can be owned by tenants, organizations, or persons. It supports multiple payment types including credit cards, debit cards, bank accounts, digital wallets, and alternative payment methods. It stores only non-sensitive tokenized data and masked details for display purposes, never storing full card numbers or sensitive banking information. The entity tracks payment method verification, expiration, primary designation, and billing address associations. It enables scenarios such as multiple payment methods per entity, backup payment methods for failed charges, payment method updates, and payment method verification workflows. The entity serves as a secure payment instrument registry for subscription billing, one-time payments, and recurring charges across B2B SaaS platforms, e-commerce systems, and financial applications. | 16 | |
| Period | A time period with a start and end date/time - used to represent validity periods, date ranges, time intervals, and temporal boundaries | 10 | |
| PostalAddress | Physical mailing address with optional geographic coordinates | 10 |

Event Management
Temporal event management - events with time periods, appointments, meetings, and scheduled activities
| Schema Name | Description | Properties | |
|---|---|---|---|
| Event | Represents a temporal occurrence or happening with defined time boundaries, status, location, and participants. Supports scheduling, calendar integration, and attendance tracking for any time-based activity. | 18 | |
| EventParticipant | Tracks a person's participation in an event including invitation delivery, RSVP response, and actual attendance. Supports role assignment, check-in/check-out times, and absence tracking. | 19 |

User Management
User account management and local authentication - users, password credentials, and two-factor authentication
| Schema Name | Description | Properties | |
|---|---|---|---|
| PasswordCredential | Represents password-based authentication credentials for a user account, managing the lifecycle of password hashes, expiration policies, and password change requirements. This entity separates authentication credentials from user identity, enabling secure password management with proper hashing, rotation policies, history tracking, and security controls. It supports password complexity requirements, expiration policies, password history to prevent reuse, and temporary password states for account recovery or forced resets. The entity serves as a secure credential store for password-based authentication across enterprise applications, customer portals, administrative systems, and multi-tenant platforms. | 13 | |
| TwoFactorConfig | Configuration for two-factor authentication (2FA) methods associated with a user account. This entity enables multi-factor authentication by supporting various verification methods including TOTP (Time-based One-Time Password), SMS, email codes, authenticator apps, and backup codes. It allows users to configure multiple 2FA methods for redundancy, tracks enrollment status, stores encrypted secrets, and manages backup recovery codes. The entity supports modern authentication standards like TOTP (RFC 6238), WebAuthn, and hardware security keys, providing flexible and secure second-factor authentication across web applications, mobile apps, and enterprise systems. | 11 | |
| User | Represents a recognized actor identity within a system, enabling secure access, personalized experiences, and activity tracking across different contexts and applications. A User entity separates the concept of system identity (authentication, authorization, preferences) from personal identity (Person entity). Users can represent individuals accessing business applications, administrative systems, customer portals, or API clients. The entity supports multiple authentication methods (via PasswordCredential and TwoFactorConfig), fine-grained permission-based authorization (via UserPermission), account lifecycle management, security policies, and preference management. Permissions are assigned directly to users through the UserPermission junction entity, enabling attribute-based access control (ABAC) with contextual constraints and temporal validity. The entity serves as the foundation for identity and access management across healthcare, enterprise, e-commerce, government, and SaaS platforms while maintaining separation from the underlying Person or Organization that the user represents. | 13 |

Identity & Federation
Federated identity management and OAuth 2.0/OpenID Connect - identity providers, SSO, OAuth clients, authorization grants, and authentication sessions
| Schema Name | Description | Properties | |
|---|---|---|---|
| AuthenticationMethod | Defines authentication mechanisms available for identity verification including password, MFA, passwordless, biometric, and hardware tokens. Encapsulates security policies, enrollment rules, and availability conditions for each method. Enables adaptive authentication strategies based on security requirements, risk context, and user populations. | 16 | |
| AuthenticationSession | Represents an active authentication session after successful user login, managing security tokens, session state, and device context. Supports OAuth 2.0, OpenID Connect, and SAML protocols with token refresh, expiration policies, and session revocation. Enables session management across web, mobile, and API clients with security monitoring and audit capabilities. | 26 | |
| AuthorizationGrant | Represents an OAuth 2.0 authorization grant enabling delegated access to protected resources. Manages authorization codes, client credentials, refresh tokens, and consent with granted scopes and lifecycle tracking. Supports fine-grained consent management and scope-based access control for OAuth 2.0 and OpenID Connect flows. | 24 | |
| FederatedIdentity | Links a local user account to an external identity in a federated authentication system. Captures provider subject identifier, authentication claims, linking metadata, and trust status. Supports multiple federated identities per user for enterprise SSO, B2B collaboration, and social login scenarios. | 15 | |
| IdentityProvider | Represents an external authentication provider for federated identity management and single sign-on (SSO). Supports SAML 2.0, OpenID Connect, OAuth 2.0, LDAP, and social providers with protocol-specific configuration, attribute mapping, and trust management. Enables enterprise SSO, customer identity federation, and social login across organizational boundaries. | 13 | |
| OAuthClient | Represents an OAuth 2.0 client application requesting access to protected resources. Manages client credentials, allowed grant types, redirect URIs, permitted scopes, and security policies. Supports confidential clients, public clients with PKCE, and service accounts for enterprise, mobile, and API platforms. | 36 |

API Access
API key and token management for programmatic access - API keys, tokens, scopes, and usage tracking for users, organizations, tenants, and service accounts
| Schema Name | Description | Properties | |
|---|---|---|---|
| ApiKey | Represents programmatic credentials enabling authenticated API access across users, organizations, tenants, or service accounts. Supports lifecycle management with expiration and revocation policies, fine-grained scope permissions, and network-level security controls through IP and origin restrictions. Includes usage tracking and rate limiting for comprehensive API credential management. | 25 | |
| ApiScope | Defines granular permissions and access boundaries for API authentication, specifying actions allowed on resources. Supports hierarchical scope relationships with parent-child inheritance and lifecycle management for safe permission evolution. Applicable across SaaS platforms, microservices, and API management systems requiring fine-grained access control. | 13 | |
| ApiToken | Represents an individual access token issued from an ApiKey for authenticating API requests. Supports multiple token types (Bearer, JWT, HMAC, Basic) with independent lifecycle management, expiration policies, and security monitoring including IP tracking and usage analytics. Each token inherits scope permissions from its parent ApiKey but can be further restricted to enforce the principle of least privilege. | 20 |

Permission Management
Fine-grained permission and authorization management - permissions, actions, categories, and direct user permission assignments with ABAC support
| Schema Name | Description | Properties | |
|---|---|---|---|
| AccessDecision | Represents the result of an access control evaluation, capturing the final authorization decision (allow or deny) along with the rationale, contributing voter votes, and audit trail. This entity serves as an audit log for authorization decisions, enabling security analysis, compliance reporting, debugging access control issues, and understanding why access was granted or denied. It records which voters participated, how each voted (allow, deny, abstain), which strategy was used to combine votes, the final decision, and contextual information about the request (user, entity, action, tenant, IP address, timestamp). The entity supports security monitoring by tracking authorization patterns, failed access attempts, privilege escalation detection, and anomalous access behavior. It serves as the forensic evidence layer for access control, enabling security incident investigation, compliance audits (SOC2, ISO 27001), and access review processes. | 10 | |
| AccessDecisionStrategy | Represents a strategy for combining multiple access control voters to make final authorization decisions in a multi-voter access control system. This entity defines how individual voter decisions (allow, deny, abstain) are aggregated into a final access decision, similar to Symfony's AccessDecisionManager or Spring Security's AccessDecisionVoter pattern. Strategies include affirmative (allow if any voter allows), consensus (allow if majority allows), unanimous (allow only if all voters allow), and custom decision logic. The entity enables sophisticated access control scenarios where multiple factors (user permissions, resource ownership, time restrictions, IP location, business rules) are evaluated independently by voters and then combined according to the strategy. It supports use cases such as requiring both role-based permission AND resource ownership, allowing access during business hours OR from whitelisted IPs, and implementing defense-in-depth security through multiple independent checks. | 8 | |
| AccessVoter | Represents an independent access control voter that evaluates authorization requests and votes allow, deny, or abstain based on specific criteria. Inspired by Symfony's Voter pattern and Spring Security's AccessDecisionVoter, this entity enables modular, composable authorization logic where different voters check different aspects of an access request (permissions, ownership, business rules, time restrictions, IP location, etc.). Each voter is responsible for one authorization concern and votes based on its evaluation. Multiple voters can be combined using an AccessDecisionStrategy to reach a final decision. Voters support different evaluation types including permission-based (checking user permissions), ownership-based (checking if user owns the resource), attribute-based (evaluating user/resource attributes), rule-based (custom business logic), and time-based (checking access windows). The entity enables separation of authorization concerns, testable access control logic, and flexible security policies across enterprise applications and multi-tenant platforms. | 10 | |
| Permission | Represents a granular authorization rule that grants the ability to perform a specific action on a specific entity or resource within the system. Permissions are the atomic units of access control, typically following patterns like 'entity.action' (e.g., 'users.read', 'invoices.write', 'reports.delete'). This entity supports both entity-level permissions (applies to all instances of an entity type) and instance-level permissions (applies to a specific entity instance via entityId). It enables fine-grained access control, supports attribute-based access control (ABAC), row-level security, and can be assigned directly to users. Permissions serve as the foundation for authorization policies across enterprise applications, APIs, multi-tenant SaaS platforms, and complex business systems. | 12 | |
| PermissionAction | Represents a standardized action (read, write, create, update, delete, execute, approve) that can be performed on resources. Provides a controlled vocabulary for authorization rules with risk levels and audit requirements. | 7 | |
| PermissionCategory | Represents a logical grouping of related permissions organized by functional area or business domain. Supports hierarchical categorization and simplified permission assignment workflows. | 6 | |
| UserPermission | Junction entity representing the direct assignment of a permission to a user, enabling fine-grained access control without role intermediation. This entity supports explicit permission grants, temporal permissions, contextual restrictions, and delegated authority tracking. It enables scenarios where users need specific permissions beyond their role assignments, temporary elevated access, or context-specific capabilities (e.g., permissions valid only for a specific organization or project). The entity includes comprehensive audit tracking of who granted permissions, when they become effective, expiration dates, and revocation details. It serves as the foundation for attribute-based access control (ABAC) and exception-based permission management across enterprise applications, multi-tenant platforms, and complex authorization scenarios. | 16 |

Multi-Tenancy
Multi-tenant workspace management - tenants, user memberships, settings, branding, password policies, subscriptions, payment methods, and complete data isolation
| Schema Name | Description | Properties | |
|---|---|---|---|
| Feature | Represents a platform capability or feature that can be enabled or disabled for tenants, serving as the central feature catalog for subscription plans and tenant customization. Features define distinct functional capabilities such as advanced reporting, API access, SSO support, custom integrations, or white-labeling. This entity enables feature-based access control, progressive feature rollout, A/B testing, plan differentiation, and feature flag management across multi-tenant platforms. Each feature can be included in subscription plans, manually enabled for specific tenants, or used for gradual feature releases. The entity supports feature categorization, lifecycle management (beta, stable, deprecated), and platform-wide feature availability tracking. It serves as the foundation for feature gating, entitlement management, and product capability management across SaaS platforms and enterprise applications. | 8 | |
| SubscriptionPlan | Represents a subscription tier or pricing plan that defines the features, limits, and pricing for tenant subscriptions in a multi-tenant SaaS platform. This entity serves as the product catalog for subscription offerings, specifying what capabilities and resources are included in each plan tier (free, starter, professional, enterprise). It defines usage quotas (max users, storage, API calls), enabled features, pricing models (per-user, flat-rate, usage-based), and billing configurations. Plans can be hierarchical, allowing upgrade/downgrade paths, and support multiple pricing variants for different billing cycles or regions. The entity enables flexible monetization strategies, A/B testing of pricing, plan versioning, and grandfathering of legacy plans. It serves as the reference for subscription entitlements and the foundation for plan-based feature gating across B2B SaaS platforms and enterprise applications. | 14 | |
| SubscriptionPlanFeature | Junction entity representing which features are included in a subscription plan by default, defining the feature entitlements for each plan tier. This entity enables flexible plan composition where plan managers can configure which features are available in each subscription tier (free, starter, professional, enterprise) without hardcoding feature lists. It supports plan differentiation, feature-based pricing, plan upgrades/downgrades, and A/B testing of plan compositions. The entity allows features to be added or removed from plans over time, supports grandfathering (legacy plan feature configurations), and enables feature-specific configuration per plan (e.g., API rate limits varying by plan tier). It serves as the plan entitlement definition layer, working with TenantFeature to determine final feature access: features included in the plan + manually enabled features for specific tenants. | 5 | |
| Tenant | Represents an isolated organizational workspace in a multi-tenant system, providing complete data segregation and independent configuration for each customer or client organization. A Tenant is the foundational unit for multi-tenancy, ensuring that users, data, permissions, and settings for one tenant are completely isolated from others. Tenants enable SaaS platforms to serve multiple customers from a single application instance while maintaining security boundaries, customization capabilities, and billing independence. Each tenant can have its own branding, authentication rules, feature configurations, subscription plans, and user management. The entity supports hierarchical tenants (parent-child relationships), tenant lifecycle management (trial, active, suspended), and serves as the anchor point for all tenant-scoped data across B2B SaaS platforms, enterprise applications, and multi-organization systems. | 10 | |
| TenantAuthenticationConfig | Authentication configuration and requirements for a tenant workspace, defining which authentication methods are allowed, whether multi-factor authentication is required, session management policies, and login restrictions. This entity enables tenant-specific authentication policies where different organizations can enforce different security standards based on their risk profile and compliance requirements. It supports multiple authentication methods (password, SSO, SAML, OIDC, magic links), mandatory 2FA enforcement, session timeout policies, and authentication method restrictions. The entity works in conjunction with TenantSSOProvider for SSO configurations and TenantPasswordPolicy for password requirements. It serves as the authentication policy layer for multi-tenant platforms, enabling flexible authentication strategies across healthcare (HIPAA), finance (PCI-DSS), government, and enterprise applications. | 11 | |
| TenantBranding | Branding and visual identity configuration for a tenant workspace, enabling white-labeling and custom branding in multi-tenant SaaS platforms. This entity defines the visual appearance of the tenant's workspace including logos, color schemes, custom domains, favicons, and theme settings. It supports complete brand customization where each tenant can have their own visual identity, creating a seamless branded experience for their users. The entity enables use cases such as white-label SaaS products, partner portals with custom branding, client-facing applications with customer logos, and multi-brand platforms. It serves as the visual identity layer for tenant customization, working in conjunction with TenantSettings for complete workspace personalization. | 11 | |
| TenantFeature | Junction entity representing the enablement of a specific feature for a tenant workspace, tracking when features were enabled, by whom, with what configuration, and with optional expiration for trial features. This entity enables feature-based access control where tenants can have features enabled beyond their subscription plan (for trials, promotions, or custom agreements) or features disabled despite being in their plan (for gradual rollout or support issues). It supports feature lifecycle management, A/B testing, progressive feature rollout, temporary feature trials, and feature-specific configuration. The entity tracks the complete audit trail of feature enablement including who enabled the feature, when it was enabled, expiration dates for trial features, and custom configuration parameters for each feature. It serves as the foundation for feature gating, entitlement management, and flexible feature access control across multi-tenant SaaS platforms. | 12 | |
| TenantIPWhitelistEntry | IP address or CIDR block that is allowed to access a tenant workspace, enabling network-based access control and security restrictions. This entity supports IP-based security policies where tenants can restrict access to specific networks, offices, VPNs, or cloud infrastructure. It enables scenarios such as office-only access, VPN-required access, contractor temporary access, and geographic restrictions. Each entry can have labels for identification, expiration dates for temporary access, and enable/disable toggles for quick access control without deletion. The entity supports both individual IP addresses and CIDR notation for network ranges, enabling flexible network security policies. It serves as the network access control layer for multi-tenant platforms, supporting zero-trust architectures, compliance requirements (PCI-DSS network segmentation), and enterprise security policies. | 11 | |
| TenantLocalization | Localization and regional settings configuration for a tenant workspace, defining default timezone, language, currency, and date/time formatting preferences. This entity enables tenant-specific localization where each organization can configure their preferred regional settings that apply to all users by default (users can override in their personal preferences). It supports international multi-tenant platforms where tenants operate in different countries, use different languages, and transact in different currencies. The entity defines display formats for dates and times, default currency for financial operations, timezone for scheduling and timestamps, and language/locale for UI translations. It serves as the internationalization (i18n) and localization (l10n) layer for multi-tenant platforms, ensuring that each tenant sees data formatted according to their regional conventions and business requirements. | 8 | |
| TenantNotificationPreference | Notification preference configuration for a tenant workspace, defining which notification types are enabled, through which channels they should be delivered, to which recipients, and with what frequency. This entity enables granular notification management where tenants can customize their notification experience for different event types (security alerts, usage warnings, billing notifications, maintenance updates). It supports multi-channel delivery (email, SMS, Slack, webhooks), per-type configuration, notification scheduling (immediate, digest, quiet hours), and multiple recipients per notification type. The entity enables scenarios such as sending security alerts to the security team via Slack and email, billing notifications to finance via email only, or usage warnings as daily digests. It serves as the notification routing and preference layer for multi-tenant platforms, ensuring critical information reaches the right people through the right channels at the right time. | 9 | |
| TenantPasswordPolicy | Password security policy and complexity requirements for a tenant workspace, defining rules that govern password creation, validation, expiration, and lockout behavior. This entity enables tenant-specific password security standards, allowing different organizations to enforce their own security requirements ranging from basic (8 characters) to stringent (16+ characters with complexity). It supports password complexity rules (uppercase, lowercase, numbers, special characters), password history to prevent reuse, expiration policies for forced rotation, account lockout rules after failed attempts, and password strength validation. The entity serves as the enforcement layer for password security compliance across industries with different regulatory requirements (HIPAA, PCI-DSS, SOC2) and enables tenants to balance security with user experience based on their risk profile. | 15 | |
| TenantSSOProvider | Single Sign-On provider configuration for a tenant workspace, enabling SSO authentication through SAML, OIDC, OAuth, or other identity federation protocols. This entity stores the technical configuration required to integrate with external identity providers such as Azure AD, Google Workspace, Okta, Auth0, or custom SAML providers. It supports multiple SSO providers per tenant (for different user groups or migration scenarios), priority-based provider selection, and provider-specific metadata. The entity enables enterprise authentication where users authenticate through their corporate identity provider, eliminating password management and enabling centralized access control. It serves as the SSO integration layer for multi-tenant B2B SaaS platforms, supporting various authentication protocols and identity federation standards while maintaining tenant isolation. | 14 | |
| TenantSecurityPolicy | Security policy and compliance configuration for a tenant workspace, defining security controls, access restrictions, verification requirements, and audit policies. This entity enables tenant-specific security postures where different organizations can enforce different security standards based on their compliance requirements, risk tolerance, and regulatory obligations. It supports country-based access restrictions, audit log retention policies, verification requirements, and security monitoring preferences. The entity works in conjunction with TenantIPWhitelistEntry for network access control and TenantPasswordPolicy for credential security. It serves as the security governance layer for multi-tenant platforms, enabling compliance with industry regulations (HIPAA, PCI-DSS, SOC2, GDPR, ISO 27001) and supporting zero-trust security architectures across enterprise applications and B2B SaaS platforms. | 9 | |
| TenantSubscription | Represents a subscription plan and billing arrangement for a tenant workspace in a multi-tenant SaaS platform. This entity manages the commercial relationship between the platform and tenant, tracking subscription tiers, billing cycles, payment status, usage quotas, and plan changes. It enables subscription lifecycle management including trials, upgrades, downgrades, cancellations, and renewals. The entity supports multiple pricing models (per-user, per-feature, usage-based, flat-rate), billing frequencies (monthly, annual, custom), and payment methods. It tracks subscription status, billing period boundaries, upcoming renewals, payment method details, and discount codes while enforcing plan-based feature access and usage limits defined in TenantSettings. The entity serves as the foundation for monetization, revenue recognition, and commercial operations in B2B SaaS platforms, enabling flexible pricing strategies and subscription management. | 25 | |
| TenantUser | Junction entity representing the membership relationship between a user and a tenant workspace, enabling users to access and switch between multiple isolated tenant environments. This entity is the cornerstone of multi-tenant user management, tracking user membership status, invitation workflow, tenant-specific user attributes, and access periods. It enables scenarios where users work across multiple client tenants (consultants, agencies), collaborate with partner organizations, or manage multiple workspaces. The entity supports invitation-based onboarding, role designations per tenant (owner, member, guest), tenant switching in the UI, and complete membership lifecycle from invitation through active membership to removal. It serves as the authorization boundary for tenant-scoped data access and the foundation for tenant isolation in B2B SaaS platforms, enterprise systems, and collaborative applications. | 18 |

Communication
External communication management - emails, SMS, letters, WhatsApp, push notifications, and multi-channel messaging with templates, delivery tracking, and recipient management
| Schema Name | Description | Properties | |
|---|---|---|---|
| CommunicationChannel | Represents a configured communication provider for message delivery (SendGrid, Twilio, Firebase, postal services). Encapsulates provider-specific configuration including credentials, sender identity, rate limits, and retry policies. Enables multi-provider strategies with delivery monitoring and default channel routing. | 16 | |
| Message | Represents a single communication sent through any channel (email, SMS, WhatsApp, push, letter). Tracks the complete message lifecycle from draft to delivery with status transitions, scheduling, and provider integration. Supports templates, attachments, and detailed delivery metrics. | 26 | |
| MessageTemplate | Represents a reusable template for generating messages across channels (email, SMS, push, WhatsApp). Supports variable substitution with {{placeholder}} syntax, multi-language content, versioning, and status lifecycle management. Enables consistent messaging with dynamic personalization for transactional, marketing, and notification use cases. | 17 |

Document Management
Document Management System (GED) - documents, folders, versions, metadata, permissions, workflows, and digital asset management across all industries
| Schema Name | Description | Properties | |
|---|---|---|---|
| Document | Represents a digital document or file that can be attached to any entity in the system. Document provides a universal attachment mechanism through polymorphic references (entity + entityId), enabling documents to be linked to any record type - contracts attached to Organizations, invoices to Orders, medical records to Patients, maintenance logs to Vehicles, or certificates to Employees. This entity supports comprehensive document management including file metadata (MIME type, size), storage backend configuration, classification via categories and tags, and integrity verification via checksum. Documents track ownership and reference their storage location through DocumentStorage. Access control is handled by the permission domain. The entity is designed for enterprise content management, compliance documentation, digital asset management, and any scenario requiring file attachments across all industries and domains. | 24 | |
| DocumentCategory | A universal classification entity for organizing documents by business purpose, type, or function. DocumentCategory provides a flexible hierarchical taxonomy system that enables systematic organization of documents across any domain. Categories can be defined globally for system-wide use or scoped to specific organizations for customized classification schemes. The hierarchical structure through self-referencing allows unlimited nesting depth to model complex classification taxonomies, from broad categories like 'Legal' or 'Financial' down to specific subtypes like 'Employment Contracts' or 'Tax Returns'. Each category includes visual properties (icon and color) to enhance user interface presentation and improve document discovery. The status field enables lifecycle management of categories without deletion, preserving historical classifications. Categories are designed to be stable, reusable classification points that remain consistent even as documents are added, modified, or archived. This entity is intentionally lean, focusing solely on classification structure while delegating concerns like retention policies to metadata systems and access control to dedicated permission domains. DocumentCategory serves as a foundational taxonomy layer applicable to document management systems, content repositories, knowledge bases, digital asset managers, and any system requiring structured document organization. | 8 | |
| DocumentStorage | Represents a storage backend configuration for managing document persistence across various storage providers and protocols. DocumentStorage defines the connection parameters and configuration for storage systems including cloud object storage (Amazon S3, Azure Blob Storage, Google Cloud Storage), network file protocols (FTP, SFTP, WebDAV), and local filesystem storage. This entity serves as a centralized configuration registry for document storage backends, enabling multi-storage architectures where different document types or organizations can be routed to different storage locations. It includes essential connection parameters (endpoints, buckets/containers, regions, base paths) while maintaining security through external credential management. Organizations can designate default storage backends and maintain multiple storage configurations for redundancy, geographic distribution, or compliance requirements. The entity supports storage lifecycle management through status tracking (active, inactive, maintenance) and provides the foundation for implementing storage policies, automatic failover, and cost optimization strategies across any industry requiring document persistence. | 17 |
Survey
Transverse survey and feedback collection system - surveys, questions, and responses that can be attached to any entity via KernelModel references
| Schema Name | Description | Properties | |
|---|---|---|---|
| Survey | Represents a survey or questionnaire that can be attached to any entity via polymorphic reference (entity + entityId). Supports structured data collection through questions, responses, and answers with configurable time boundaries and anonymity settings. | 16 | |
| SurveyAnswer | Represents a single answer to a survey question within a response. Stores the value provided by the respondent (text, number, selections, boolean) and links it to both the question and the response. | 4 | |
| SurveyQuestion | Represents a single question within a survey with support for multiple input types (text, choice, rating, scale, boolean). Includes validation rules, display ordering, and conditional logic for dynamic survey flows. | 12 | |
| SurveyResponse | Represents a complete response submission to a survey by a person or organization. Tracks submission timing, completion status, and links all individual answers together. Supports both anonymous and identified responses. | 10 |
Kernel
Core system primitives and base abstractions - fundamental building blocks that all other domains depend on
| Schema Name | Description | Properties | |
|---|---|---|---|
| KernelModel | Represents an entity definition registered in the solution, serving as a metadata registry for all available entity schemas. Each KernelModel tracks its name, module membership, namespace, and whether it is abstract, enabling runtime introspection and schema-driven development. | 6 | |
| KernelModule | Represents a functional module within the solution, grouping related entities and features into cohesive units. Each module can define dependencies on other modules, ensuring proper initialization order and enabling plugin-based architectures. | 9 |
Foundation & Shared Domains
Reference Data
Standardized reference data - countries, languages, currencies, genders, etc.
| Schema Name | Description | Properties | |
|---|---|---|---|
| Country | Country reference data with ISO codes | 8 | |
| Currency | Currency reference data with ISO codes and country association | 6 | |
| DocumentType | Type of document with business rules and properties. | 8 | |
| Gender | Gender identity reference data | 3 | |
| Language | Language reference data with ISO codes | 4 | |
| Locale | Represents a BCP 47 locale combining language and country for internationalization. Defines regional formatting conventions for dates, numbers, text direction, and calendar preferences. | 11 | |
| MaritalStatus | Marital status reference data | 3 | |
| PaymentTerm | Payment terms and conditions reference data | 4 | |
| Timezone | Represents an IANA timezone with identifier, UTC offset, and DST information. Enables consistent time handling across scheduling, calendars, and internationalized displays. | 6 | |
| UnitOfMeasure | Unit of measure reference data - supports UN/CEFACT codes and common business units | 5 |
Core
Fundamental business entities - people and organizations
| Schema Name | Description | Properties | |
|---|---|---|---|
| BusinessActivity | A business activity, industry sector, or line of business for an organization. Represents what the organization does commercially | 6 | |
| Compliance | Represents administrative deadlines and regulatory compliance tracking for documents, certificates, or authorizations that have expiration dates and require renewal or verification. Compliance is a reusable entity that can be referenced by any document type (identity documents, driving licenses, professional certifications, permits, contracts) to centralize expiration tracking and audit trails. This design enables unified compliance dashboards across all types of administrative obligations without requiring inheritance. Each compliance record tracks validity periods, issuing authority, and lifecycle status independently. | 11 | |
| Department | Represents an organizational unit, division, or subdivision within an organization. Department serves as the foundational entity for organizational structure management across all industries - from corporate divisions (Sales, Marketing, IT) to hospital departments (Emergency, Radiology), government agencies (Parks, Public Works), fleet management divisions (Maintenance, Operations, Dispatch), and any structured organization. The entity supports hierarchical structures enabling nested departments, allowing organizations to model their complete org chart at any granularity. Each department can track its leadership, location, and operational status. Departments serve as organizing units for employees, resources, permissions, and workflows. The entity integrates with Organization for ownership, Person for leadership, and Location for workspace allocation. This universal department model enables comprehensive organizational management across corporate enterprises, healthcare systems, government bodies, logistics companies, and any structured organization. | 20 | |
| Employee | Represents the employment relationship between a Person and an Organization. Employee is not the person themselves - it is the formal employment record that links an individual to their employer, capturing essential job details, organizational placement, and reporting structure. This entity serves as the universal model for workforce management across all industries - from corporate enterprises (software engineers, accountants, executives) to healthcare facilities (nurses, physicians, administrators), government agencies (civil servants, officials), logistics operations (drivers, dispatchers, warehouse staff), retail businesses (associates, managers), and educational institutions (teachers, administrators). The Employee entity references Person for biographical data, Organization for employer identity, Department for organizational assignment, and Location for work site. It tracks core employment attributes including unique employee identifiers, job titles and classifications, employment type (full-time, part-time, contract, temporary), employment status (active, on-leave, terminated), hire and departure dates, supervisor relationships, and work location assignments. This separation between Person and Employee enables individuals to have multiple employment relationships (past and present) with different organizations while maintaining a single authoritative person record. The entity supports organizational reporting hierarchies, departmental assignments, location-based workforce analytics, and comprehensive employee lifecycle management from onboarding through offboarding across any industry or employment context. | 25 | |
| JobPosition | Represents the definition of a job role, function, or position within an organization - not the person holding it, but the formal position specification itself. JobPosition serves as the universal template that defines what a job is across all industries and organizational contexts. From corporate environments (Software Engineer, Marketing Director, Chief Financial Officer) to healthcare facilities (Registered Nurse, Emergency Physician, Medical Technologist), government agencies (Program Analyst, Public Works Supervisor, City Manager), logistics operations (Fleet Dispatcher, Warehouse Manager, Delivery Driver), retail businesses (Store Associate, Department Manager, Regional Director), educational institutions (Teacher, Principal, Counselor), and manufacturing plants (Production Supervisor, Quality Control Inspector, Plant Engineer). Each JobPosition defines the core attributes that make a position recognizable and consistent: its official title, unique position code, hierarchical level within the organization, department assignment, employment type compatibility, and current status. This entity enables organizations to standardize job definitions, manage organizational hierarchies, support workforce planning, ensure consistent job classifications, facilitate career progression mapping, and maintain position lifecycles from creation through deprecation. JobPosition integrates with Employee (who holds the position), Organization (who defines it), and Department (where it exists). The entity supports positions at any organizational level from entry-level individual contributors through C-suite executives, accommodates both departmental and organization-wide roles, and handles various employment arrangements. This separation between position definition and position holder enables multiple employees to share the same position specification while maintaining individual employment records, supports historical tracking of organizational structure evolution, and provides a foundation for competency frameworks, compensation structures, and talent management systems across any industry or organizational model. | 22 | |
| Location | Represents a place where activities, events, or operations occur, encompassing both physical locations (buildings, rooms, warehouses, offices, venues) and virtual locations (video conferencing links, online platforms, virtual meeting rooms). Location serves as the universal spatial reference point for any business entity or event across all domains. Physical locations include detailed address information, building and room identifiers, accessibility features, and geographic coordinates for mapping and proximity analysis. Virtual locations capture meeting URLs, platform identifiers, and access credentials. The entity supports capacity management for space planning, operating hours for scheduling, and contact information for location-specific inquiries. Location can represent spaces at any granularity level - from entire campuses and buildings down to specific rooms and desks, or from virtual platforms down to specific meeting room URLs. This enables comprehensive facility management, resource allocation, event scheduling, delivery logistics, and location-based analytics across all industries and domains. | 33 | |
| Organization | An organization such as a company, business, institution, healthcare facility, or any formal business entity | 22 | |
| OrganizationContact | A professional contact within an organization (sales rep, manager, support agent, etc.) - extends Person with organizational role and context | 6 | |
| Person | An individual person - the base entity for representing human beings in any business context | 18 |
Transverse Entities
Universal entities that apply across all domains - audit trails, external references, consents, and cross-cutting concerns
| Schema Name | Description | Properties | |
|---|---|---|---|
| ChangeHistory | Universal audit trail tracking all field-level modifications with before/after values for any entity type. Supports regulatory compliance (GDPR Article 30, SOX, HIPAA) across all business entities. | 10 | |
| Consent | Universal consent tracking entity for all types of consent (marketing, GDPR, cookies, medical, data processing, etc.) with full audit trail. Base entity that can be extended for specific consent types. | 16 | |
| ExternalReference | Universal reference to records in external systems (Salesforce, SAP, Shopify, Stripe, QuickBooks, etc.) for integration purposes across all entity types | 11 | |
| Tag | Universal tag base entity with properties common to all tag types (CustomerTag, ProductTag, DocumentTag, etc.). Contains tag metadata like name, color, icon, category. | 8 |