Users, Groups and Applications

The following diagram describes the domain handled by Agate. Each entity of this domain can be edited individually in the Agate Web Application administration interface.



A user is described by some properties. Among these properties, the user name and email must be unique in the system: when signing in, a user can provide its name or email. The authentication is done by providing a password, which is stored in the Agate database in a digested form.

A user can belong to some groups.

A user can have access to some applications. If no application is provided, the user can only access to Agate. Otherwise, listed applications will have the user authenticated by Agate.


A group is uniquely identified by its name. A group can be associated to one or applications.

Members of a group can have access to the applications associated to it.


An application has a name and a key. Each time an external application wants to use the services of Agate, it must provide in the request its name and key. This allows Agate to check the validity of the actions to be performed and the information to be returned.

Its redirect URI is used when authenticating through the OpenID Connect Flow to validate the source application.

Authentication Flow

When a user tries to sign-in an application X, this application delegates the user authentication to Agate. If successful, a ticket is created in Agate (to track user activity) and user session local to the application X is created. This local user session allows the application to not query Agate each time user authorization check is requested.


Architecture, Servers and Clients

The architecture of Mica is split in several servers:

  • Mica server: holds the domain and controls what is to be published, provides the web portal front-end and uses Agate as its user directory.
  • Opal server: holds the data with their dictionary and provide statistics services,
  • Agate server: user directory for data access requests management.

Mica, Opal and Agate are applications developed by OBiba. Each of these OBiBa servers expose web services to allow easy interconnection. The Mica web portal is the final application which leverages each server specific domain and functionalities in one.

The following diagram shows how these servers are linked together:


Agate Server

Agate application is used for:

  • having a user directory shared between OBiBa’s applications,
  • having centralized services such as profile management and email notifications.

Mica Server

Mica application is used for:

  • defining and publishing network, study and dataset catalogues,
  • search for variables.

Installation and configuration guides can be found in the section Mica Server Administrator Guide.

Editors and reviewers of the Mica web portal content can access to the web interface of this server as described in the Mica Web Application User Guide.

Mica server is a client of Opal and Agate servers.

Opal Server

Opal application is used for:

  • defining data dictionaries (variables),
  • storing data,
  • providing data summary statistics.

Opal offers well established security controls, allowing to NOT expose individual-level data. Note also that the Opal server is only accessed by the Mica server, reducing the risk of data compromisation from a malicious end user.

Installation and configuration guides can be found in the Opal Server Administrator Guide.

Mica expects at least one Opal server when some datasets are defined. Additional Opal servers can also be identified to access to distributed datasets.