BiFrost is the core service of every Walhall application. It exposes all of the application’s microservices as a single API and acts as the main authentication layer. It also provides the basic data model of the application and handles user management and permissions.

When you create a Walhall application and choose logic modules or blueprints, they are pre-configured to communicate with BiFrost. So is the application’s frontend, Midgard.

Data model

All logic modules incorporate the BiFrost data model. These are the most important models:

  • Organization: The top-level class of a Walhall application.
  • CoreUser: A registered user of a Walhall application who belongs to an Organization.
  • CoreGroup: A model that defines a group of CoreUsers with specific permissions in the context of a given WorkflowLevel (1 or 2).
  • WorkflowLevel: WorkflowLevels are core objects that define the data hierarchy of the application. They are associated with each data model in each backend service. There are two types of WorkflowLevels: WorkflowLevel1 and WorkflowLevel2. See the permissions section for more details.

You can manage these data models in your application by making requests to the BiFrost API.

Permissions model

The BiFrost permissions model follows the role-based access control (RBAC) pattern.

In Walhall, CoreUser permissions are assigned on the basis of which CoreGroups they belong to. Each CoreGroup is associated with one WorkflowLevel1 or one WorkflowLevel2. “Permissions” are defined as the ability to execute CRUD operations on the data model with which the WorkflowLevel is associated.

WorkflowLevel1s are top-level; all WorkflowLevel2s must be associated with a WorkflowLevel1 as a child object. However, WorkflowLevel2s can also be children of other WorkflowLevel2s – a recursive permissions structure.

If a CoreGroup is given permissions to a WorkflowLevel1, then those permissions will cascade down to all child WorkflowLevel2s.

If a CoreGroup is given permissions to a WorkflowLevel2, then those permissions will cascade down to all child WorkflowLevel2s, but they will not have permissions to the WorkflowLevel1.

API gateway

When your Walhall application is deployed, BiFrost runs a discovery process to determine which services are used in the application. As the API gateway, BiFrost receives API requests, enforces throttling and security policies, passes requests to the backend services, and then passes the response back to the requester.

In order to be discovered by BiFrost, your service must follow the OpenAPI (Swagger) specification and expose a swagger.json file on the /docs endpoint.

SwaggerUI for your application

As part of the discovery process, BiFrost will combine the Swagger files from all the services and serve the combined API documentation at the /docs endpoint of the application via SwaggerUI.