
SDF Identifier-based License Common Model

| Author | Date | Change log |
|---|---|---|
| Joseonwoo | 2026-02-02 | First Draft |

1. Purpose

SDF (Sensitive Docs Flow) is an integrated document security processing service that is called to encrypt and decrypt documents in business systems.

In the existing operational structure, the following issues existed.

  • Due to server (App) unit operation, it is difficult to trace the caller in a container environment.
  • The policy/log/billing criteria are inconsistent and server-centric.
  • The scope of the license and the API call authentication elements are mixed, causing operational confusion.

Therefore, this document defines a structure that transitions the SDF operational standards to an Identifier-centric model.

It is the common operational standard of the SDF license and the overarching standard for the Container/App/Hybrid documents.


2. Transition of Operational Standards

SDF shifts the operational standard unit from a server-centric model to a business unit identifier-centric model.

| Division | Existing (Server-Centric) | After Change (Identifier-Centric) |
|---|---|---|
| Operating Standards | Server/App Unit | Work Unit Identifier |
| Policy Application | Document-property-centric | Identifier-based policies |
| Log Tracking | Result-Oriented | Identifier-based Tracking |
| Billing Criteria | Server Unit Estimation | Clarification of Work Units |

In other words, the identifier becomes the central axis of SDF operations.


3. Definition of Key Concepts

The SDF operating model clearly separates the following three elements.

3.1 License Key

The license key is a key that activates the scope of customer use.

  • Activates the tenant's permissions.
  • Determines the number of allowed identifiers.
  • In the app environment, it determines the number of allowed servers.

3.2 Identifier

Identifiers are the criteria for the actual operation of business units.

  • It is divided by business purpose. (e.g., electronic approval, approval withdrawal)
  • It will serve as the criteria for policy application.
  • It serves as a log tracking criterion.
  • It will serve as the basis for audit and billing.

※ An identifier is a value used to distinguish business units and is not used to differentiate Container/App execution environments.

3.3 Access Key (AK)

The access key (AK) is the authentication key (Secret) for SDF API calls.

  • It proves who made the call.
  • It is used as an authentication method for external business systems.
  • Managed separately from the license.

The access key is an element of "caller subject authentication."


[Appendix 1] Comparison of Key Concepts: Identifier / Document ID / Document Grade

In SDF operations, in addition to the "identifier," there are concepts such as document ID for document-level tracking and document classification for security control.

The three concepts have different purposes and application criteria, so they should not be confused.

| Division | Identifier | Document ID | Document Grade |
|---|---|---|---|
| Management Purpose | Classification of Business System Purposes | Individual Document Tracking | Grade-Based Document Control |
| Usage Criteria | License, Policy, Conditional Policy, Log Management | Document History and Security Tracking | Document History and Security Tracking |
| Creation Time | When requesting SDF conversion | When creating a document | When creating a document |
| Maintenance Scope | Entire Document Lifecycle (Metadata-Based) | Entire Document Lifecycle | Entire Document Lifecycle |
| Included in Document | X (Operational Metadata) | O | O |
| Role Summary | Operational Management Standards | Tracking Criteria | Security Level Criteria |

In other words, SDF distinguishes work units based on identifiers, and licenses, conditional policies, and log management are applied consistently on that basis.


4. API Request Structure Standards

When calling the SDF API, the following two values must be passed together. Calls without an Identifier are not allowed as they do not establish policies/logs/billing criteria.

Access Key (AK): caller authentication
Identifier: business unit classification

※ The API header field names follow system standards, so they are kept in English.


5. SDF Internal Processing Flow (Identifier-Based)

SDF processes requests in the following order.

  1. It verifies the access key (AK) to determine whether the call is allowed.
  2. Validates the identifier to check if it is within the license scope.
  3. Apply identifier-based conditional policies.
  4. Performs document encryption and decryption processing.
  5. Records identifiers in logs and document headers.

As a result, the following are all integrated around identifiers:

  • Policy Operation
  • Audit Trail
  • Billing Criteria
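
The gate in steps 1, 2 and 5, together with the Section 4 rule that a call without an Identifier is rejected, as an added example (not SDF's own code). The header names `X-SDF-Access-Key` and `X-SDF-Identifier`, the `Tenant` structure, storing each AK as a SHA-256 digest, and the reason strings are assumptions for illustration; policy evaluation and encryption (steps 3 and 4) are outside its scope.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass, field

AK_HEADER = "X-SDF-Access-Key"   # hypothetical header name (assumption)
ID_HEADER = "X-SDF-Identifier"   # hypothetical header name (assumption)

@dataclass
class Tenant:
    max_identifiers: int                              # granted by the license key (3.1)
    identifiers: dict = field(default_factory=dict)   # Identifier Code -> Display Name
    ak_hashes: dict = field(default_factory=dict)     # caller system -> SHA-256 of its AK

def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

def register_identifier(tenant: Tenant, display_name: str) -> str:
    """Create an identifier (6.3): system-generated GUID, capped by the license."""
    if len(tenant.identifiers) >= tenant.max_identifiers:
        raise ValueError("license identifier limit reached")
    code = str(uuid.uuid4())
    tenant.identifiers[code] = display_name
    return code

def authorize(tenant: Tenant, headers: dict, audit_log: list):
    """Steps 1, 2 and 5 of section 5; returns (allowed, reason)."""
    presented = sha256_hex(headers.get(AK_HEADER, ""))
    ident = headers.get(ID_HEADER, "")
    # Step 1: authenticate the caller; compare digests in constant time.
    caller = next((name for name, stored in tenant.ak_hashes.items()
                   if hmac.compare_digest(stored, presented)), None)
    if caller is None:
        reason = "invalid_access_key"
    elif not ident:
        reason = "missing_identifier"      # section 4: no Identifier, no call
    elif ident not in tenant.identifiers:
        reason = "unknown_identifier"      # step 2: not within the license scope
    else:
        reason = "ok"
    # Step 5: the audit record is keyed by identifier; the AK itself is never logged.
    audit_log.append({"caller": caller, "identifier": ident or None, "result": reason})
    return reason == "ok", reason

if __name__ == "__main__":
    tenant = Tenant(max_identifiers=2)                     # constructed sample data
    code = register_identifier(tenant, "Electronic Approval")
    tenant.ak_hashes["approval-system"] = sha256_hex("constructed-ak-value")
    log = []
    print(authorize(tenant, {AK_HEADER: "constructed-ak-value", ID_HEADER: code}, log))
    print(authorize(tenant, {AK_HEADER: "constructed-ak-value"}, log))
```

Rejected calls are logged as well, so a caller that authenticates correctly but omits or misuses an Identifier still leaves an audit record.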


6. Identifier Operation Policy

6.1 Creation Criteria

It is recommended to generate identifiers based on business unit criteria.

Example:

  • Electronic Approval
  • Approval Export
  • External Collaboration Document

We provide guidance to prevent the excessive generation of identifiers.

6.2 Creation Permission

Identifier creation and management is restricted to Org Admin and higher permissions.

6.3 Identifier Structure

Identifiers have the following structure for user-friendliness and system stability.

  • Display Name: This is the task name entered by the user.
  • Identifier Code: A unique code (GUID) automatically generated by the system.

Users only need to recognize the Display Name, while the Identifier Code is managed by the system.


7. Access Control System (RBAC)

Each administrator's operational authority is classified as follows according to their area of responsibility.

| Role | Permission Scope |
|---|---|
| Master Administrator | License key registration/change, user/permission management, access key (AK) original text inquiry/reissuance |
| Operations Manager | Identifier creation/management, business system registration, access key (AK) status management |
| Query Manager | Policy Management, Log Viewing |

[Appendix 2] Detailed Table of Operational Structure by Permission Type

| Division | Master Administrator | Operations Manager | Query Manager | Maintenance Manager |
|---|---|---|---|---|
| Role Scope | Overall Operation of SDF Service | Responsibilities for System Operation | View Operating Status (Read-Only) | Performing Maintenance |
| Management Target | Overall Work System | Responsibilities System | None | All |
| Identifier Management | O (Full Create/Delete) | X | X | △ (Query) |
| Policy Settings | O (Overall Policy) | O (Responsibilities System) | X | △ (Query) |
| Log Inquiry | O (All) | O (Responsibilities System) | O (Scope of Responsibility) | O (All) |
| Dashboard | O (All) | O (Responsibilities System) | O (Scope of Responsibility) | O (All) |
| Log/Dashboard Export | O | O | X | O |
| Integration System Management | O | O (Responsibilities System) | X | X |
| License Management | O | X | X | X |
| Server Management (App Environment) | O (All) | O (Scope of Responsibility) | X | △ (Query) |
| Admin Permission Management | O | X | X | X |

※ The "Server Management" feature is added only in the app environment. In a container environment, the concept of a server does not exist.


8. Basic Direction of Migration

The following policy applies when upgrading existing customers.

  • Automatically generates 1 basic identifier. For example: Legacy-Default
  • Existing logs and operational data are attributed to the primary identifier.
  • Customers can create additional identifiers by task to gradually separate them.

Examples of transition guidance phrases are as follows.

"Transitioned to identifier-based operation. The primary identifier has been automatically generated. Please add additional identifiers for each task."


9. Summary

The identifier-based operational model is a key transformation to integrate the policy/log/tracking/billing system of SDF by business unit.

This document defines the operational standards, and the subsequent document implements them in the UI.

This document is the top-level document defining the SDF operational standards, and subsequent documents will be expanded as follows according to the operational methods by environment.

[Appendix 3] Differences in License Application by Environment

SDF's licensing criteria vary depending on the execution environment.

| Division | Container Environment | App (On-Prem) Environment |
|---|---|---|
| Server Concept | None | Exists |
| Limit Criteria | Limit only the number of identifiers | Identifier count + server count limit |
| Server Registration | Unnecessary | Required (Key-based verification method recommended) |
| Operating Standards | Identifier-Centric Operations | Identifier-centric + Server reference |
| Reason for Application | Pod Autoscaling | Installation Scale and Cost Control |

  • SDF Hybrid Operating Model
  • SDF Container Operating Model
  • SDF APP Operating Model