ReefLogic User Documentation¶

Backend — hosted or self-managed

ReefLogic is built around a server backend (PostgreSQL with PostGIS, an OIDC identity provider, and the ReefLogic admin server) that can either be self-managed on your own infrastructure or run as a hosted backend operated for you. The self-hosted path is documented end-to-end in the Deployment section, including the Docker Compose appliance, host HAProxy TLS termination, and the Keycloak realm import. A managed-hosting option is on the roadmap and will be linked here once available.

Authentication and authorization

Operators sign in over OIDC PKCE against Keycloak (for platform administrators) or a per-tenant identity provider (for tenant operators). The IdP issues a JWT whose groups claim — default name urn:reeflogic:roles — lists the operator's group memberships. The admin server resolves each group to a ReefLogic role, and the role's grants (permission × CRUDX mask) are checked on every gRPC call. Group-to-role mapping is the central authorization knob. See OIDC settings, Roles, Permissions, and Grants.

Server administration — system and tenants

The admin desktop client talks to the admin server over gRPC after OIDC PKCE login. Platform administrators use it to bootstrap a fresh deployment, register tenants and their per-tenant OIDC providers, and maintain roles, permissions, and grants both at platform scope and inside each tenant namespace. Full screen-by-screen guidance lives in the Administration Manual, in particular Tenants.

End-user client and synchronization service

The end-user ReefLogic client and the synchronization service are not yet generally available. When released they will provide offline-capable data and survey workflows on Linux, Windows, and macOS, kept in sync with the backend through the sync service. The User Manual will grow to cover these workflows as they ship.