
Notes: A Realm is a security domain. Tasks execute within the context of
a single realm. The authenticated user plays a role in the context
of the realm. The (realm, user) tuple identifies the RealmUser model
instance, which holds that role. Each role has a set of permissions,
such as DATA_READ and ADMIN_WRITE. The permission set is identified
by the (realm, role) tuple.

A Task (a code-space object) defines an expected permission set. The
permission set for the current (realm, user) tuple must contain at least that
set. That is, the task's permissions are ANDed with the RealmRole's
permissions to determine whether the authenticated user can execute the
current task in the current realm.

Every realm has a realm_id that is used to identify all data owned
by the realm in the database. For example, Model.Email in the diagram
has a realm_id column which ties each email address to its realm.
The object-relational mapping layer automatically inserts the current
authorized realm into database queries. While there are ways of
circumventing this feature, it prevents mistakes (e.g., returning
the wrong realm's data) for the vast majority of code.
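The two mechanisms above, the (realm, role) permission check for a Task and the automatic realm_id scoping of queries, worked through in a small self-contained model. This is an added example written for these notes, not code from the project the notes describe; the Permission enum, the in-memory ROLES/USERS/EMAILS tables, the RealmScopedQuery class and the run_task helper are all assumptions standing in for the real models and ORM layer. Note how the same user name maps to different roles in different realms, and how the scoped query cannot return another realm's rows even when a filter names them explicitly.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Permission(Enum):
    """Permission names come from the notes; the enum itself is assumed."""
    DATA_READ = auto()
    ADMIN_WRITE = auto()


@dataclass(frozen=True)
class RealmRole:
    """Permission set identified by the (realm, role) tuple."""
    realm_id: str
    role: str
    permissions: frozenset


@dataclass(frozen=True)
class RealmUser:
    """Role the user plays inside one realm; keyed by (realm, user)."""
    realm_id: str
    user: str
    role: str


@dataclass(frozen=True)
class Task:
    """Code-space object declaring the permission set it expects."""
    name: str
    required: frozenset


# Constructed sample data (hypothetical realms "acme" and "globex").
ROLES = {
    ("acme", "reader"): RealmRole("acme", "reader", frozenset({Permission.DATA_READ})),
    ("acme", "admin"): RealmRole("acme", "admin",
                                 frozenset({Permission.DATA_READ, Permission.ADMIN_WRITE})),
    ("globex", "reader"): RealmRole("globex", "reader", frozenset({Permission.DATA_READ})),
}
USERS = {
    ("acme", "alice"): RealmUser("acme", "alice", "admin"),
    ("acme", "bob"): RealmUser("acme", "bob", "reader"),
    ("globex", "alice"): RealmUser("globex", "alice", "reader"),  # same user, weaker role
}
EMAILS = [  # stands in for Model.Email rows; realm_id marks the owning realm
    {"realm_id": "acme", "address": "ops@acme.example"},
    {"realm_id": "globex", "address": "ops@globex.example"},
]

READ_TASK = Task("list_emails", frozenset({Permission.DATA_READ}))
ADMIN_TASK = Task("rotate_keys", frozenset({Permission.DATA_READ, Permission.ADMIN_WRITE}))


def can_execute(realm_id, user, task):
    """(realm, user) -> role -> (realm, role) -> permissions; AND with the task's set.

    The task may run only if ANDing leaves the whole required set, i.e. the
    granted permissions contain at least what the task expects.
    """
    realm_user = USERS.get((realm_id, user))
    if realm_user is None:
        return False
    realm_role = ROLES.get((realm_id, realm_user.role))
    if realm_role is None:
        return False
    return (task.required & realm_role.permissions) == task.required


class RealmScopedQuery:
    """Toy ORM query that always ANDs in the current realm_id, as the notes describe."""

    def __init__(self, rows, realm_id):
        self._rows = rows
        self._realm_id = realm_id
        self._filters = []

    def filter(self, **conditions):
        self._filters.append(conditions)
        return self

    def all(self):
        result = []
        for row in self._rows:
            if row["realm_id"] != self._realm_id:  # injected realm predicate
                continue
            if all(row.get(k) == v for cond in self._filters for k, v in cond.items()):
                result.append(row)
        return result


def run_task(realm_id, user, task):
    """Authorize, then query inside the realm; None means the task was refused."""
    if not can_execute(realm_id, user, task):
        return None
    rows = RealmScopedQuery(EMAILS, realm_id).all()
    return [row["address"] for row in rows]


if __name__ == "__main__":
    print(run_task("acme", "alice", ADMIN_TASK))   # ['ops@acme.example']
    print(run_task("globex", "alice", ADMIN_TASK))  # None: reader in this realm
```

The subset test is written as an explicit AND and equality to mirror the notes' wording; in production code `task.required <= realm_role.permissions` is the idiomatic equivalent. The realm predicate lives inside the query object rather than in each caller, which is exactly what makes forgetting it hard.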