LMSOne
Security by design

Security controls grounded in the product.

LMSOne combines identity controls, scoped authorization, protected application tokens, and guarded file workflows for higher-education learning operations.

01

Identity and passwords

ASP.NET Core Identity provides account and password handling. LMSOne enforces passwords with uppercase, lowercase, numeric, and symbol characters, protects state-changing forms against cross-site request forgery, and refreshes security state after password changes.

02

RBAC and IAM boundaries

Authenticated routes, business-administrator status, organization memberships, academic-scope assignments, and roles including organization administrator, manager, instructor, and student are checked before protected operations and file access.

03

Protected transport and tokens

Production database connections created from the deployment URL require TLS by default. ASP.NET Core Data Protection secures application tokens and persists its key ring in the LMSOne database. Final encryption-at-rest characteristics depend on the selected hosting and storage configuration.

04

Upload safeguards

Stored learning resources and submissions use authorization checks before access. The application includes asynchronous upload scanning through VirusTotal when that integration is configured.

Tenant isolation and regulated deployments

The current application applies logical tenant boundaries through organization identifiers, memberships, scoped queries, role checks, and file-access authorization. Dedicated or physically isolated tenant infrastructure—including proposed RIC-style deployments for government requirements—is an optional deployment architecture, not a capability verified in this repository. Its controls, responsibilities, and regulatory fit must be specified and validated for each deployment.

MFA status

The identity framework used by LMSOne supports multi-factor authentication patterns, but an end-user MFA enrollment and challenge flow is not currently implemented in this codebase. MFA should therefore be treated as planned or separately configured—not as a generally available LMSOne feature—until it is implemented and tested.

No blanket compliance claim

These safeguards can support an institution's security program, but they do not by themselves establish compliance with a law, standard, procurement rule, or certification. Controls also depend on deployment configuration and institutional administration. LMSOne is intended and supported for higher education; it makes no security or compliance warranty for K–12 use.