This topic appears to be a mixture of two ideas:
- “A high level overview/diagram would be helpful for me to design my Discourse instance”
- “I’m trying to compare the functionality of Discourse to my requirements but can’t find certain information”.
The first point regarding architecture has been discussed a bit, yet unfortunately there is still an absence of a top-level diagram. Hopefully someone with a better understanding can draw something for us here with Mermaid; however, I can at least (hopefully) provide a bit of guidance for your original requirements.
Can Discourse meet Medical/Government/Automotive Information Security requirements and Standards?
You would need to be more concrete about what these requirements are exactly. However, considering the medical and automotive worlds are not too far apart, I can share my experience in the hope that it helps. For context, I run an innersource instance for a large automotive supplier in Germany. It’s been a legal headache, but it is achievable with a naive level of persistence, idiotic levels of resilience and an incredibly helpful and patient legal team. Seriously, be extra nice to your legal team.
The biggest questions you will need to answer are:
- Who is accessing the information?
  - The public?
  - Staff?
  - A mixture of staff and public?
- What kind of information will be on the platform?
  - Public only?
  - A mixture of public and internal?
  - Confidential? Note: the second you plan to host this on the platform, things get a lot harder.
- Where is it being hosted?
  - On-site
  - By Discourse or another host
In our example, we were internal only (staff), with only internal information (i.e. sharing company info that is not confidential), and originally self-hosted but moved to Discourse for hosting.
In terms of hosting with Discourse, our Information Security Office saw no significant issues when we chose to migrate.
We are also distributing this information across multiple nations: China, India, Germany, Romania, USA, France etc. China was a bit of a pain but the Discourse guys did fantastic work to get us across the line with the CDN issues we faced.
Note that question number 3: “Where will it be hosted” is the one which answers most of your protection of data and security questions.
Login and Authorisation
For login you would probably want to lean on SAML. The Discourse team help you set this up if you are an enterprise customer with them. Our IdP is only accessible when you are behind our company’s VPN, so that adds an additional layer of security for us (i.e. you can’t even load the login screen unless you are on our network).
SSH
Further, a standard installation will provide SSH encryption. I’m not in the CIA so I don’t know if they need more than that (allegedly).
Interfacing Discourse with other tools
Lean on the API
For interfacing, the Discourse API is your friend. You can get and set data using an API key and some Python.
There is a great set of examples here: Discourse REST API comprehensive examples
Anonymising user data to be GDPR compliant
In terms of GDPR, you could extract the data from the platform and omit the user at the source by running a query in the Data Explorer.
This is in contrast to using the Discourse API where the JSON response typically includes the full information about the post such as:
- The post content (cooked HTML and raw Markdown)
- The post ID
- The topic ID it belongs to
- The username of the poster
- The post number within the topic
- The post’s creation and last updated timestamps
- The number of likes, replies, quotes, and so on.
How to get Rising Posts and familiar UI?
You might not have seen it, but you could combine this theme:
with something like this:
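As an added example, not code from the post above or from Discourse itself, here is the API-plus-anonymisation workflow the “Lean on the API” and GDPR sections describe in one runnable Python script: send the API key as request headers, pull a topic’s posts, then drop or pseudonymise the poster-identifying fields (including @mentions and profile links inside the post body) before the data leaves the platform. The forum URL, key, username and topic id are placeholders, the sample posts are hand-constructed to mirror the field list in the post rather than a captured response, and the mention pattern is a simplified version of Discourse’s own rule.

```python
"""Added example, not part of the original post or of Discourse's own code.

Pull posts through the Discourse REST API (key sent as headers) and strip or
pseudonymise the author-identifying fields before handing the data on.
Base URL, key, username and topic id are placeholders; SAMPLE_POSTS is a
hand-constructed stand-in for the API JSON, not a captured response.
"""
import hashlib
import hmac
import json
import re
import urllib.request

# Post fields that identify the author directly. Everything else
# (content, ids, post number, timestamps, counts) is kept as-is.
IDENTIFYING_FIELDS = ("username", "name", "user_id", "avatar_template")

# Simplified mention / profile-link patterns (assumption: Discourse's real
# rule also deals with trailing punctuation and unicode usernames).
MENTION_RE = re.compile(r"@([A-Za-z0-9_\-]+)")
PROFILE_RE = re.compile(r"/u/([A-Za-z0-9_\-]+)")


def discourse_headers(api_key: str, api_username: str) -> dict:
    """Discourse reads the key and acting user from request headers; keeping
    them out of the query string keeps them out of proxy and server logs."""
    return {"Api-Key": api_key, "Api-Username": api_username,
            "Accept": "application/json"}


def fetch_topic_posts(base_url: str, topic_id: int,
                      api_key: str, api_username: str) -> list:
    """Live fetch of one topic's posts (network call; not run offline)."""
    req = urllib.request.Request(f"{base_url}/t/{topic_id}.json",
                                 headers=discourse_headers(api_key, api_username))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["post_stream"]["posts"]


def pseudonym(username: str, secret: bytes) -> str:
    """Keyed hash of the username: stable within one export so threads stay
    readable, but unlinkable to the real account without the secret. Use a
    fresh secret per export if linkability across exports is also unwanted.
    Lower-cased because Discourse usernames are case-insensitive."""
    digest = hmac.new(secret, username.lower().encode(), hashlib.sha256)
    return "user_" + digest.hexdigest()[:12]


def anonymise_post(post: dict, secret: bytes) -> dict:
    """Copy of `post` with the author pseudonymised and any @mentions or
    /u/<name> links in the raw/cooked body rewritten the same way."""
    out = {k: v for k, v in post.items() if k not in IDENTIFYING_FIELDS}
    out["author"] = pseudonym(post["username"], secret)
    for field in ("raw", "cooked"):
        body = out.get(field)
        if isinstance(body, str):
            body = MENTION_RE.sub(lambda m: "@" + pseudonym(m.group(1), secret), body)
            body = PROFILE_RE.sub(lambda m: "/u/" + pseudonym(m.group(1), secret), body)
            out[field] = body
    return out


def anonymise_export(posts: list, secret: bytes) -> list:
    return [anonymise_post(p, secret) for p in posts]


# Constructed sample (not a real API response), using the post's field list.
SAMPLE_POSTS = [
    {"id": 10, "topic_id": 5, "post_number": 1, "username": "alice",
     "name": "Alice Example", "user_id": 42,
     "avatar_template": "/user_avatar/alice/{size}.png",
     "raw": "Has anyone wired the IdP up behind the VPN?",
     "cooked": "<p>Has anyone wired the IdP up behind the VPN?</p>",
     "created_at": "2024-01-02T10:00:00Z", "updated_at": "2024-01-02T10:00:00Z",
     "like_count": 2, "reply_count": 1, "quote_count": 0},
    {"id": 11, "topic_id": 5, "post_number": 2, "username": "bob",
     "name": "Bob Example", "user_id": 43,
     "avatar_template": "/user_avatar/bob/{size}.png",
     "raw": "thanks @alice",
     "cooked": '<p>thanks <a class="mention" href="/u/alice">@alice</a></p>',
     "created_at": "2024-01-02T11:00:00Z", "updated_at": "2024-01-02T11:00:00Z",
     "like_count": 0, "reply_count": 0, "quote_count": 0},
    {"id": 12, "topic_id": 5, "post_number": 3, "username": "alice",
     "name": "Alice Example", "user_id": 42,
     "avatar_template": "/user_avatar/alice/{size}.png",
     "raw": "Solved, see post 2.", "cooked": "<p>Solved, see post 2.</p>",
     "created_at": "2024-01-02T12:00:00Z", "updated_at": "2024-01-02T12:00:00Z",
     "like_count": 1, "reply_count": 0, "quote_count": 0},
]

SECRET = b"rotate-me-per-export"  # placeholder; keep the real one out of the repo
EXPORT = anonymise_export(SAMPLE_POSTS, SECRET)

if __name__ == "__main__":
    print(json.dumps(EXPORT, indent=2))
```

The keyed hash rather than a plain counter is deliberate: it lets you re-run the export and get the same pseudonyms without storing a username-to-pseudonym table, which would itself be personal data you then have to protect.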