Data Model Diagram

flowchart LR
  principal["Principal"]
  account["Account"]
  entitlement["Entitlement"]
  action["Action"]
  target["Target"]
  resource["Resource (Target subtype)"]
  boundary["Cloud Account Boundary"]

  principal -- "principal_represents_account" --> account
  account -- "account_assigned_entitlement" --> entitlement
  entitlement -- "entitlement_grants_target" --> target
  entitlement -. "enables_action_on_target" .-> action
  action -. "applies_to" .-> target
  account -. "account_grants_target (optional)" .-> target

  resource -. "is_a" .-> target

  account --> boundary
  entitlement --> boundary
  target --> boundary

  provenance["Provenance\n(source_system, source_object_id, observed_at, run_id, confidence, evidence_ref)"]

  principal --> provenance
  account --> provenance
  entitlement --> provenance
  action --> provenance
  target --> provenance
  boundary --> provenance

  configured["Configured Access"]
  reachable["Reachable Access"]
  observed["Observed Access"]

  configured --> target
  reachable --> target
  observed --> target