Slice 003 - Access Explorer (MVP)

Goal

Provide the <5-minute "moment of value" visualization for discovered access.

Scope

  • Results Overview (summary cards)
  • Access Explorer
      • principal-centric
      • resource-centric
  • Drilldown to Access Path
  • Provenance panel per hop
  • Filters: system, cloud boundary, orphaned accounts

Acceptance Criteria

  • User can answer both questions:
      • Who has access to this resource?
      • What access does this principal have?
  • Drilldown shows Access Path and provenance
  • Handles empty and partial discovery states gracefully

Tenancy & Isolation Requirements

  • Explorer queries are limited to discovered data in the caller's tenant/workspace scope.
  • Cross-tenant explorer queries are out of scope for v0 product flows.
  • Cross-workspace explorer views are not supported in v0 unless explicitly added for Tenant Admin use.
  • Exports, if enabled, must preserve the same scope restrictions.
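
Added example, not part of this spec or the product's code: one way to meet these requirements is to route both explorer views and the export through a single scope filter, so a matching resource name in another tenant or workspace can never leak into results. The record shape, class names and field names below are hypothetical; the real model is defined in 04-contracts/canonical-model.md.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    # Assumption: derived from the authenticated session, never from request parameters.
    tenant_id: str
    workspace_id: str

@dataclass(frozen=True)
class AccessEdge:
    # Hypothetical record shape for one discovered access relationship.
    tenant_id: str
    workspace_id: str
    principal: str
    resource: str
    path: tuple  # hops of the Access Path

class ScopeError(Exception):
    pass

class Explorer:
    def __init__(self, edges, audit_log):
        self._edges = list(edges)
        self._audit = audit_log

    def _scoped(self, scope):
        # Single choke point: every view and the export read through this filter.
        if not scope.tenant_id or not scope.workspace_id:
            raise ScopeError("caller scope is required")
        key = (scope.tenant_id, scope.workspace_id)
        return [e for e in self._edges if (e.tenant_id, e.workspace_id) == key]

    def who_has_access(self, scope, resource):      # resource-centric view
        return sorted({e.principal for e in self._scoped(scope) if e.resource == resource})

    def access_of(self, scope, principal):          # principal-centric view
        return sorted({e.resource for e in self._scoped(scope) if e.principal == principal})

    def export(self, scope, actor):
        rows = self._scoped(scope)                  # same restriction as the views
        self._audit.append({"actor": actor, "tenant": scope.tenant_id,
                            "workspace": scope.workspace_id, "rows": len(rows)})
        return rows

# Constructed sample data: the same resource name exists in three different scopes.
EDGES = [
    AccessEdge("t1", "ws-a", "alice", "bucket/logs", ("alice", "group:ops", "bucket/logs")),
    AccessEdge("t1", "ws-b", "bob", "bucket/logs", ("bob", "bucket/logs")),
    AccessEdge("t2", "ws-a", "mallory", "bucket/logs", ("mallory", "bucket/logs")),
]
```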

Depends on

  • 04-contracts/canonical-model.md
  • ADR 0001

Definition of Done

  • Explorer loads quickly for MVP datasets
  • Export is optional; if included, it is auditable