ADR 0001 - Canonical Entities, Relationships, and Access Paths

Date: 2026-02-06
Status: Accepted

Context

We need a stable normalized model that allows:
  • multi-system discovery (AWS/Azure/CyberArk Identity in v0)
  • a clear access visualization
  • future extensibility to other connector types (rotation/session/JIT)

Decision

Adopt canonical entities:
  • Principal, Account, Entitlement, Resource, Cloud Account Boundary

Adopt canonical relationships:
  • principal_represents_account
  • account_assigned_entitlement
  • entitlement_grants_resource

Optional:
  • account_grants_resource

Define derived Access Path as: Principal -> Account -> Entitlement -> Resource

All entities and relationships require provenance fields.
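As an added example (not part of this ADR or the project's own code), the canonical relationships and the derived Access Path expansion in Python, including the optional account_grants_resource edge and the provenance check. The provenance field names, the canonical id scheme and the sample relationships are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Provenance fields every entity and relationship must carry (these names are an assumption).
REQUIRED_PROVENANCE = ("source_system", "native_id", "collected_at")

@dataclass(frozen=True)
class Relationship:
    kind: str          # one of the canonical relationship names from the ADR
    src: str           # canonical id of the source entity
    dst: str           # canonical id of the target entity
    provenance: dict

def validate_provenance(items):
    """Reject any entity or relationship that lacks a required provenance field."""
    for item in items:
        missing = [k for k in REQUIRED_PROVENANCE if k not in item.provenance]
        if missing:
            raise ValueError(f"{item.kind} missing provenance fields {missing}")

def derive_access_paths(relationships):
    """Expand canonical relationships into Principal -> Account -> Entitlement -> Resource paths.
    The optional account_grants_resource edge yields a path whose Entitlement slot is None."""
    validate_provenance(relationships)
    edges = defaultdict(lambda: defaultdict(list))   # kind -> src id -> [dst ids]
    for r in relationships:
        edges[r.kind][r.src].append(r.dst)
    paths = []
    for principal, accounts in edges["principal_represents_account"].items():
        for account in accounts:
            for ent in edges["account_assigned_entitlement"][account]:
                for res in edges["entitlement_grants_resource"][ent]:
                    paths.append((principal, account, ent, res))
            for res in edges["account_grants_resource"][account]:
                paths.append((principal, account, None, res))
    return paths

def _prov(system, native_id):
    """Constructed provenance for the sample data below; the ids are made up."""
    return {"source_system": system, "native_id": native_id, "collected_at": "2026-02-06T00:00:00Z"}

SAMPLE_RELATIONSHIPS = [  # constructed sample: one principal, one account, two access paths
    Relationship("principal_represents_account", "principal:alice", "account:aws-role-ops", _prov("aws", "example-role-id")),
    Relationship("account_assigned_entitlement", "account:aws-role-ops", "entitlement:s3-read", _prov("aws", "example-policy-id")),
    Relationship("entitlement_grants_resource", "entitlement:s3-read", "resource:bucket-finance", _prov("aws", "example-bucket-arn")),
    Relationship("account_grants_resource", "account:aws-role-ops", "resource:kms-key-1", _prov("aws", "example-key-arn")),
]
```

A connector that emits these relationships with complete provenance can be checked end to end by asserting on the paths derive_access_paths returns.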

Consequences

  • Connectors must map provider-native constructs into this model.
  • Visualization can be consistent across providers.
  • Fidelity is preserved via native_id + provenance.

Alternatives considered

  • Model "Credential" as first-class in v0 (deferred to v1).
  • Use provider-native graphs only (rejected; prevents cross-system visualization).