coulomb/helix-forge
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bd3deec4d677a506de3bb3aa9306145255e83aab
helix-forge/wiki/CaringStandardRc2.md
tegwick 8f248c413e Add CARING standard RC2
2026-05-17 04:15:39 +02:00

3618 lines
67 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# CARING Standard
## Canonical Access Roles for Information Needs Governance
**Version:** 0.4.0-RC2
**Status:** Release Candidate 2
**Document Type:** Canonical Access Governance Standard
**Primary Use:** Analysis, design, mapping, improvement, and validation of access-control systems for information products and runtime platforms
**Scope:** Humans, services, automations, agents, organizations, tenants, communities, infrastructure platforms, information systems, lifecycle processes, and exceptional access events
---
## 1. Purpose
CARING — **Canonical Access Roles for Information Needs Governance** — provides a practical, canonical vocabulary for describing and governing access to information systems across the full lifecycle of an information product.
It is intended for systems where humans, services, automations, AI agents, organizations, customers, communities, vendors, service providers, consultants, and authorities collaborate across product creation, deployment, operation, support, use, feedback, continuous improvement, and exceptional access events.
CARING exists to prevent access-control systems from degrading into unmanaged collections of local roles, implicit exceptions, historical permissions, support backdoors, hidden operator powers, unclear tenant boundaries, uncontrolled service accounts, induced privilege paths, and poorly understood data-exposure risks.
CARING is not tied to one access-control technology. It may be mapped to IAM roles, ACLs, RBAC groups, ABAC policies, ReBAC relations, service accounts, workflow permissions, database grants, Kubernetes permissions, Git permissions, support tooling, agent execution policies, runtime controllers, CI/CD pipelines, or other access-control mechanisms.
---
## 2. Core Hypothesis
CARING is based on the following hypothesis:
> Existing access-control implementations can be analyzed as compositions of CARING dimensions. A successful CARING mapping reconstructs the implementations declared and effective access semantics while revealing bundled roles, missing scopes, hidden exposures, weak lifecycle controls, restrictive design choices, induced access paths, and governance gaps.
A CARING analysis is considered successful when an access-control implementation can be rebuilt as a set of CARING access descriptors without introducing ad-hoc concepts outside the standard.
If an implementation cannot be modeled cleanly, the mismatch is itself valuable. It may indicate:
```text
1. A genuine gap in CARING.
2. An implementation-specific constraint below CARINGs abstraction level.
3. Hidden authority.
4. Ambiguous scope.
5. Mixed responsibility.
6. Implicit exposure.
7. Missing lifecycle governance.
8. An unmanaged exception path.
9. A gap between declared access and effective access.
10. An induced access path through automation, controllers, agents, services, or workflows.
```
This makes CARING both a standard and an evolving analytical framework.
---
## 3. Descriptive and Prescriptive Use
CARING may be used in two modes.
### 3.1 Descriptive CARING
Descriptive use maps an existing access-control implementation into CARING dimensions.
The purpose is to answer:
```text
What does this system actually allow, deny, expose, obscure, delegate, induce, or fail to govern?
```
Outputs may include:
```text
Access descriptor catalog
Capability profile map
Declared access map
Effective access map
Derived capability map
Scope model
Plane classification
Exposure map
Restriction map
Lifecycle access map
Exceptional access map
Role bundling findings
Tenant-boundary findings
Privilege-escalation findings
Induced-access findings
Redesign recommendations
```
### 3.2 Prescriptive CARING
Prescriptive use designs or improves an access-control model using CARING dimensions.
The purpose is to answer:
```text
How should access be structured for clarity, safety, speed, collaboration, and governance?
```
Outputs may include:
```text
Canonical role model
Capability profiles
Scope hierarchy
Plane model
Exposure rules
Condition rules
Agent access ceilings
Service-account rules
Exception workflows
Review cycles
Governance controls
Policy linting rules
Conformance tests
```
CARING does not require an existing system to be well-designed in order to describe it.
---
## 4. Core Principle: Orthogonality
CARING separates access governance into independent dimensions.
The core dimensions are:
```text
Subject
Organization Relation
Canonical Role
Scope
Plane
Capability
Exposure Mode
Condition
Lifecycle State
Restriction
Exposure Event
```
No single dimension should be overloaded to express all others.
A role does not fully define access.
A role only becomes an effective access policy when combined with organization relation, scope, plane, capability, exposure mode, conditions, lifecycle controls, and restrictions.
---
## 5. Native Role Warning
Many systems use the word **role** for constructs that are not equivalent to a CARING Canonical Role.
A native construct named `role` may represent:
```text
A capability profile
A local title
A group
A rule bundle
A policy object
An access assignment
A workflow responsibility
An application-specific modifier
```
Therefore:
> A native construct named “role” SHOULD NOT be assumed to map to a CARING Canonical Role. It must be analyzed according to its actual semantics.
Examples:
```text
A Lotus/Domino ACL level such as Reader or Editor
→ usually a Capability Profile under Doer.
A Kubernetes Role
→ usually a Capability Profile over verbs, resources, and scope.
A business title such as Department Admin
→ usually a Local Title that must be mapped to role, scope, plane, and capabilities.
```
---
## 6. CARING Access Descriptor
Every relevant access assignment should be expressible as:
```text
Subject
has Canonical Role
from Organization Relation
within Scope
on Plane
with Capabilities
under Conditions
with Exposure Mode
for Lifecycle State
unless overridden by Restrictions
or classified as an Exposure Event.
```
Example:
```text
A Vendor Operator
may restart production services
for Tenant Alpha
on the Runtime Plane
with Operate and Restore capabilities
under ticket + MFA + audit conditions
with metadata-only exposure
for incident recovery.
```
This is different from:
```text
A Customer Operator
may restart customer-managed automations
inside Workspace Finance
on the Execution Plane
with Operate capability
under tenant policy
with no platform access.
```
Same canonical role word: **Operator**.
Different organization relation, scope, plane, exposure, and governance context.
---
## 7. Declared Access and Effective Access
CARING distinguishes declared access from effective access.
### 7.1 Declared Access
**Declared Access** is access explicitly represented by the native access-control system.
Examples:
```text
A database ACL grants Editor.
A Kubernetes Role grants create pods.
An IAM policy allows s3:GetObject.
A Git repository role grants Maintainer.
```
### 7.2 Effective Access
**Effective Access** is access that can actually be achieved through direct, delegated, mediated, derived, or induced execution paths.
Examples:
```text
A user can create a workload.
The workload can mount a service account.
The service account can read secrets.
Therefore the user may effectively gain secret exposure.
```
### 7.3 Analysis Requirement
CARING analysis MUST attempt to reconstruct effective access, not merely declared access.
A CARING map that only records declared policy may miss the actual security posture of a system.
---
## 8. Derived Capability
A **Derived Capability** is a capability that is not directly granted as a named permission, but becomes available as a consequence of another permission.
Example:
```text
Declared capability:
Create workload.
Derived capabilities:
Execute code.
Use mounted secrets.
Use mounted service account.
Access mounted volumes.
```
Derived capabilities are especially important in:
```text
Kubernetes and container platforms
CI/CD systems
Workflow engines
Agentic coding systems
Automation platforms
Plugin systems
Integration platforms
Low-code/no-code platforms
```
CARING analysis SHOULD identify derived capabilities where they materially affect exposure, scope, tenant isolation, or privilege escalation.
---
# Part I — Core Dimensions
---
## 9. Dimension: Subject
A **Subject** is the entity to which access may be assigned or attributed.
Canonical subject types:
```text
Human
Group
Organization
Service
Automation
Agent
System
Device
Process
Anonymous
Unknown
```
### 9.1 Human
A natural person acting directly.
Examples:
```text
Developer
Customer employee
Consultant
Support agent
Auditor
Trainer
```
### 9.2 Group
A collection of subjects.
Groups are assignment conveniences. They are not equivalent to canonical roles.
### 9.3 Organization
A legal, contractual, commercial, or community entity.
Examples:
```text
Vendor company
Customer company
Consultancy
Open-source foundation
Regulator
```
### 9.4 Service
A non-human technical identity that performs system functions.
Examples:
```text
Service account
Database replication identity
CI/CD runner identity
Monitoring service
Operator controller
Kubernetes ServiceAccount
```
### 9.5 Automation
A deterministic or semi-deterministic mechanism executing defined tasks.
Examples:
```text
Scheduled job
Workflow automation
Deployment pipeline
Import job
Backup job
```
### 9.6 Agent
A goal-seeking or semi-autonomous subject, often AI-supported, that acts through tools, workflows, or APIs.
Examples:
```text
Coding agent
Support agent
Ops remediation agent
Research agent
Policy review agent
```
### 9.7 System
A larger technical system treated as an acting subject.
Examples:
```text
Identity provider
Cluster controller
Replication system
Managed service
```
### 9.8 Device
A hardware or virtual device acting as or constraining a subject.
Examples:
```text
Trusted workstation
Mobile device
Hardware security module
IoT device
```
### 9.9 Process
An executing runtime process with attributable behavior.
Examples:
```text
Application process
Worker process
Container process
Agent runtime process
```
### 9.10 Anonymous
A subject without authenticated identity.
### 9.11 Unknown
A subject that cannot be classified or identified.
This includes adversarial, accidental, misconfigured, or not-yet-classified access attempts.
---
## 10. Dimension: Organization Relation
The **Organization Relation** describes the structural relationship of the subject to the information product, tenant, operating environment, or governance context.
It is not a role.
Canonical organization relations:
```text
Vendor
ServiceProvider
Distributor
Consultant
Customer
Community
Authority
Unknown
```
### 10.1 Vendor
The entity that creates, owns, licenses, or governs the product or core platform.
Examples:
```text
Vendor Builder
Vendor Maintainer
Vendor Operator
Vendor Coach
Vendor Integrator
```
### 10.2 ServiceProvider
An entity that operates the system or parts of it on behalf of another party.
The ServiceProvider may be the same legal entity as the Vendor, but should still be conceptually separable.
Examples:
```text
ServiceProvider Operator
ServiceProvider Integrator
ServiceProvider Manager
```
### 10.3 Distributor
An entity that brings the product to market, resells it, bundles it, or introduces it to customers.
Examples:
```text
Distributor Coach
Distributor Integrator
Distributor Manager
```
### 10.4 Consultant
An entity that helps configure, customize, adopt, extend, or optimize the system.
Examples:
```text
Consultant Integrator
Consultant Coach
Consultant Builder
Consultant Manager
```
### 10.5 Customer
The tenant, buyer, subscriber, internal department, business unit, or end organization using the information product.
Examples:
```text
Customer Manager
Customer Doer
Customer Operator
Customer Coach
```
### 10.6 Community
A participant who contributes feedback, code, documentation, extensions, issue reports, tests, examples, training material, governance input, or public knowledge without necessarily belonging to the vendor or customer organization.
Examples:
```text
Community Builder
Community Maintainer
Community Coach
Community Verifier
```
### 10.7 Authority
A legal, regulatory, or institutional entity with exceptional access claims.
Authority access should normally be modeled as an exposure event, not as ordinary standing access.
Examples:
```text
Authority LegalDemand
Authority AuditDemand
Authority DisclosureDemand
```
### 10.8 Unknown
An organization relation that is unidentified, untrusted, adversarial, anonymous, or not yet classified.
---
## 11. Dimension: Canonical Role
A **Canonical Role** describes the lifecycle responsibility posture of a subject toward an information product, system, tenant, resource, or process.
A canonical role is not a permission level.
CARING defines nine primary canonical roles:
```text
Creator
Builder
Verifier
Maintainer
Integrator
Operator
Manager
Coach
Doer
```
These are deliberately limited.
Local systems may define additional titles, groups, application-specific roles, or native policy objects, but they should be mapped to these canonical roles where possible.
---
## 12. Role: Creator
The **Creator** provides original intent, concept, purpose, direction, or authority of meaning.
The Creator may define why the system exists, what problem it solves, what values shape it, and what boundaries should be respected.
Typical access needs:
```text
Intent
Scope
Roadmap
Concept
Requirements
Product direction
Vision documents
```
Not automatically granted:
```text
Production data
Runtime operation
Tenant administration
Customer plaintext
Policy override
```
Examples:
```text
Vendor Creator
Community Creator
Customer Creator
```
---
## 13. Role: Builder
The **Builder** creates or modifies system artifacts.
This includes code, configuration templates, schemas, UI components, workflows, automations, agent prompts, tests, deployment definitions, documentation, integration adapters, and models.
Typical access needs:
```text
Source repositories
Development environments
Test data
Build systems
Design documents
Issue context
Generated artifacts
```
Not automatically granted:
```text
Production operation
Customer plaintext
Policy management
Tenant-wide data access
Secret access
```
Examples:
```text
Vendor Builder
Community Builder
Consultant Builder
Customer Builder
AI Coding Agent as Builder
CI/CD Service as Builder
```
---
## 14. Role: Verifier
The **Verifier** checks correctness, safety, quality, compliance, security, and fit to intent.
Verifier deserves canonical status because fast agentic innovation cycles require continuous independent checking.
Typical access needs:
```text
Test systems
Logs
Evidence
Requirements
Security findings
Quality reports
Acceptance criteria
Audit records
```
Common verifier modes:
```text
Quality Verifier
Security Verifier
Compliance Verifier
Acceptance Verifier
Policy Verifier
```
Not automatically granted:
```text
Unbounded production write access
Customer plaintext
Policy override
Destructive access
```
Examples:
```text
Vendor Verifier
Customer Verifier
Community Verifier
Authority Verifier
AI Test Agent as Verifier
Monitoring Service as Verifier
```
---
## 15. Role: Maintainer
The **Maintainer** keeps a product, component, information space, or artifact coherent over time.
Maintainers coordinate feedback, bugs, releases, patches, compatibility, deprecation, community interaction, and lifecycle continuity.
Typical access needs:
```text
Issue tracker
Release planning
Change approval
Merge coordination
Documentation
Version history
Support escalation context
Community discussions
```
Not automatically granted:
```text
Runtime operation
Tenant content
Production secrets
Customer data
Unbounded policy authority
```
Examples:
```text
Vendor Maintainer
Community Maintainer
Customer Maintainer
Repository Maintainer
```
---
## 16. Role: Integrator
The **Integrator** connects, installs, configures, migrates, adapts, or ramps up a system for a specific environment.
Integrator is not a generic administrator. Integrator is a lifecycle role around bringing a system into a working context.
Typical access needs:
```text
Setup
Initial configuration
Environment connection
Identity federation
Data migration
API integration
Tenant onboarding
System handover
Acceptance preparation
```
Critical characteristic:
```text
Integrator access should usually be temporary.
```
Default lifecycle:
```text
Pre-production
Onboarding
Migration
Handover
Post-go-live support window
Expiry
```
Examples:
```text
Vendor Integrator
ServiceProvider Integrator
Distributor Integrator
Consultant Integrator
Customer Integrator
Automation Integrator
```
---
## 17. Role: Operator
The **Operator** keeps the system running.
This role covers monitoring, incident response, backup, restore, updates, scaling, technical health, runtime intervention, and service continuity.
Typical access needs:
```text
Runtime status
Deployment state
Logs
Metrics
Alerts
Backup and restore
Job control
Infrastructure control
Incident tooling
Operational dashboards
```
Not automatically granted:
```text
Business content
Tenant plaintext
Policy grant authority
Customer impersonation
Bulk export
Product modification
```
Principle:
```text
Operator access is runtime continuity access, not automatic information access.
```
Examples:
```text
Vendor Operator
ServiceProvider Operator
Customer Operator
Automation Operator
Ops Agent as Operator
Kubernetes Controller as Operator
```
---
## 18. Role: Manager
The **Manager** governs a bounded information, application, tenant, process, or policy scope.
Manager captures framework-bound administration, customization, configuration, and data governance.
Manager is not a generic super-admin.
Manager means:
```text
Can shape the system within a defined governance boundary.
```
Typical access needs:
```text
Application configuration
Tenant settings
Workspace settings
User and group assignment
Business rules
Workflow configuration
Data lifecycle settings
Template management
Controlled access delegation
Policy administration within scope
```
Manager can exist at many scopes:
```text
Tenant Manager
Workspace Manager
Project Manager
Dataset Manager
Workflow Manager
Policy Manager
Namespace Manager
```
But CARING does not create separate canonical roles for each. The role remains **Manager**; the scope defines the boundary.
Distinction from Operator:
```text
Operator keeps the system running.
Manager shapes how the system is used.
```
Distinction from Builder:
```text
Builder changes the product or artifact.
Manager changes allowed configuration within the product.
```
---
## 19. Role: Coach
The **Coach** helps others understand, adopt, use, sell, teach, support, or improve their practical use of the system.
Coach unifies promoter, consultant, trainer, supporter, success guide, and similar roles under one canonical role.
Typical access needs:
```text
Demo spaces
Training material
Support cases
Usage analytics
Configuration advice
Customer context
Documentation
Best practices
```
Common coach modes:
```text
Promoter
Trainer
Supporter
Consultant
Success Guide
Community Guide
```
The canonical role remains Coach.
Examples:
```text
Vendor Coach
Distributor Coach
Consultant Coach
Customer Coach
Community Coach
AI Support Agent as Coach
```
Coach access should often be:
```text
Case-scoped
Delegated
Time-limited
Masked by default
Audited
Purpose-bound
```
---
## 20. Role: Doer
The **Doer** uses the system to perform actual work.
This is the business-use role.
Typical access needs:
```text
Read
Create
Edit
Comment
Submit
Approve
Execute
Publish
Collaborate
Consume information
Produce information
```
Doer is not a single permission level.
Capability profiles such as Reader, Author, Editor, Depositor, Approver, Publisher, or Executor may be modeled under Doer.
Examples:
```text
Customer Doer
Community Doer
Vendor Doer
External Doer
```
---
## 21. Dimension: Scope
Scope defines where the role applies.
Scope prevents canonical roles from exploding into countless local variants.
Canonical scope ladder:
```text
Ecosystem
Product
Platform
Cluster
Environment
Tenant
Namespace
Domain
Workspace
Project
Process
Dataset
Resource
Subresource
Record
Field
Action
```
### 21.1 Ecosystem
The whole collaboration environment: vendor, community, distributors, customers, services, extensions, agents, governance processes, and shared artifacts.
### 21.2 Product
The information product or software product as a governed artifact.
### 21.3 Platform
Shared infrastructure, shared services, runtime substrate, or common technical foundation.
### 21.4 Cluster
A bounded infrastructure or runtime control domain.
Example:
```text
Kubernetes cluster
Database cluster
Search cluster
Compute cluster
```
Cluster is not automatically equivalent to tenant or environment.
### 21.5 Environment
Development, test, staging, production, sandbox, demo, customer-managed instance, etc.
### 21.6 Tenant
A customer or isolated organizational unit.
Tenant should be treated as a structural isolation boundary, not merely as a group.
### 21.7 Namespace
A technical partition inside a platform, cluster, product, tenant, or environment.
Examples:
```text
Kubernetes namespace
Object-store namespace
Package namespace
Application namespace
```
Namespace may be used for tenant separation, but it is not automatically a tenant boundary.
### 21.8 Domain
A tenant-internal domain such as finance, HR, legal, operations, procurement, support, engineering, or sales.
### 21.9 Workspace
A collaborative space, team space, department, case room, project area, or knowledge area.
### 21.10 Project
A bounded effort or initiative.
### 21.11 Process
A workflow or business process.
### 21.12 Dataset
A collection of information objects.
### 21.13 Resource
A specific document, entity, file, ticket, record collection, dashboard, agent, automation, repository, model, API, workload, deployment, secret, service account, or system component.
### 21.14 Subresource
A subordinate access surface of a resource.
Examples:
```text
pods/log
pods/exec
deployments/scale
nodes/proxy
object/metadata
object/content
```
### 21.15 Record
An individual business object.
### 21.16 Field
A specific attribute or field.
Example:
```text
Customer Doer may read Employee Record
but not Salary Field.
```
### 21.17 Action
A specific operation.
Example:
```text
May approve payment
but may not edit payment recipient.
```
---
## 22. Dimension: Plane
Plane defines what kind of system layer or access surface is being accessed.
Canonical planes:
```text
Intent Plane
Build Plane
Runtime Plane
Execution Plane
Configuration Plane
Data Plane
Identity Plane
Policy Plane
Secret Plane
Audit Plane
Commercial Plane
Community Plane
```
### 22.1 Intent Plane
Purpose, scope, requirements, values, roadmap, product direction, governance intent.
Typical roles:
```text
Creator
Manager
Maintainer
Verifier
```
### 22.2 Build Plane
Source code, artifacts, schemas, tests, pipelines, documentation, models, prompts, agent recipes.
Typical roles:
```text
Builder
Verifier
Maintainer
```
### 22.3 Runtime Plane
Deployments, jobs, services, health, incidents, monitoring, scaling, backups, runtime objects.
Typical roles:
```text
Operator
Integrator
Verifier
```
### 22.4 Execution Plane
The ability to cause code, jobs, commands, workflows, agents, scripts, or workloads to run.
Typical roles:
```text
Operator
Builder
Doer
Automation
Agent
```
Execution Plane is separated from Runtime Plane because the ability to run something may create derived or induced access beyond ordinary runtime visibility.
### 22.5 Configuration Plane
Application settings, tenant settings, workflows, templates, business rules, integrations, config maps, feature flags.
Typical roles:
```text
Manager
Integrator
Coach
```
### 22.6 Data Plane
Business content, documents, records, messages, files, knowledge, operational data.
Typical roles:
```text
Doer
Manager
Coach
Verifier
```
### 22.7 Identity Plane
Users, groups, service accounts, agents, federation, authentication, lifecycle, certificates.
Typical roles:
```text
Manager
Integrator
Operator
Verifier
```
### 22.8 Policy Plane
Authorization rules, ACLs, approval flows, restrictions, delegation boundaries, role bindings, policy objects.
Typical roles:
```text
Manager
Verifier
Maintainer
```
### 22.9 Secret Plane
Keys, credentials, certificates, tokens, encryption material, signing keys, recovery keys.
Typical roles:
```text
Operator
Integrator
Verifier
```
Secret Plane access should usually be heavily restricted, separated, and audited.
### 22.10 Audit Plane
Logs, access records, evidence, compliance reports, security findings, traceability.
Typical roles:
```text
Verifier
Operator
Manager
Authority
```
### 22.11 Commercial Plane
Contracts, subscriptions, billing, license entitlements, quotas, purchased modules, commercial terms.
Typical roles:
```text
Manager
Coach
Distributor
Vendor
```
### 22.12 Community Plane
Issues, pull requests, discussions, public docs, contribution records, extension catalogs, reputation, public roadmap.
Typical roles:
```text
Community Builder
Community Maintainer
Community Coach
Community Verifier
```
---
## 23. Dimension: Capability
Capabilities describe what can be done.
Roles must not be confused with capabilities.
Canonical capability verbs:
```text
View
ViewCollection
Observe
Create
EditOwn
EditAssigned
EditAny
DeleteOwn
DeleteAny
BulkDelete
Submit
Comment
Review
Approve
Reject
Publish
Archive
Restore
Execute
Configure
Operate
Deploy
Integrate
Grant
Revoke
Delegate
Impersonate
Export
Import
Replicate
Encrypt
Decrypt
Mask
Inspect
Audit
Override
Escalate
Bind
Use
```
### 23.1 Capability Profiles
A **Capability Profile** is a named bundle of capabilities.
Capability profiles are useful for human understanding and compatibility with existing systems.
Examples:
```text
Reader
Author
Contributor
Editor
Depositor
Approver
Publisher
Designer
RuntimeOperator
TenantManager
DatabaseManager
NamespaceAdmin
ClusterAdmin
```
Capability profiles are not canonical roles. They should be mapped to canonical roles, scopes, planes, and capabilities.
---
## 24. Common Capability Profiles
### 24.1 Reader
```text
Canonical Role:
Doer
Capabilities:
View
Plane:
Data
Exposure:
Plaintext or masked, depending on data policy
```
### 24.2 Contributor / Author
```text
Canonical Role:
Doer
Capabilities:
View
Create
EditOwn or EditAssigned
Plane:
Data
```
### 24.3 Editor
```text
Canonical Role:
Doer
Capabilities:
View
Create
EditOwn
EditAny
Plane:
Data
```
### 24.4 Depositor / Submitter
```text
Canonical Role:
Doer
Capabilities:
Submit
Create
Not granted:
View
Plane:
Data
Exposure:
None or minimal confirmation after submission
```
### 24.5 Designer
```text
Canonical Role:
Builder
Capabilities:
Create
EditAny
Configure
Review
Plane:
Build / Configuration
```
### 24.6 Runtime Operator
```text
Canonical Role:
Operator
Capabilities:
Operate
Restore
Inspect
Deploy, if authorized
Plane:
Runtime
```
### 24.7 Tenant Manager
```text
Canonical Role:
Manager
Capabilities:
Configure
Grant
Revoke
Delegate
Archive
Restore
Scope:
Tenant
```
### 24.8 Namespace Manager
```text
Canonical Role:
Manager
Capabilities:
Configure
Grant
Revoke
Bind
Create
EditAny
DeleteAny
Scope:
Namespace
Planes:
Runtime
Configuration
Policy
```
### 24.9 Full Manager / Database Manager
```text
Canonical Role:
Manager
Capabilities:
Configure
Grant
Revoke
Delegate
View
Create
EditAny
DeleteAny
Archive
Restore
Replicate, if authorized
Planes:
Policy
Configuration
Data
```
This is a compound profile and should be treated as high authority.
### 24.10 Cluster Superuser / Cluster Admin
```text
Canonical Roles:
Operator
Manager
sometimes Integrator
Capabilities:
Operate
Configure
Grant
Revoke
Bind
Escalate
Override
Impersonate, if included
View
Create
EditAny
DeleteAny
Restore
Scope:
Cluster
Planes:
Runtime
Execution
Configuration
Policy
Identity
Secret
Audit
```
This is a compound maximum-authority profile and should be treated as exceptional or highly controlled.
---
## 25. Dimension: Exposure Mode
Exposure Mode describes how much information the subject may perceive, derive, retain, extract, or transfer.
Canonical exposure modes:
```text
None
Metadata
Masked
Aggregated
Synthetic
Pseudonymous
Encrypted
Plaintext
SecretMaterial
Exportable
CrossTenantAggregate
```
### 25.1 None
No information is exposed.
### 25.2 Metadata
Only metadata is exposed.
Examples:
```text
Resource name
Timestamp
Status
Size
Owner identifier
Record count
Runtime status
```
### 25.3 Masked
Sensitive values are hidden or redacted.
### 25.4 Aggregated
Information is shown only in aggregated form.
### 25.5 Synthetic
Non-real information is used.
Typical for development, testing, demos, and training.
### 25.6 Pseudonymous
Direct identifiers are replaced with pseudonyms.
### 25.7 Encrypted
Information is stored or transmitted but not intelligible to the subject.
### 25.8 Plaintext
The subject can perceive the real content.
### 25.9 SecretMaterial
The subject can perceive, copy, use, or derive secret material.
Examples:
```text
Passwords
API keys
Private keys
Tokens
Certificates
Session secrets
Recovery material
```
SecretMaterial is separated from ordinary Plaintext because it can create further access beyond the immediate system.
### 25.10 Exportable
The subject can extract, copy, replicate, download, forward, or otherwise remove information from its controlled context.
Exportable is not implied by Plaintext.
### 25.11 CrossTenantAggregate
The subject can see aggregated information across tenants.
This should be separately governed.
Important rules:
```text
Plaintext is not implied by role.
Exportable is not implied by plaintext.
SecretMaterial is not ordinary plaintext.
CrossTenantAggregate is not implied by platform access.
Secret visibility is not implied by runtime visibility.
```
---
## 26. Dimension: Condition
Conditions define when and under what obligations access is valid.
Canonical conditions:
```text
MFARequired
DeviceTrusted
NetworkTrusted
TicketRequired
TenantConsentRequired
CustomerApprovalRequired
DualApprovalRequired
TimeLimited
BusinessHoursOnly
EmergencyOnly
TrainingRequired
ContractRequired
NDARequired
PurposeBound
CaseBound
EnvironmentBound
NamespaceBound
PipelineBound
ChangeWindowBound
Logged
Recorded
NotificationRequired
PostReviewRequired
HumanReviewRequired
PolicyReviewRequired
WorkloadIdentityRequired
```
Example:
```text
Vendor Coach may access Tenant Alpha support case data
only when:
TicketRequired
TenantConsentRequired
TimeLimited
Logged
PurposeBound
```
Conditions are part of effective access.
If required conditions are not satisfied, access is denied.
---
## 27. Dimension: Lifecycle State
Lifecycle State describes why access exists now.
Canonical lifecycle states:
```text
Design
Build
Test
Review
Release
Onboard
Integrate
Migrate
Operate
Support
Improve
Deprecate
Archive
Incident
Legal
Terminate
```
Lifecycle matters because access that is legitimate in one state may become illegitimate in another.
Example:
```text
Consultant Integrator access is valid during Onboard and Integrate.
It does not remain valid during Operate unless explicitly extended.
```
Agentic development compresses lifecycle loops:
```text
Customer feedback
→ issue
→ generated patch
→ test
→ review
→ deployment
→ runtime observation
→ further improvement
```
CARING therefore requires lifecycle-aware access governance.
---
## 28. Dimension: Restriction
Restrictions are overriding policy effects.
They are not normal roles.
Canonical restrictions:
```text
NoAccess
Suspended
Terminated
Quarantined
ScopeExcluded
DataClassRestricted
LegalHold
ExportBlocked
ImpersonationBlocked
CrossTenantBlocked
SecretAccessBlocked
PolicyFrozen
EmergencyLocked
RiskDenied
ExecutionBlocked
WorkloadCreationBlocked
PrivilegeEscalationBlocked
```
### 28.1 Restriction Precedence
Recommended precedence:
```text
1. Tenant boundary
2. Legal hold / quarantine / suspension / termination
3. Explicit deny
4. Data classification restriction
5. Secret restriction
6. Execution restriction
7. Conditional requirements
8. Scoped allow
9. Default deny
```
### 28.2 NoAccess
NoAccess is an explicit deny effect.
It should not be treated as an ordinary role.
### 28.3 Suspended
Subject exists but cannot access until reinstated.
### 28.4 Terminated
Subject is no longer eligible for access.
### 28.5 Quarantined
Access blocked due to risk, incident, malware, abuse, or investigation.
### 28.6 ScopeExcluded
Subject is member of a broader group but explicitly excluded from this scope.
### 28.7 DataClassRestricted
Sensitive class, field, or tag overrides otherwise broad access.
### 28.8 LegalHold
Resource cannot be deleted or altered because of legal or compliance hold.
### 28.9 ExportBlocked
Subject may view but may not export.
### 28.10 SecretAccessBlocked
Subject may operate or configure without access to secret material.
### 28.11 CrossTenantBlocked
Subject may not cross tenant boundaries.
This should generally be structural and non-bypassable.
### 28.12 ExecutionBlocked
Subject may inspect or configure but may not cause execution.
### 28.13 WorkloadCreationBlocked
Subject may not create workloads that could induce broader access.
### 28.14 PrivilegeEscalationBlocked
Subject may not bind, escalate, impersonate, or otherwise expand effective authority.
---
## 29. Dimension: Exposure Event
Exposure Events are controlled exceptions or observed irregularities.
They are not ordinary roles.
Canonical exposure event classes:
```text
X-Support
X-BreakGlass
X-SecurityTest
X-Incident
X-LegalDemand
X-ComplianceAudit
X-Migration
X-Recovery
X-Adversarial
X-Misconfiguration
X-InducedAccess
X-PrivilegeEscalation
```
### 29.1 X-Support
Support case required access to tenant data or environment.
### 29.2 X-BreakGlass
Emergency privileged access to prevent or repair serious harm.
### 29.3 X-SecurityTest
Authorized penetration test, red-team activity, white-hat test, or vulnerability validation.
### 29.4 X-Incident
Security or reliability incident investigation.
### 29.5 X-LegalDemand
Court order, regulator demand, police request, subpoena, statutory duty, or similar legal access demand.
### 29.6 X-ComplianceAudit
Compliance investigation or audit.
### 29.7 X-Migration
Data migration, tenant move, onboarding, export/import, or restructuring.
### 29.8 X-Recovery
Backup restore, disaster recovery, corruption repair, or data reconstruction.
### 29.9 X-Adversarial
Unauthorized or hostile access attempt or confirmed compromise.
### 29.10 X-Misconfiguration
Unexpected exposure caused by configuration error, policy error, implementation error, or misunderstood inheritance.
### 29.11 X-InducedAccess
Unexpected or high-risk access caused indirectly through automation, controllers, workloads, workflows, agents, service accounts, or other mediated execution paths.
### 29.12 X-PrivilegeEscalation
Access expansion caused by policy manipulation, impersonation, binding, escalation, secret exposure, induced workload authority, or other privilege growth.
Each exposure event should record:
```text
event_id
actor
subject
organization_relation
canonical_role
scope
plane
capabilities_used
derived_capabilities
exposure_mode
reason
authority_source
approval
start_time
end_time
resources_accessed
evidence
notification_status
post_review
```
---
# Part II — Structural Rules
---
## 30. Tenant Isolation
Tenant isolation is a structural boundary.
It must not be treated merely as a role, group, namespace, label, or naming convention.
CARING tenant isolation principles:
```text
1. Every protected resource should have a tenant context
or be explicitly classified as platform-global.
2. Every authorization decision involving tenant resources
should include tenant context.
3. A subjects role in Tenant A does not imply the same role in Tenant B.
4. Platform access does not imply tenant data access.
5. Cross-tenant access requires explicit purpose, scope, exposure mode,
authority source, and audit trail.
6. Internal tenant groupings may overlap, but overlap must be resolved
by scope, relationship, attributes, capabilities, and restrictions.
7. Tenant boundary violations should be classified as incidents
or exposure events.8. Technical namespaces may support tenant isolation,
but they are not automatically sufficient tenant boundaries.
```
Example:
```text
A Customer Manager in Tenant Alpha
has no access in Tenant Beta
unless separately assigned.
```
---
## 31. Namespace and Tenant Separation
A namespace is a technical scope. A tenant is a governance and isolation scope.
The two may correspond, but they are not equivalent by default.
CARING analysis SHOULD ask:
```text
Is the namespace intended to represent a tenant?
Can subjects in one namespace affect another namespace?
Can controllers or operators cross namespaces?
Can workloads mount service accounts or secrets that expand authority?
Are network, storage, secrets, identity, and policy boundaries aligned?
Are cluster-scoped resources shared across namespaces?
```
If a namespace is used as a tenant boundary, the analysis must verify whether the effective access model supports that claim.
---
## 32. Agents, Automations, and Services
CARING treats agents, automations, and services as first-class subjects.
For non-human subjects, access must distinguish:
```text
Principal
Effective actor
Delegator
Tool or agent
Policy ceiling
Execution context
Audit identity
```
### 32.1 Agent Access Formula
```text
Effective Agent Access =
Delegated Human/System Authority
∩ Agent Capability Ceiling
∩ Scope Boundary
∩ Exposure Policy
∩ Runtime Conditions
```
Example:
```text
Human Alice is Customer Doer.Editor in Project A.
Agent DraftBot may create drafts but cannot publish or export.
Therefore DraftBot acting for Alice can create drafts in Project A,
but cannot publish, export, or access Project B.
```
### 32.2 Agent Principles
```text
1. No agent receives access merely because it participates in a workflow.
2. Every agent should have an organization relation,
canonical role, scope, plane, capability ceiling,
exposure limit, delegation source, and audit trail.
3. Agent access should be purpose-bound.
4. Agent access should be inspectable.
5. Agent access should not silently inherit all human capabilities.
6. Agent access should not silently cross tenant boundaries.
7. Agent output that changes system state should be attributable.
```
---
## 33. Direct, Delegated, Mediated, and Induced Access
CARING distinguishes access by execution path.
### 33.1 Direct Access
The subject acts directly.
Example:
```text
A user opens a document.
```
### 33.2 Delegated Access
The subject delegates authority to another subject.
Example:
```text
A user authorizes an agent to draft a reply.
```
### 33.3 Mediated Access
The subjects action is mediated by a system component that performs work on the subjects behalf.
Example:
```text
A workflow engine creates a task after a user submits a form.
```
### 33.4 Induced Access
The subject triggers a privileged component whose actual authority exceeds the subjects direct authority.
Example:
```text
A user creates a custom resource.
A privileged controller reacts and modifies infrastructure elsewhere.
```
Another example:
```text
A user can create a workload.
The workload runs under a service account.
The service account can read secrets.
The user may thereby induce secret access.
```
Induced access is especially important for agentic systems, workflow engines, Kubernetes operators, integration platforms, CI/CD systems, and automation frameworks.
### 33.5 Analysis Requirement
CARING analysis MUST consider whether a granted capability induces additional effective capabilities through controllers, agents, workflows, service accounts, admission hooks, pipelines, plugins, runtime execution, or other mediated mechanisms.
---
## 34. Local Roles, Capability Profiles, and Titles
CARING distinguishes:
```text
Canonical Role
Capability Profile
Local Role
Local Title
Group
Native Policy Object
```
### 34.1 Canonical Role
Lifecycle responsibility posture.
Example:
```text
Builder
Operator
Manager
Doer
```
### 34.2 Capability Profile
A named bundle of capabilities.
Example:
```text
Reader
Editor
RuntimeOperator
DatabaseManager
ClusterAdmin
```
### 34.3 Local Role
An application-specific or system-specific role.
Example:
```text
[Approver]
FinanceReviewer
ProjectLead
NamespaceAdmin
```
### 34.4 Local Title
Human-readable organizational title.
Example:
```text
Senior Developer
Department Admin
Support Engineer Level 2
Regional Sales Analyst
```
### 34.5 Group
A collection of subjects.
Groups may be used for assignment, but group membership should not be confused with canonical role semantics.
### 34.6 Native Policy Object
A system-native object that expresses permissions.
Examples:
```text
Kubernetes Role
AWS IAM policy
Azure role assignment
Database grant
Unix sudo rule
```
Native policy objects should be mapped to CARING dimensions according to their actual semantics.
---
# Part III — Normative Requirements
---
## 35. Normative Statements
### CRS-001: Orthogonality
CARING-compliant access models MUST distinguish organization relation, canonical role, scope, plane, capability, exposure mode, condition, lifecycle state, restriction, and exposure event.
### CRS-002: Role limitation
CARING implementations SHOULD map local roles to the canonical roles:
```text
Creator
Builder
Verifier
Maintainer
Integrator
Operator
Manager
Coach
Doer
```
### CRS-003: Native role analysis
A native construct named `role` MUST NOT be assumed to map directly to a CARING Canonical Role. It may represent a capability profile, local title, group, policy object, rule bundle, or access assignment.
### CRS-004: Scope binding
No role assignment is complete without an explicit scope.
### CRS-005: Plane binding
No role assignment is complete without identifying the plane or planes on which it applies.
### CRS-006: Capability binding
Roles MUST NOT imply unlimited capabilities. Effective permissions MUST be expressed as capabilities within scope.
### CRS-007: Tenant isolation
Tenant isolation MUST be enforced as a structural boundary and MUST NOT depend solely on role naming, group membership, namespace naming, labels, or convention.
### CRS-008: Exposure separation
Plaintext visibility, secret-material visibility, export ability, impersonation, and cross-tenant aggregation MUST be separately controlled capabilities or exposure modes.
### CRS-009: Operator separation
Operator access MUST NOT imply ordinary business data access.
### CRS-010: Builder separation
Builder access MUST NOT imply production data access unless explicitly granted through a governed exposure event.
### CRS-011: Integrator expiry
Integrator access SHOULD be time-limited and SHOULD expire after onboarding, migration, or handover unless explicitly extended.
### CRS-012: Coach delegation
Coach access to tenant data SHOULD be case-bound, purpose-bound, delegated, time-limited, and auditable.
### CRS-013: Manager boundary
Manager access MUST be bounded by scope and MUST distinguish configuration authority from runtime operation and product modification.
### CRS-014: Agent ceiling
Automated and agentic subjects MUST have explicit capability ceilings independent of the delegating user.
### CRS-015: Exposure events
Exceptional access MUST be recorded as an exposure event with actor, reason, authority source, scope, plane, exposure mode, derived capabilities where relevant, and post-event review.
### CRS-016: Default deny
Access not explicitly granted within the relevant scope, plane, capability, condition, and lifecycle context MUST be denied by default.
### CRS-017: Restriction precedence
Restrictions MUST be evaluated before scoped allow grants.
### CRS-018: NoAccess semantics
NoAccess MUST be treated as a restriction or deny effect, not as an ordinary role.
### CRS-019: Export separation
Export, replicate, copy, bulk download, and external sharing capabilities MUST be distinguished from ordinary view access.
### CRS-020: Secret separation
Secret Plane access MUST be explicitly modeled and MUST NOT be inferred from Runtime Plane, Configuration Plane, or workload access.
### CRS-021: Policy-plane sensitivity
Capabilities that grant, revoke, bind, escalate, impersonate, or override permissions MUST be modeled as Policy Plane access.
### CRS-022: Execution-plane sensitivity
Capabilities that execute code, run workflows, launch jobs, create workloads, or invoke agents MUST be modeled as Execution Plane access where relevant.
### CRS-023: Lifecycle review
Access SHOULD be reviewed when lifecycle state changes.
Examples:
```text
Onboard → Operate
Support → Closed
Build → Release
Incident → PostReview
Employee Active → Terminated
```
### CRS-024: Descriptive completeness
A CARING analysis SHOULD attempt to reconstruct effective access, not merely declared access.
### CRS-025: Derived capability analysis
CARING analysis SHOULD identify derived capabilities where direct grants produce additional effective authority.
### CRS-026: Induced access analysis
CARING analysis SHOULD identify mediated and induced access effects caused by agents, controllers, workflows, automations, integrations, service accounts, plugins, or privileged services.
### CRS-027: Namespace caution
A namespace SHOULD NOT be assumed to be a tenant boundary unless the wider effective access model supports that interpretation.
---
# Part IV — Analysis Process
---
## 36. CARING Analysis Fitness Test
Given an access-control implementation, CARING passes the analysis test if:
```text
1. Every declared access grant can be represented
as a CARING access descriptor.
2. Every effective access grant can be represented
as a CARING access descriptor.
3. Every effective deny or restriction can be represented
as a CARING restriction or condition.
4. Every exceptional or irregular access path can be represented
as an exposure event.
5. The mapping preserves effective access semantics sufficiently
for governance analysis.
6. Any semantic loss is explicitly identifiable as either:
a) implementation-specific detail below CARING abstraction level, or
b) a genuine gap in CARING.
7. The mapping reveals bundled, ambiguous, risky,
underspecified, induced, or restrictive access decisions.
```
---
## 37. CARING Analysis Procedure
### Step 1: Identify Subjects
Questions:
```text
Who or what can act?
Are subjects human, service, automation, agent, group, anonymous, or unknown?
Are service accounts and agents visible as first-class subjects?
```
### Step 2: Identify Organization Relations
Questions:
```text
Under whose authority does the subject act?
Vendor?
ServiceProvider?
Distributor?
Consultant?
Customer?
Community?
Authority?
Unknown?
```
### Step 3: Map Native Roles and Policy Objects
Questions:
```text
Is the native role a canonical role, capability profile,
local title, group, policy object, or access assignment?
```
### Step 4: Map to Canonical Roles
Questions:
```text
Is this subject creating, building, verifying, maintaining,
integrating, operating, managing, coaching, or doing?
```
### Step 5: Identify Scope
Questions:
```text
Where does the access apply?
Platform?
Cluster?
Environment?
Tenant?
Namespace?
Workspace?
Project?
Process?
Dataset?
Resource?
Subresource?
Record?
Field?
Action?
```
### Step 6: Identify Plane
Questions:
```text
What kind of thing is accessed?
Intent?
Build?
Runtime?
Execution?
Configuration?
Data?
Identity?
Policy?
Secret?
Audit?
Commercial?
Community?
```
### Step 7: Extract Declared Capabilities
Questions:
```text
What does the native policy explicitly allow?
View?
Create?
Edit?
Delete?
Execute?
Configure?
Grant?
Export?
Impersonate?
Deploy?
Restore?
Override?
```
### Step 8: Extract Derived Capabilities
Questions:
```text
What does the declared capability make possible indirectly?
Can execution expose data?
Can workload creation expose secrets?
Can policy editing create privilege escalation?
Can configuration trigger privileged automation?
```
### Step 9: Determine Exposure Mode
Questions:
```text
What information becomes visible?
None?
Metadata?
Masked?
Aggregated?
Synthetic?
Pseudonymous?
Encrypted?
Plaintext?
SecretMaterial?
Exportable?
Cross-tenant aggregate?
```
### Step 10: Identify Conditions
Questions:
```text
When is access valid?
MFA?
Ticket?
Consent?
Time limit?
Dual approval?
Case binding?
Purpose binding?
Logging?
Post-review?
Pipeline binding?
Workload identity?
```
### Step 11: Identify Lifecycle State
Questions:
```text
Why does this access exist now?
Design?
Build?
Test?
Onboard?
Operate?
Support?
Incident?
Legal?
Terminate?
```
### Step 12: Identify Restrictions
Questions:
```text
What overrides access?
NoAccess?
Suspension?
Quarantine?
Legal hold?
Data classification?
Export block?
Secret access block?
Execution block?
Cross-tenant block?
Privilege-escalation block?
```
### Step 13: Identify Execution Paths
Questions:
```text
Is access direct?
Delegated?
Mediated?
Induced?
Can a subject cause another subject to act?
Can a low-privilege subject trigger a high-privilege component?
```
### Step 14: Identify Exposure Events
Questions:
```text
Are there break-glass paths?
Support access?
Legal access?
Migration access?
Security testing?
Incidents?
Misconfiguration?
Adversarial access?
Induced access?
Privilege escalation?
```
### Step 15: Identify Bundling and Gaps
Questions:
```text
Which local roles bundle multiple CARING dimensions?
Where does runtime access imply data access?
Where does view imply export?
Where does configuration imply policy?
Where does execution imply secret access?
Where does tenant access leak across boundaries?
Where does lifecycle access fail to expire?
Where do declared and effective access differ?
```
---
## 38. CARING Redesign Procedure
When redesigning an access-control model:
```text
1. Preserve legitimate practical intent.
2. Decompose bundled roles into CARING dimensions.
3. Separate canonical role from capability profile.
4. Make scope explicit.
5. Make plane explicit.
6. Make exposure mode explicit.
7. Separate operator access from data access.
8. Separate builder access from production data access.
9. Separate manager access from runtime operation.
10. Separate view from export.
11. Separate plaintext from secret material.
12. Separate declared access from effective access.
13. Add lifecycle expiry where needed.
14. Add exposure-event workflows for exceptions.
15. Add agent and service-account capability ceilings.
16. Add tenant-boundary enforcement.
17. Add induced-access analysis.
18. Review resulting model for usability.
```
---
# Part V — Reference Matrices
---
## 39. Canonical Role Matrix
| Role | Core question | Lifecycle center | Default plane |
|---|---|---|---|
| **Creator** | Why should this exist? | Intent | Intent |
| **Builder** | How is it made or changed? | Build | Build |
| **Verifier** | Is it correct, safe, and fit? | Review | Audit / Build / Data |
| **Maintainer** | How does it remain coherent over time? | Improve / Release | Build / Community / Intent |
| **Integrator** | How is it brought into this environment? | Onboard / Migrate | Configuration / Identity / Runtime |
| **Operator** | How is it kept running? | Operate / Incident | Runtime |
| **Manager** | How is this bounded scope governed and configured? | Configure / Govern | Configuration / Policy / Data |
| **Coach** | How are others helped to use it well? | Support / Adoption | Data / Community / Commercial |
| **Doer** | What work is performed with it? | Use | Data / Execution |
---
## 40. Organization Relation × Role Examples
| Organization Relation | Example role combinations |
|---|---|
| Vendor | Vendor Creator, Vendor Builder, Vendor Maintainer, Vendor Operator, Vendor Coach |
| ServiceProvider | ServiceProvider Operator, ServiceProvider Integrator, ServiceProvider Manager |
| Distributor | Distributor Coach, Distributor Integrator, Distributor Manager |
| Consultant | Consultant Integrator, Consultant Builder, Consultant Coach, Consultant Manager |
| Customer | Customer Manager, Customer Doer, Customer Operator, Customer Verifier |
| Community | Community Builder, Community Maintainer, Community Coach, Community Verifier |
| Authority | Authority Verifier, Authority LegalDemand |
| Unknown | Unknown Actor, Unknown Adversarial Subject |
---
## 41. Capability Profile Mapping Examples
| Capability Profile | Canonical Role | Main Capabilities | Main Plane |
|---|---|---|---|
| Reader | Doer | View | Data |
| Contributor / Author | Doer | View, Create, EditOwn/EditAssigned | Data |
| Editor | Doer | View, Create, EditAny | Data |
| Depositor / Submitter | Doer | Submit/Create without View | Data |
| Designer | Builder | Create/Edit design, Configure | Build / Configuration |
| RuntimeOperator | Operator | Operate, Inspect, Restore | Runtime |
| TenantManager | Manager | Configure, Grant, Revoke, Delegate | Configuration / Policy |
| NamespaceManager | Manager | Configure, Create, EditAny, Grant/Bind | Runtime / Configuration / Policy |
| SupportAgent | Coach | View/Comment/Guide under case conditions | Data / Configuration |
| QAReviewer | Verifier | Review, Inspect, Audit | Build / Audit |
| ReleaseMaintainer | Maintainer | Review, Approve, Publish | Build / Community |
| ClusterAdmin | Operator + Manager | Operate, Configure, Grant, Override | Runtime / Policy / Secret |
---
## 42. Native System Mapping Summary
| Native system concept | CARING interpretation |
|---|---|
| Lotus/Domino Manager | Compound Manager capability profile |
| Lotus/Domino Designer | Builder capability profile |
| Lotus/Domino Reader/Author/Editor | Doer capability profiles |
| Lotus/Domino NoAccess | Restriction |
| Lotus/Domino Readers/Authors fields | Record-level scope and relationship condition |
| Kubernetes Role | Capability profile / native policy object |
| Kubernetes ClusterRole | Cluster-scoped or reusable capability profile |
| Kubernetes RoleBinding | Access assignment |
| Kubernetes ClusterRoleBinding | Cluster-scoped access assignment |
| Kubernetes ServiceAccount | Service / automation subject |
| Kubernetes verb | Capability |
| Kubernetes resource | Scope + Plane |
| Kubernetes namespace | Namespace scope; possible but not automatic tenant boundary |
| Kubernetes secret access | Secret Plane + SecretMaterial exposure |
| Kubernetes workload creation | Execution Plane + possible derived capabilities |
---
# Part VI — Examples
---
## 43. Vendor Builder
```text
Subject:
Human or Agent
Organization Relation:
Vendor
Canonical Role:
Builder
Scope:
Product / Module / Repository / Branch / Issue
Plane:
Build
Capabilities:
Create
EditOwn
EditAny
Submit
Review
Exposure Mode:
Source context
Issue context
Synthetic or masked data
Conditions:
Code review
CI checks
Signed commits
No production secrets
Lifecycle State:
Build / Improve
```
---
## 44. Community Maintainer
```text
Subject:
Human
Organization Relation:
Community
Canonical Role:
Maintainer
Scope:
Open-source module
Plane:
Build / Community
Capabilities:
Review
Approve
Publish
Exposure Mode:
Public
Metadata
Conditions:
Maintainer policy
Contribution rules
Review process
Lifecycle State:
Improve / Release
```
---
## 45. Consultant Integrator
```text
Subject:
Human or Service
Organization Relation:
Consultant
Canonical Role:
Integrator
Scope:
Customer Tenant / Integration Project
Plane:
Configuration / Identity / Runtime
Capabilities:
Configure
Integrate
Import
Test
Exposure Mode:
Masked by default
Plaintext only by approval
Conditions:
Tenant consent
Ticket
Time limit
Audit
Lifecycle State:
Onboard / Integrate / Migrate
```
---
## 46. ServiceProvider Operator
```text
Subject:
Human, Service, Automation, or Agent
Organization Relation:
ServiceProvider
Canonical Role:
Operator
Scope:
Production Environment
Plane:
Runtime
Capabilities:
Operate
Deploy
Restore
Inspect
Exposure Mode:
Metadata
Masked logs
Conditions:
MFA
Ticket
Privileged access control
Logging
Lifecycle State:
Operate / Incident
```
---
## 47. Customer Manager
```text
Subject:
Human
Organization Relation:
Customer
Canonical Role:
Manager
Scope:
Tenant / Workspace
Plane:
Configuration / Policy / Data
Capabilities:
Configure
Grant
Revoke
Delegate
Archive
Exposure Mode:
Plaintext within tenant policy
Conditions:
Tenant governance rules
Lifecycle State:
Configure / Operate / Improve
```
---
## 48. Customer Doer as Depositor
```text
Subject:
Human, Anonymous, or External Actor
Organization Relation:
Customer / Community / Unknown
Canonical Role:
Doer
Capability Profile:
Depositor / Submitter
Scope:
Submission Process
Plane:
Data
Capabilities:
Submit
Exposure Mode:
None after submission
Conditions:
Purpose-bound
Form validation
Lifecycle State:
Use
```
---
## 49. Vendor Coach
```text
Subject:
Human or Agent
Organization Relation:
Vendor
Canonical Role:
Coach
Scope:
Customer Support Case
Plane:
Data / Configuration
Capabilities:
View
Comment
Guide
Configure, if delegated
Exposure Mode:
Masked or tenant-approved Plaintext
Conditions:
Ticket
Tenant consent
Time limit
Audit
Lifecycle State:
Support
```
---
## 50. AI Coding Agent
```text
Subject:
Agent
Organization Relation:
Vendor / Community / Customer
Canonical Role:
Builder
Scope:
Repository / Branch / Issue
Plane:
Build
Capabilities:
Create
EditOwn
Submit
Exposure Mode:
Source context
Issue context
Test output
Conditions:
No secret access
No production deploy
Human or policy review
Lifecycle State:
Build / Improve
```
---
## 51. AI Support Agent
```text
Subject:
Agent
Organization Relation:
Vendor
Canonical Role:
Coach
Scope:
Support Case
Plane:
Data / Configuration
Capabilities:
View
Comment
Recommend
Exposure Mode:
Masked by default
Conditions:
Case-bound
Tenant policy
Logged
No autonomous export
Lifecycle State:
Support
```
---
## 52. Break-Glass Operator Access
```text
Subject:
Human
Organization Relation:
ServiceProvider
Canonical Role:
Operator
Exposure Event:
X-BreakGlass
Scope:
Tenant Alpha / Affected Runtime Resource Set
Plane:
Runtime / Data if unavoidable / Secret if unavoidable
Capabilities:
Operate
Restore
Inspect
Limited View if required
Exposure Mode:
Metadata by default
Plaintext only if necessary and recorded
SecretMaterial only if necessary and recorded
Conditions:
EmergencyOnly
TicketRequired
DualApprovalRequired where feasible
TimeLimited
Logged
Recorded
PostReviewRequired
NotificationRequired unless prohibited
Lifecycle State:
Incident
```
---
## 53. Kubernetes Namespace Pod Reader
```text
Subject:
User or ServiceAccount bound by RoleBinding
Organization Relation:
Customer / ServiceProvider / Vendor depending on identity source
Canonical Role:
Verifier or Operator
Capability Profile:
PodReader
Scope:
Namespace
Resource: pods
Plane:
Runtime
Capabilities:
View
ViewCollection
Observe
Exposure Mode:
Metadata + runtime object details
Conditions:
Kubernetes authentication
RoleBinding active
Lifecycle State:
Operate / Verify
```
---
## 54. Kubernetes CI/CD Deployer
```text
Subject:
ServiceAccount ci/deployer
Subject Type:
Service / Automation
Organization Relation:
Vendor or Customer
Canonical Role:
Builder or Operator
Capability Profile:
DeploymentDeployer
Scope:
Environment: staging
Namespace: staging
Resource: deployments
Plane:
Runtime / Build / Execution
Capabilities:
Deploy
Create
EditAny
Exposure Mode:
Runtime metadata
Possibly configuration plaintext
Conditions:
PipelineBound
EnvironmentBound
Logged
No production scope unless separately assigned
Lifecycle State:
Release / Build / Test
```
---
## 55. Kubernetes Workload Creator with Induced Access
```text
Subject:
Human or ServiceAccount
Organization Relation:
Customer / ServiceProvider / Vendor
Canonical Role:
Builder / Operator / Doer depending on purpose
Scope:
Namespace app-a
Plane:
Runtime / Execution
Declared Capability:
Create workload
Derived Capabilities:
Execute code
Use mounted ServiceAccount
Potentially access Secrets, ConfigMaps, volumes
Exposure Mode:
Potentially SecretMaterial / Plaintext / Runtime metadata
Access Path:
Induced Access
Finding:
Declared namespace-scoped runtime permission may result in
broader effective authority than expected.
```
---
# Part VII — Maturity and Evolution
---
## 56. Standard Maturity Levels
CARING may evolve through maturity levels.
### Level 0 — Draft Vocabulary
Initial terms, examples, and conceptual distinctions.
### Level 1 — Release Candidate
Stable enough to analyze real systems and collect feedback.
### Level 2 — Mapping Standard
Includes tested mappings to major control implementations.
Examples:
```text
Lotus/Domino ACL
Kubernetes RBAC
Git hosting permissions
Cloud IAM
Database grants
Enterprise IAM systems
Document management systems
```
### Level 3 — Design Standard
Includes prescriptive design profiles, templates, and governance patterns.
### Level 4 — Verification Standard
Includes test cases, conformance checks, policy linting, and machine-readable schemas.
### Level 5 — Operational Standard
Includes lifecycle review automation, exposure-event workflows, agent policy ceilings, service-account governance, induced-access analysis, and continuous access governance.
---
## 57. Standard Refinement Process
CARING should evolve through concrete analysis challenges.
For each analyzed system:
```text
1. Select access-control implementation.
2. Describe system-native access model.
3. Map native constructs to CARING dimensions.
4. Identify successful mappings.
5. Identify ambiguous mappings.
6. Identify missing CARING concepts, if any.
7. Identify implementation shortcomings exposed by CARING.
8. Identify CARING terminology refinements.
9. Update standard or mapping guide.
10. Add findings to benchmark corpus.
```
A proposed refinement should be accepted only if:
```text
1. It cannot be modeled cleanly with existing dimensions.
2. It appears in more than one access-control context,
or is fundamental enough to justify inclusion.
3. It improves analytical clarity without causing role explosion.
4. It preserves orthogonality.
5. It avoids overfitting to one implementation.
```
---
## 58. Candidate Analysis Benchmarks
Initial benchmark candidates:
```text
1. Lotus/Domino ACL
2. Kubernetes RBAC
3. GitHub / GitLab repository access
4. AWS IAM
5. Azure RBAC / Entra ID
6. PostgreSQL roles and grants
7. SharePoint / Microsoft 365 permissions
8. Jira / Confluence permissions
9. Salesforce profiles, permission sets, and sharing rules
10. Keycloak realm/client/resource permissions
11. Linux users/groups/sudo
12. CI/CD platform permissions
13. Support desk access models
14. Data warehouse access models
15. Agentic workflow platform permissions
```
Each benchmark should test different stresses:
```text
Document-level access
Infrastructure access
Tenant isolation
Field-level access
Secrets
Service accounts
Agentic delegation
Community contribution
Legal exposure
Runtime operation
Commercial entitlement
Cross-tenant analytics
Induced access
Policy-plane escalation
```
---
# Part VIII — Glossary
---
## 59. Access Assignment
A declared or effective grant of access to a subject.
## 60. Access Descriptor
A CARING representation of access using core dimensions.
## 61. Capability
An action the subject may perform.
## 62. Capability Profile
A named bundle of capabilities.
## 63. Canonical Role
A lifecycle responsibility posture defined by CARING.
## 64. Condition
A requirement that must be satisfied for access to be valid.
## 65. Declared Access
Access explicitly represented by the native access-control system.
## 66. Derived Capability
A capability that is not directly granted as a named permission, but becomes available as a consequence of another permission.
## 67. Direct Access
Access where the subject acts directly.
## 68. Delegated Access
Access where one subject delegates authority to another subject.
## 69. Effective Access
Access that can actually be achieved through direct, delegated, mediated, derived, or induced execution paths.
## 70. Exposure Event
A controlled exception or observed irregularity involving information access.
## 71. Exposure Mode
The degree and form in which information becomes visible, extractable, or usable.
## 72. Induced Access
Access caused when a subject triggers a component whose actual authority exceeds the subjects direct authority.
## 73. Lifecycle State
The current reason or phase for which access exists.
## 74. Local Role
An application-specific role name not necessarily identical to a CARING canonical role.
## 75. Mediated Access
Access where a system component acts on behalf of or in response to a subject.
## 76. Native Policy Object
A system-native construct that expresses permissions, such as a Kubernetes Role, IAM policy, database grant, or ACL entry.
## 77. Organization Relation
The structural relationship of a subject to the product, platform, tenant, or governance context.
## 78. Plane
The kind of system layer or access surface being accessed.
## 79. Restriction
An overriding deny, block, quarantine, or limiting policy effect.
## 80. Scope
The boundary within which access applies.
## 81. SecretMaterial
Credentials, keys, tokens, certificates, or other secret values that can enable further access.
## 82. Subject
The entity to which access is assigned or attributed.
## 83. Tenant
A structurally isolated customer, organization, business unit, or operating context.
---
# 84. Compact Definition
> **CARING is a canonical access-control vocabulary for information products and runtime platforms. It defines a small set of lifecycle roles and combines them orthogonally with subject type, organization relation, scope, plane, capability, exposure mode, conditions, lifecycle state, restrictions, and exposure events. It distinguishes declared access from effective access and requires analysis of derived and induced capabilities. This allows vendors, service providers, consultants, customers, communities, humans, services, automations, and agents to collaborate safely across the full product lifecycle without collapsing access governance into unmanageable local role sprawl.**
---
# 85. Core Mental Model
```text
Role describes lifecycle responsibility.
Organization Relation says under whose authority the subject acts.
Scope says where the access applies.
Plane says what layer is accessed.
Capability says what action is possible.
Exposure says what information becomes visible or extractable.
Condition says when access is valid.
Lifecycle State says why access exists now.
Restriction says what overrides access.
Exposure Event says when access becomes exceptional or irregular.
Declared Access says what the native policy states.
Effective Access says what can actually be achieved.
Derived Capability says what becomes possible as a consequence.
Induced Access says what privileged behavior can be triggered indirectly.
```
This is the core of CARING 0.4.0-RC2.
Reference in New Issue View Git Blame Copy Permalink