Complete IDENTITY-WP-0003 corpus backfill and model refinement

Backfill all 23 research source notes with terminology extracts, modeling
assumptions, conflicts, canonical mappings, and references. Refresh terminology
artifacts, refine the conceptual model with explicit scenario paths, reconcile
canon surfaces and open questions, and mark the workplan finished.
This commit is contained in:
2026-06-21 20:22:20 +02:00
parent 790a2f2041
commit 1c1b5c9bc6
32 changed files with 2676 additions and 623 deletions

View File

@@ -2,49 +2,113 @@
## Source Type
TODO: Identify whether this is a standard, specification, product documentation, academic concept, architecture pattern, or implementation reference.
Standard and product reference. Cedar policy language (AWS Verified Permissions)
with principal-action-resource-context evaluation model.
## Domain
TODO: Classify the source domain.
Fine-grained authorization, policy-based access control, and ABAC/RBAC
hybrid evaluation.
## Why This Source Matters
Cedar principal-action-resource-context model and policy terminology.
Cedar's principal-action-resource-context distinction preserves orthogonality
between identity, action, resource, and request context.
## Key Concepts
TODO:
- concept 1
- concept 2
- concept 3
- **Principal**: entity requesting access; typed entity reference (`User::"alice"`,
`Role::"admin"`).
- **Action**: operation being attempted (`Action::"view"`, `Action::"delete"`).
- **Resource**: entity being accessed (`Document::"report"`).
- **Context**: request-time record with additional attributes (IP, time,
delegated-by).
- **Policy**: Cedar statement allowing or forbidding `(principal, action, resource)`
under conditions.
- **Entity**: typed object in entity store with attributes and parents.
- **Schema**: defines entity types, actions, and attribute shapes.
- **Group / Role entity**: principal may be member of groups; roles as entities.
- **Authorization request**: tuple of principal, action, resource, context
evaluated against policies.
- **Conditional policies**: when-clauses over context and entity attributes.
## Relevant Terminology
TODO: Extract terms used by the source and note their source-specific meaning.
| Term | Source meaning |
| --- | --- |
| Principal | Entity requesting access in authorization decision. |
| Action | Verb/operation being authorized. |
| Resource | Target entity of the action. |
| Context | Ephemeral request attributes. |
| Entity | Typed node in entity store with UID and attributes. |
| Policy | Rule governing allow/deny. |
| Schema | Type system for entities and actions. |
| Role | Entity type principals can assume or belong to. |
| Group | Entity type with membership edges. |
| UID | Unique entity identifier string (`Type::"id"`). |
## Modeling Assumptions
TODO: Capture assumptions made by the source about users, accounts, organizations, tenants, groups, roles, identities, relationships, or credentials.
- **Authorization is a decision over four orthogonal dimensions** (PARTICIPANT,
ACTION, TARGET, CONTEXT).
- **Principals are entity references**, not full identity records.
- **Entity store is separate** from identity directory; may sync from IAM.
- **Roles and groups are entities**, not free-floating strings.
- **Context carries delegation and environmental facts** at decision time.
- **Policies are declarative** and evaluated without imperative code.
- **No social or legal relationship model** beyond entity parent/group links.
## Identity-Canon Implications
TODO: Explain what this source suggests for the canonical identity model.
- Cedar **Principal** maps to **Authorization Principal** projection.
- **Resource** maps to **Authorization Resource** projection.
- **Action** maps to **Authorization Action** projection.
- **Context** maps to request **Context** projection (may carry Delegation
evidence).
- **Entity** in store may represent Account, Group, Role, or Organization
projection — not canonical Actor directly.
- Parent/group entity links parallel **Membership** in authz layer.
- Context `delegatedBy` or custom attributes support S11 (AI agent delegation).
- Strong evidence for **P6** and **P2** (principal ≠ actor ≠ account).
## Terminology Conflicts
TODO: Record where this source uses terms differently from other sources.
- **Principal vs. Actor**: Cedar principal is decision participant; actor is
conceptual entity.
- **Principal vs. Subject**: OIDC subject is identifier; Cedar principal is
typed entity UID.
- **Role**: Cedar Role entity vs. IAM role vs. social role.
- **Group**: Cedar group entity vs. LDAP group vs. community.
- **Entity**: Cedar entity vs. canon Entity family (actor layer).
## Candidate Canonical Mappings
TODO: Map source-specific concepts to identity-canon candidate concepts.
| Cedar concept | Candidate canonical concept |
| --- | --- |
| Principal | Authorization Principal |
| Resource | Authorization Resource |
| Action | Authorization Action |
| Context | Request context projection |
| Entity (User) | Authorization Principal (Account projection) |
| Entity (Group) | Group (authz projection) |
| Entity (Role) | Role (authorization projection) |
| Policy | Authorization Policy (downstream artifact) |
| Schema | Authorization schema (downstream) |
| parent relation | Membership/inheritance (authz projection) |
| Context.delegatedBy | Delegation Relationship (context reference) |
## Open Questions
TODO:
- Question 1
- Question 2
- Should canon define a minimal Context projection schema for delegation and
assurance attributes?
- How should Cedar User entities map to Account vs. Service Account vs.
Artificial Agent?
- Are Cedar Role entities always authorization projections, or can they mirror
canonical Role relationships?
- Should entity UID format be standardized in downstream recommendations?
## References
TODO: Add canonical URLs, RFC/spec identifiers, documentation links, and citation notes.
- Cedar policy language — https://www.cedarpolicy.com/
- Cedar schema format — https://www.cedarpolicy.com/policies/syntax-schema.html
- AWS Verified Permissions — https://docs.aws.amazon.com/verifiedpermissions/