Files
identity-canon/research/authorization-relationships/cedar-principal-action-resource-context.md
tegwick 1c1b5c9bc6 Complete IDENTITY-WP-0003 corpus backfill and model refinement
Backfill all 23 research source notes with terminology extracts, modeling
assumptions, conflicts, canonical mappings, and references. Refresh terminology
artifacts, refine the conceptual model with explicit scenario paths, reconcile
canon surfaces and open questions, and mark the workplan finished.
2026-06-21 20:22:20 +02:00

114 lines
4.7 KiB
Markdown

# Cedar Principal Action Resource Context
## Source Type
Standard and product reference. Cedar policy language (AWS Verified Permissions)
with principal-action-resource-context evaluation model.
## Domain
Fine-grained authorization, policy-based access control, and ABAC/RBAC
hybrid evaluation.
## Why This Source Matters
Cedar's principal-action-resource-context distinction preserves orthogonality
between identity, action, resource, and request context.
## Key Concepts
- **Principal**: entity requesting access; typed entity reference (`User::"alice"`,
`Role::"admin"`).
- **Action**: operation being attempted (`Action::"view"`, `Action::"delete"`).
- **Resource**: entity being accessed (`Document::"report"`).
- **Context**: request-time record with additional attributes (IP, time,
delegated-by).
- **Policy**: Cedar statement allowing or forbidding `(principal, action, resource)`
under conditions.
- **Entity**: typed object in entity store with attributes and parents.
- **Schema**: defines entity types, actions, and attribute shapes.
- **Group / Role entity**: principal may be member of groups; roles as entities.
- **Authorization request**: tuple of principal, action, resource, context
evaluated against policies.
- **Conditional policies**: when-clauses over context and entity attributes.
## Relevant Terminology
| Term | Source meaning |
| --- | --- |
| Principal | Entity requesting access in authorization decision. |
| Action | Verb/operation being authorized. |
| Resource | Target entity of the action. |
| Context | Ephemeral request attributes. |
| Entity | Typed node in entity store with UID and attributes. |
| Policy | Rule governing allow/deny. |
| Schema | Type system for entities and actions. |
| Role | Entity type principals can assume or belong to. |
| Group | Entity type with membership edges. |
| UID | Unique entity identifier string (`Type::"id"`). |
## Modeling Assumptions
- **Authorization is a decision over four orthogonal dimensions** (PARTICIPANT,
ACTION, TARGET, CONTEXT).
- **Principals are entity references**, not full identity records.
- **Entity store is separate** from identity directory; may sync from IAM.
- **Roles and groups are entities**, not free-floating strings.
- **Context carries delegation and environmental facts** at decision time.
- **Policies are declarative** and evaluated without imperative code.
- **No social or legal relationship model** beyond entity parent/group links.
## Identity-Canon Implications
- Cedar **Principal** maps to **Authorization Principal** projection.
- **Resource** maps to **Authorization Resource** projection.
- **Action** maps to **Authorization Action** projection.
- **Context** maps to request **Context** projection (may carry Delegation
evidence).
- **Entity** in store may represent Account, Group, Role, or Organization
projection — not canonical Actor directly.
- Parent/group entity links parallel **Membership** in authz layer.
- Context `delegatedBy` or custom attributes support S11 (AI agent delegation).
- Strong evidence for **P6** and **P2** (principal ≠ actor ≠ account).
## Terminology Conflicts
- **Principal vs. Actor**: Cedar principal is decision participant; actor is
conceptual entity.
- **Principal vs. Subject**: OIDC subject is identifier; Cedar principal is
typed entity UID.
- **Role**: Cedar Role entity vs. IAM role vs. social role.
- **Group**: Cedar group entity vs. LDAP group vs. community.
- **Entity**: Cedar entity vs. canon Entity family (actor layer).
## Candidate Canonical Mappings
| Cedar concept | Candidate canonical concept |
| --- | --- |
| Principal | Authorization Principal |
| Resource | Authorization Resource |
| Action | Authorization Action |
| Context | Request context projection |
| Entity (User) | Authorization Principal (Account projection) |
| Entity (Group) | Group (authz projection) |
| Entity (Role) | Role (authorization projection) |
| Policy | Authorization Policy (downstream artifact) |
| Schema | Authorization schema (downstream) |
| parent relation | Membership/inheritance (authz projection) |
| Context.delegatedBy | Delegation Relationship (context reference) |
## Open Questions
- Should canon define a minimal Context projection schema for delegation and
assurance attributes?
- How should Cedar User entities map to Account vs. Service Account vs.
Artificial Agent?
- Are Cedar Role entities always authorization projections, or can they mirror
canonical Role relationships?
- Should entity UID format be standardized in downstream recommendations?
## References
- Cedar policy language — https://www.cedarpolicy.com/
- Cedar schema format — https://www.cedarpolicy.com/policies/syntax-schema.html
- AWS Verified Permissions — https://docs.aws.amazon.com/verifiedpermissions/