id: evaluation/user-engine/small-saas-alignment
title: User Engine Small SaaS Alignment Lens
status: candidate
consumer: user-engine
evaluation_pack: evaluation/user-engine
profile: profile/small-saas
alignment_goal: Use small-saas as the concrete tenant-aware SaaS lens for user-management evaluation.
profile_requirements:
  - required_concept: tenant
    small_saas_artifacts:
      - small-saas/tenant/acme
      - small-saas/tenant/globex
    user_engine_expectation: User-engine can represent tenant boundaries and bind users, accounts, roles, and evidence to them.
  - required_concept: user
    small_saas_artifacts:
      - small-saas/user/ada-admin
    user_engine_expectation: User-engine can map users separately from accounts, principals, subjects, and access grants.
  - required_concept: team
    small_saas_artifacts:
      - small-saas/team/platform
    user_engine_expectation: User-engine can represent team membership without treating teams as permission bundles.
  - required_concept: policy
    small_saas_artifacts:
      - small-saas/policy/tenant-isolation
    user_engine_expectation: User-engine access behavior can trace to governing policy.
  - required_concept: control
    small_saas_artifacts:
      - small-saas/control/namespace-per-tenant
    user_engine_expectation: User-engine can show which controls enforce tenant isolation or access boundaries.
  - required_concept: evidence
    small_saas_artifacts:
      - small-saas/evidence/access-review-2026-05
    user_engine_expectation: User-engine can provide or link evidence for access reviews and privileged grants.
  - required_concept: task
    small_saas_artifacts:
      - small-saas/task/onboard-tenant
    user_engine_expectation: User-engine can identify onboarding, access request, review, remediation, and deprovisioning work.
  - required_concept: incident
    small_saas_artifacts:
      - small-saas/incident/cross-tenant-access-attempt
    user_engine_expectation: User-engine can link access incidents or findings to users, principals, tenants, controls, and evidence.
conformance_questions:
  - Can Ada Admin's tenant-admin grant for Acme be represented with user, subject, principal, role, tenant scope, policy, and evidence?
  - Can Globex remain isolated from Ada Admin unless an explicit grant, scope, and evidence record exists?
  - Can tenant isolation policy connect to control evidence and review records?
  - Can onboarding a tenant create trackable work without implying that every request is already committed?
  - Can any integration gap become an EvolutionRequest instead of an undocumented scope change?
pass_conditions:
  - All required small-saas user-management artifacts have matching user-engine entities or explicit gaps.
  - Access grants carry tenant scope, role, governing policy, and evidence.
  - User, team, tenant, organization role, access role, subject, and principal are not collapsed into one concept.
  - Evidence gaps are explicit and produce review or remediation work.
  - PURPOSES fields identify current purpose fit and requested evidence.
failure_conditions:
  - User-engine cannot distinguish organization roles from access roles.
  - User-engine cannot trace privileged access to tenant scope and evidence.
  - User-engine treats consumer demand as automatic producer scope.
  - User-engine cannot produce a mapping export or completed interface card.
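The conformance questions and pass conditions above describe a concrete shape for access grants: a grant names a subject (here a principal acting for a user), an access role, a tenant scope, the governing policy, and the evidence that justified it, and access to a tenant is allowed only through such an explicit grant, never through team membership. The following is an added example, not code from the user-engine or the small-saas profile; it reuses the artifact names from this lens (acme, globex, ada-admin, tenant-isolation, namespace-per-tenant, access-review-2026-05) but the classes, the `tenant-admin` action set, the `authorize`, `grant_gaps` and `deny_finding` functions and the principal id are hypothetical. It shows Ada's Acme grant being honoured with a full trace, Globex staying isolated until an explicit scoped grant exists, and a grant without evidence surfacing as remediation work instead of passing silently.

```python
"""Tenant-scoped grant model with evidence tracing (added illustration).

Entities stay separate: a User is a person, a Principal is an authenticated
identity acting for that user, a Grant binds a subject to an access role within
one tenant scope, and Evidence is the review record that justified the grant.
Names are taken from the small-saas artifacts; the API is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    id: str                      # a person, not an account or a login


@dataclass(frozen=True)
class Principal:
    id: str                      # the authenticated identity that acts
    user_id: str                 # the user it is bound to


@dataclass(frozen=True)
class Grant:
    subject: str                 # principal id the grant is issued to
    role: str                    # access role, distinct from an org role
    tenant_scope: str            # the single tenant the role applies to
    policy: str                  # governing policy artifact
    evidence: Optional[str]      # review/approval evidence; None is a gap


@dataclass
class Decision:
    allowed: bool
    trace: Dict[str, Optional[str]] = field(default_factory=dict)


# Constructed sample data. ROLE_ACTIONS is a hypothetical action set for the
# tenant-admin role; TEAMS records membership only and is never consulted by
# authorize(), so a team cannot act as a permission bundle.
ROLE_ACTIONS = {"tenant-admin": {"tenant.read", "tenant.manage-users"}}
TEAMS = {"small-saas/team/platform": {"small-saas/user/ada-admin"}}
ISOLATION_CONTROL = "small-saas/control/namespace-per-tenant"

ada = User("small-saas/user/ada-admin")
ada_principal = Principal("principal/ada-admin", ada.id)   # hypothetical id

GRANTS: List[Grant] = [
    Grant(subject=ada_principal.id, role="tenant-admin",
          tenant_scope="small-saas/tenant/acme",
          policy="small-saas/policy/tenant-isolation",
          evidence="small-saas/evidence/access-review-2026-05"),
]


def is_team_member(user_id: str, team_id: str) -> bool:
    """Membership lookup only; deliberately not used for access decisions."""
    return user_id in TEAMS.get(team_id, set())


def authorize(principal: Principal, tenant_id: str, action: str,
              grants: List[Grant] = GRANTS) -> Decision:
    """Allow only on an explicit grant whose subject and tenant scope match.

    A grant for one tenant never reaches another, so Globex stays isolated
    from Ada until a separate Globex-scoped grant exists.
    """
    for g in grants:
        if g.subject != principal.id or g.tenant_scope != tenant_id:
            continue                      # wrong subject or wrong tenant
        if action not in ROLE_ACTIONS.get(g.role, set()):
            continue                      # role does not cover this action
        return Decision(True, {"role": g.role, "tenant": g.tenant_scope,
                               "policy": g.policy, "evidence": g.evidence})
    return Decision(False, {"reason": "no explicit tenant-scoped grant",
                            "tenant": tenant_id})


def grant_gaps(grants: List[Grant] = GRANTS) -> List[Dict[str, str]]:
    """Turn every grant lacking evidence into an explicit remediation task."""
    return [{"task": "remediate-missing-evidence", "subject": g.subject,
             "tenant": g.tenant_scope, "role": g.role, "policy": g.policy}
            for g in grants if g.evidence is None]


def deny_finding(principal: Principal, tenant_id: str, action: str,
                 grants: List[Grant] = GRANTS) -> Optional[Dict[str, str]]:
    """On a denied cross-tenant attempt, emit a finding linking user,
    principal, tenant and the control that enforced the boundary."""
    if authorize(principal, tenant_id, action, grants).allowed:
        return None
    return {"finding": "cross-tenant-access-attempt", "user": principal.user_id,
            "principal": principal.id, "tenant": tenant_id,
            "control": ISOLATION_CONTROL, "action": action}


if __name__ == "__main__":
    print(authorize(ada_principal, "small-saas/tenant/acme", "tenant.manage-users"))
    print(deny_finding(ada_principal, "small-saas/tenant/globex", "tenant.read"))
```

Adding a Globex-scoped grant with `evidence=None` makes `authorize` succeed for Globex while `grant_gaps` reports it as remediation work, which is the behaviour the "evidence gaps are explicit" pass condition asks for; a reviewer can decide whether a missing-evidence grant should instead be refused outright, which this example does not assume.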