generated from coulomb/repo-seed
149 lines
4.9 KiB
YAML
149 lines
4.9 KiB
YAML
id: evaluation/user-engine/interface-card-expectations
|
|
title: User Engine Canon Interface Card Expectations
|
|
status: candidate
|
|
consumer: user-engine
|
|
evaluation_pack: evaluation/user-engine
|
|
expected_consumer_fields:
|
|
repo: user-engine
|
|
domain: user-management
|
|
intent: Evaluate and later integrate user-management capability against InfoTechCanon.
|
|
scope:
|
|
- user identity
|
|
- accounts
|
|
- tenants
|
|
- teams
|
|
- memberships
|
|
- roles
|
|
- access decisions
|
|
- access reviews
|
|
- governance evidence
|
|
purposes:
|
|
- id: user-engine/user-management-evaluation
|
|
use_case: Compare user-engine entities and access behavior with InfoTechCanon models and small-saas profile expectations.
|
|
consumer_need: Clear distinction among identities, actors, principals, subjects, roles, grants, policies, controls, evidence, and lifecycle work.
|
|
demand_signals:
|
|
- user-engine will be assessed before integration.
|
|
- user-engine needs a canon-side conformance question set.
|
|
expected_canon_surfaces:
|
|
implemented_profiles:
|
|
- profile/small-saas
|
|
consumed_artifacts:
|
|
- model/organization
|
|
- model/access-control
|
|
- model/governance
|
|
- model/data
|
|
- model/security
|
|
- model/task
|
|
- model/purpose-demand-extension
|
|
- standard/caring
|
|
consumed_concepts:
|
|
- Actor
|
|
- Subject
|
|
- Principal
|
|
- User
|
|
- Team
|
|
- Tenant
|
|
- Organization Role
|
|
- AccessRole
|
|
- Permission
|
|
- Entitlement
|
|
- ResourceScope
|
|
- Policy
|
|
- Control
|
|
- Evidence
|
|
- AccessReview
|
|
- ConsumerPurpose
|
|
- PurposeFit
|
|
- EvolutionRequest
|
|
expected_entities:
|
|
- id: user
|
|
canon_anchor: model/organization
|
|
expectation: Represents a human or service user without collapsing into authenticated principal.
|
|
- id: account
|
|
canon_anchor: model/access-control
|
|
expectation: Represents login or system account bound to a user, actor, or principal.
|
|
- id: principal
|
|
canon_anchor: model/access-control
|
|
expectation: Represents authenticated identity used in an authorization decision.
|
|
- id: subject
|
|
canon_anchor: model/access-control
|
|
expectation: Represents entity evaluated by policy, possibly a user, principal, group, or service account.
|
|
- id: tenant
|
|
canon_anchor: model/organization
|
|
expectation: Represents customer or organization boundary used for membership, data, and access scope.
|
|
- id: team
|
|
canon_anchor: model/organization
|
|
expectation: Represents operational group, not an access role.
|
|
- id: organization-role
|
|
canon_anchor: model/organization
|
|
expectation: Represents responsibility or position.
|
|
- id: access-role
|
|
canon_anchor: model/access-control
|
|
expectation: Represents permission bundle or access capability.
|
|
- id: policy
|
|
canon_anchor: model/governance
|
|
expectation: Governs access or lifecycle behavior.
|
|
- id: control
|
|
canon_anchor: model/security
|
|
expectation: Implements or enforces a policy or objective.
|
|
- id: evidence
|
|
canon_anchor: model/observability
|
|
expectation: Supports review, control, access, or integration claims.
|
|
expected_edges:
|
|
- type: member_of
|
|
source: user
|
|
target: team
|
|
expectation: User or actor belongs to team.
|
|
- type: belongs_to_tenant
|
|
source: user
|
|
target: tenant
|
|
expectation: User or account is scoped to a tenant when applicable.
|
|
- type: authenticates_as
|
|
source: account
|
|
target: principal
|
|
expectation: Account produces or binds authenticated principal.
|
|
- type: evaluated_as
|
|
source: principal
|
|
target: subject
|
|
expectation: Principal is evaluated as policy subject.
|
|
- type: assigned_role
|
|
source: subject
|
|
target: access-role
|
|
expectation: Subject receives access role within explicit scope.
|
|
- type: scoped_to
|
|
source: access-role
|
|
target: tenant
|
|
expectation: Access role or grant declares resource or tenant scope.
|
|
- type: governed_by
|
|
source: access-grant
|
|
target: policy
|
|
expectation: Grant traces to policy or rule.
|
|
- type: implemented_by
|
|
source: policy
|
|
target: control
|
|
expectation: Policy is enforced by a control.
|
|
- type: evidenced_by
|
|
source: access-grant
|
|
target: evidence
|
|
expectation: Grant, review, or control has evidence.
|
|
- type: creates_task
|
|
source: evaluation-gap
|
|
target: task
|
|
expectation: Gap creates work only after triage and commitment.
|
|
evidence_required:
|
|
- completed Canon Interface Card
|
|
- entity and edge mapping export
|
|
- access grant trace
|
|
- tenant-scoped role or permission example
|
|
- access review example
|
|
- policy/control/evidence trace
|
|
- data object inventory for user-management data
|
|
- user lifecycle task or request examples
|
|
- explicit integration gaps and requested evolution
|
|
validation_expectations:
|
|
commands:
|
|
- PYTHONPATH=src python3 -m info_tech_canon validate
|
|
- PYTHONPATH=src python3 -m info_tech_canon profile validate small-saas
|
|
known_gaps_allowed: true
|
|
gap_rule: A gap is acceptable only when recorded with purpose fit state, owner, and proposed disposition.
|