info-tech-canon/infospace/evaluations/user-engine/questions.yaml

id: evaluation/user-engine/questions
title: User Engine Canon Evaluation Questions
status: candidate
consumer: user-engine
evaluation_pack: evaluation/user-engine
question_domains:
  - id: organization
    title: Organization
    canon_anchors:
      - model/organization
      - profile/small-saas
    questions:
      - id: org-001
        question: Which user-engine records map to Person, User, Actor, Agent, Team, Tenant, Role, Membership, Assignment, Responsibility, Authority, and Accountability?
        expected_evidence:
          - entity mapping table
          - examples for human users and service users
      - id: org-002
        question: How does user-engine distinguish Actor, Subject, and Principal in authentication and authorization contexts?
        expected_evidence:
          - concept mapping
          - access-decision trace
      - id: org-003
        question: How are tenant membership, team membership, ownership, and delegated administration represented?
        expected_evidence:
          - tenant/team membership export
          - owner or administrator assignment records
  - id: access-control
    title: Access Control
    canon_anchors:
      - model/access-control
      - standard/caring
      - profile/small-saas
    questions:
      - id: ac-001
        question: Which user-engine concepts map to AccessRole, Permission, Entitlement, ResourceScope, RoleBinding, AuthorizationDecision, and AccessPolicy?
        expected_evidence:
          - entity mapping table
          - role and permission examples
      - id: ac-002
        question: Can every privileged access grant identify subject or principal, access role, resource scope, tenant boundary, governing policy, and evidence?
        expected_evidence:
          - grant trace
          - tenant-scoped role binding example
      - id: ac-003
        question: How are Organization Role, AccessRole, and CARING canonical role kept distinct?
        expected_evidence:
          - distinction notes
          - CARING role classification examples
  - id: governance
    title: Governance
    canon_anchors:
      - model/governance
      - standard/caring
    questions:
      - id: gov-001
        question: Which user-engine records carry policy, control, review, approval, exception, waiver, evidence, and decision semantics?
        expected_evidence:
          - governance mapping table
          - review and approval examples
      - id: gov-002
        question: What evidence shows that access grants are reviewed, approved, remediated, or expired?
        expected_evidence:
          - access review records
          - remediation or exception records
      - id: gov-003
        question: Who has decision rights for accepting, rejecting, or deferring integration gaps?
        expected_evidence:
          - decision authority statement
          - accountable owner
  - id: data
    title: Data
    canon_anchors:
      - model/data
      - profile/small-saas
    questions:
      - id: data-001
        question: Which user-engine data objects contain identity, account, tenant, membership, role, permission, credential, or audit data?
        expected_evidence:
          - data object inventory
          - processing purpose notes
      - id: data-002
        question: How are tenant partitioning, retention, residency, lineage, and processing purpose represented for user-management data?
        expected_evidence:
          - data boundary description
          - tenant partition example
  - id: security
    title: Security
    canon_anchors:
      - model/security
      - model/access-control
      - profile/small-saas
    questions:
      - id: sec-001
        question: How does user-engine represent credentials, sessions, privileged access, MFA or equivalent assurance, and secret handling boundaries?
        expected_evidence:
          - security concept mapping
          - privileged access scenario
      - id: sec-002
        question: Which incidents, findings, or alerts can be linked to users, principals, tenants, controls, and evidence?
        expected_evidence:
          - incident linkage example
          - finding or alert export
  - id: task
    title: Task
    canon_anchors:
      - model/task
      - profile/small-saas
    questions:
      - id: task-001
        question: Which onboarding, access request, review, remediation, deprovisioning, and integration-gap items map to WorkItem, Task, Request, ReviewTask, ApprovalTask, RemediationTask, or ChangeTask?
        expected_evidence:
          - lifecycle task examples
          - task state mapping
      - id: task-002
        question: How does user-engine distinguish captured requests from committed implementation or remediation tasks?
        expected_evidence:
          - task commitment mapping
          - backlog or issue examples
  - id: purposes
    title: PURPOSES
    canon_anchors:
      - model/purpose-demand-extension
      - pattern/intent-scope-purposes
    questions:
      - id: pur-001
        question: What consumer intent, scope, purposes, use cases, demand signals, and consumer needs does user-engine declare for canon integration?
        expected_evidence:
          - completed Canon Interface Card
          - consumer purpose statement
      - id: pur-002
        question: Which purpose fit state applies to user-engine now, and which gaps create scope pressure or evolution requests for InfoTechCanon?
        expected_evidence:
          - purpose fit review
          - requested evolution list