generated from coulomb/repo-seed
59 lines
3.3 KiB
YAML
id: evaluation/user-engine/small-saas-alignment
title: User Engine Small SaaS Alignment Lens
status: candidate
consumer: user-engine
evaluation_pack: evaluation/user-engine
profile: profile/small-saas
alignment_goal: Use small-saas as the concrete tenant-aware SaaS lens for user-management evaluation.
profile_requirements:
  - required_concept: tenant
    small_saas_artifacts:
      - small-saas/tenant/acme
      - small-saas/tenant/globex
    user_engine_expectation: User-engine can represent tenant boundaries and bind users, accounts, roles, and evidence to them.
  - required_concept: user
    small_saas_artifacts:
      - small-saas/user/ada-admin
    user_engine_expectation: User-engine can map users separately from accounts, principals, subjects, and access grants.
  - required_concept: team
    small_saas_artifacts:
      - small-saas/team/platform
    user_engine_expectation: User-engine can represent team membership without treating teams as permission bundles.
  - required_concept: policy
    small_saas_artifacts:
      - small-saas/policy/tenant-isolation
    user_engine_expectation: User-engine access behavior can trace to governing policy.
  - required_concept: control
    small_saas_artifacts:
      - small-saas/control/namespace-per-tenant
    user_engine_expectation: User-engine can show which controls enforce tenant isolation or access boundaries.
  - required_concept: evidence
    small_saas_artifacts:
      - small-saas/evidence/access-review-2026-05
    user_engine_expectation: User-engine can provide or link evidence for access reviews and privileged grants.
  - required_concept: task
    small_saas_artifacts:
      - small-saas/task/onboard-tenant
    user_engine_expectation: User-engine can identify onboarding, access request, review, remediation, and deprovisioning work.
  - required_concept: incident
    small_saas_artifacts:
      - small-saas/incident/cross-tenant-access-attempt
    user_engine_expectation: User-engine can link access incidents or findings to users, principals, tenants, controls, and evidence.
conformance_questions:
  - Can Ada Admin's tenant-admin grant for Acme be represented with user, subject, principal, role, tenant scope, policy, and evidence?
  - Can Globex remain isolated from Ada Admin unless an explicit grant, scope, and evidence record exists?
  - Can tenant isolation policy connect to control evidence and review records?
  - Can onboarding a tenant create trackable work without implying that every request is already committed?
  - Can any integration gap become an EvolutionRequest instead of an undocumented scope change?
pass_conditions:
  - All required small-saas user-management artifacts have matching user-engine entities or explicit gaps.
  - Access grants carry tenant scope, role, governing policy, and evidence.
  - User, team, tenant, organization role, access role, subject, and principal are not collapsed into one concept.
  - Evidence gaps are explicit and produce review or remediation work.
  - PURPOSES fields identify current purpose fit and requested evolution.
failure_conditions:
  - User-engine cannot distinguish organization roles from access roles.
  - User-engine cannot trace privileged access to tenant scope and evidence.
  - User-engine treats consumer demand as automatic producer scope.
  - User-engine cannot produce a mapping export or completed interface card.