generated from coulomb/repo-seed
Enterprise access control refinement and flex-auth delegation
This commit is contained in:
@@ -56,7 +56,10 @@ Initial provider-neutral interfaces now exist in
|
||||
- `EnterprisePolicyMapper`
|
||||
- `DecisionLogStore`
|
||||
|
||||
Documentation: `docs/enterprise-access-control-integration.md`.
|
||||
Documentation:
|
||||
|
||||
- `docs/enterprise-access-control-integration.md`
|
||||
- sibling `flex-auth/docs/flex-auth-authorization-registry-research.md`
|
||||
|
||||
## Decision
|
||||
|
||||
@@ -65,6 +68,14 @@ Markitect should keep accepting normalized `PolicySubject` and `PolicyObject`
|
||||
models, while enterprise adapters handle token verification, group freshness,
|
||||
claim mapping, durable decision logs, and external PDP calls.
|
||||
|
||||
Boundary refinement: central enterprise authorization administration should
|
||||
live in a separate `flex-auth` repo/service under the NetKingdom authorization
|
||||
umbrella. Markitect-side WP-0014 work should implement the narrow integration
|
||||
contract: resource registration, policy requests, decision envelopes, local
|
||||
fixtures, diagnostics, and adapters. It should not grow into the central
|
||||
resource registry, policy administration UI/API, enterprise directory sync, or
|
||||
global audit store.
|
||||
|
||||
Do not map raw AD/LDAP/Entra group names directly to Markitect privileges.
|
||||
Always map:
|
||||
|
||||
@@ -72,7 +83,7 @@ Always map:
|
||||
directory groups -> canonical roles/scopes/trust labels -> PolicySubject
|
||||
```
|
||||
|
||||
## P14.1 - Define enterprise policy map schema
|
||||
## P14.1 - Define flex-auth resource and policy contract
|
||||
|
||||
```task
|
||||
id: MKTT-WP-0014-T001
|
||||
@@ -81,9 +92,17 @@ priority: high
|
||||
state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7"
|
||||
```
|
||||
|
||||
Define the mapping file that translates enterprise groups, roles, scopes,
|
||||
tenants, assurance levels, and emergency rules into Markitect labels, trust
|
||||
zones, allowed actions, and object constraints.
|
||||
Define the Markitect-facing contract for flex-auth integration:
|
||||
|
||||
- resource registration manifests
|
||||
- action vocabulary
|
||||
- label and trust-zone metadata
|
||||
- policy request and decision envelopes
|
||||
- subject mapping expectations
|
||||
- local fixtures for development
|
||||
|
||||
Do not define the central enterprise rule administration schema inside
|
||||
Markitect. That belongs in flex-auth.
|
||||
|
||||
Output: schema, examples, diagnostics, and tests.
|
||||
|
||||
@@ -123,8 +142,9 @@ Implement `EnterprisePolicyMapper` over the policy map schema. It should map
|
||||
verified identity claims and resolved groups into gateway-ready
|
||||
`PolicySubject` objects.
|
||||
|
||||
Output: mapper, examples, and tests for roles, scopes, groups, trust zones,
|
||||
tenancy, and emergency access.
|
||||
Output: mapper/adapter examples and tests for roles, scopes, groups, trust
|
||||
zones, tenancy, and emergency access. Central group-to-resource policy
|
||||
administration remains flex-auth scope.
|
||||
|
||||
## P14.4 - Add directory group resolution boundary
|
||||
|
||||
@@ -141,7 +161,7 @@ adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak.
|
||||
|
||||
Output: resolver contract, freshness metadata, overage handling, and tests.
|
||||
|
||||
## P14.5 - Persist decision logs
|
||||
## P14.5 - Add decision log sink and flex-auth audit adapter
|
||||
|
||||
```task
|
||||
id: MKTT-WP-0014-T005
|
||||
@@ -150,8 +170,10 @@ priority: high
|
||||
state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c"
|
||||
```
|
||||
|
||||
Implement a durable `DecisionLogStore` for policy decisions from query, search,
|
||||
context packages, workflows, exports, and assisted prompt assembly.
|
||||
Implement the Markitect-side `DecisionLogStore` sink for policy decisions from
|
||||
query, search, context packages, workflows, exports, and assisted prompt
|
||||
assembly. The durable enterprise audit store should live in flex-auth; local
|
||||
Markitect storage should remain a development/testing fallback.
|
||||
|
||||
Decision logs should record subject id, token hash, action, object id, policy
|
||||
version, decision effect, reason, redaction status, and provenance.
|
||||
@@ -173,7 +195,8 @@ Provide reference adapters or documented examples for:
|
||||
`RelationshipPolicyAdapter`
|
||||
- OPA/Rego or Cedar-style rule checks through `RulePolicyAdapter`
|
||||
|
||||
Output: examples, adapter stubs, and policy request/decision fixtures.
|
||||
Output: examples, adapter stubs, and policy request/decision fixtures. Full
|
||||
external PDP administration belongs in flex-auth.
|
||||
|
||||
## P14.7 - Integrate policy identity into workflows and context packages
|
||||
|
||||
|
||||
Reference in New Issue
Block a user