Security Bootstrap User Lifecycle
Status: draft UX contract
Date: 2026-05-24
Purpose
This document defines the first guided user lifecycle flows for the security
bootstrap experience. It is the product contract for NET-WP-0016-T04.
The goal is to make common access operations clear without granting platform root by accident.
Actor Classes
| Class | Meaning | Root risk |
|---|---|---|
| Setup operator | Can assemble or observe early infrastructure | Must not imply root custody |
| Platform admin | Day-to-day delegated platform administration | Scoped and revocable |
| Tenant admin | Admin for one tenant or fabric | No platform root |
| Reviewer | Read-only inspection and audit role | No secret reads by default |
| Workload principal | Service account or automation identity | Least privilege |
| King credential | Rare platform-root custody | Break-glass only |
The UI must always distinguish actor class before granting access.
Onboard User
Inputs:
- display name;
- contact address;
- actor class;
- tenant or fabric scope;
- requested groups/roles;
- MFA requirement;
- review date.
Flow:
- Select actor class.
- Select scope.
- Show effective privileges before creation.
- Highlight any platform-admin or root-adjacent role.
- Require MFA for privileged roles.
- Create or prepare identity in the selected IAM provider.
- Record non-secret audit event.
Blocked conditions:
- actor class is missing;
- scope is missing for tenant/fabric roles;
- privileged role without MFA;
- ordinary onboarding tries to grant king custody.
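The onboarding gate described above, as an added example (not code from the contract or its implementation): it computes the roles the UI must highlight and the blocked conditions for a request. Actor class names follow the actor table; the role strings, scope field and the set of root-adjacent roles are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Actor classes from the contract's actor table (snake_case is an assumption).
ACTOR_CLASSES = {"setup_operator", "platform_admin", "tenant_admin",
                 "reviewer", "workload_principal", "king_credential"}
# Classes whose roles are bound to one tenant or fabric and therefore need a scope.
SCOPED_CLASSES = {"tenant_admin"}
# Assumed role names that the UI must flag as platform-admin or root-adjacent.
ROOT_ADJACENT_ROLES = {"platform-admin", "iam-admin", "openbao-root"}
# Assumed role name that would hand out king (platform-root) custody.
KING_ROLES = {"king-custodian"}


@dataclass
class OnboardRequest:
    display_name: str
    contact: str
    actor_class: str | None          # None models a form submitted without a class
    scope: str | None                # tenant or fabric identifier, if any
    roles: set[str] = field(default_factory=set)
    mfa_required: bool = False
    review_date: str | None = None


def highlighted_roles(req: OnboardRequest) -> set[str]:
    """Roles the 'effective privileges' screen must highlight before creation."""
    return req.roles & (ROOT_ADJACENT_ROLES | KING_ROLES)


def blocked_reasons(req: OnboardRequest) -> list[str]:
    """Return the contract's blocked conditions that apply; empty means allowed."""
    reasons: list[str] = []
    if not req.actor_class or req.actor_class not in ACTOR_CLASSES:
        reasons.append("actor class is missing")
    if req.actor_class in SCOPED_CLASSES and not req.scope:
        reasons.append("scope is missing for tenant/fabric roles")
    privileged = req.actor_class == "platform_admin" or bool(highlighted_roles(req))
    if privileged and not req.mfa_required:
        reasons.append("privileged role without MFA")
    if req.actor_class == "king_credential" or req.roles & KING_ROLES:
        reasons.append("ordinary onboarding tries to grant king custody")
    return reasons


if __name__ == "__main__":
    # Constructed sample request: a tenant admin whose form grants a platform-admin role.
    req = OnboardRequest("Ada", "ada@example.test", "tenant_admin", None,
                         {"platform-admin", "tenant-operator"}, mfa_required=False)
    print("highlight:", highlighted_roles(req))
    print("blocked:", blocked_reasons(req))
```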
Temporarily Lock User
Purpose: suspend access without deleting identity history.
Flow:
- Select user.
- Show active groups, roles, sessions, keys, tokens, and owned resources where available.
- Disable login or token issuance.
- Revoke active sessions and short-lived tokens where supported.
- Preserve audit subject and ownership records.
- Record unlock instructions and review date.
The UI should label this as reversible.
Permanently Lock And Offboard User
Purpose: remove operational access while preserving audit evidence.
Flow:
- Select user.
- Require reason and effective date.
- Transfer owned resources or service principals.
- Revoke sessions, tokens, app passwords, SSH keys, and OpenBao tokens.
- Remove groups, roles, and tenant memberships.
- Schedule rotation for shared material the user may have seen.
- Record non-secret offboarding evidence.
Platform-admin offboarding requires a second confirmation. King credential offboarding is not a normal lifecycle action; it is a custody replacement ceremony.
Review And Change Credentials
Purpose: inspect posture and rotate safely.
The review screen should show:
- MFA state;
- recovery confirmation age;
- SSH keys;
- active tokens;
- group and role memberships;
- last review date;
- owned service principals; and
- rotation recommendations.
Actions:
| Action | Meaning |
|---|---|
| Rotate credential | Replace a secret or key |
| Reset credential | Emergency replacement |
| Change authorization | Add/remove roles or groups |
| Schedule review | Set next review date |
The UI must keep rotation separate from authorization changes.
New Fabric With Its Own Admin
Purpose: create a fabric with delegated administration but no platform-root authority.
Flow:
- Name the fabric.
- Assign fabric admin.
- Create IAM scope and group mapping.
- Create OpenBao path prefix and policy request.
- Define audit and backup expectations.
- Produce a handover checklist.
- Record non-secret progress event.
Blocked conditions:
- fabric admin missing;
- platform-root role requested;
- no OpenBao path prefix;
- no review date.
UX Rules
- Show effective access before saving.
- Use plain labels: "locked", "offboarded", "needs review".
- Do not use red/yellow/green as the only indicator.
- Do not display secret values.
- Do not send secrets by email.
- Keep every high-risk action reversible where possible, or explain why it is not reversible.