
Enterprise Identity And Access Control

Huzefaaa2 edited this page Jul 3, 2026 · 3 revisions

CAVRA Enterprise Identity And Access Control

CAVRA Enterprise identity uses a public-safe contract for OIDC, SAML bridge, SCIM lifecycle, RBAC, ABAC, and break-glass operations.

What Is Public

  • OIDC/JWKS validation through CAVRA_APPROVAL_OIDC_CONFIG.
  • RBAC mappings through CAVRA_APPROVAL_RBAC_FILE.
  • Enterprise identity policy contract through CAVRA_ENTERPRISE_IDENTITY_POLICY.
  • API endpoints:
    • /identity/enterprise-contract
    • /identity/enterprise-readiness
    • /console/session
    • /console/security-boundary

Required Identity Areas

| Area | Contract |
| --- | --- |
| OIDC | Validate issuer, audience, expiry, not-before, JWKS key, RS256 signature, groups, roles, tenant, and workspace claims. |
| SAML bridge | Normalize SAML assertions into the same CAVRA claim contract through the IdP, gateway, or private Enterprise bridge. |
| SCIM | Synchronize groups, roles, tenant/workspace membership, deprovisioning, and audit evidence. |
| RBAC | CISO, security operator, platform security, model owner, auditor, and break-glass approver roles. |
| ABAC | Tenant, workspace, repository, environment, model owner, and data classification boundaries. |
| Break-glass | CAB role, reason, external reference, short TTL, and retained audit event. |
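The OIDC row above lists the checks a token must pass before its claims are trusted. The following is an added example, not CAVRA project code: a stdlib-only validator that performs those checks in the order a hardened verifier should (algorithm pinned first, JWKS lookup by kid, RS256 signature over the signing input, then issuer, audience, exp, nbf, and the contract claims). The issuer, audience, kid, function names and the demo JWKS are assumptions, and the RSA key is a constructed demo key built from two Mersenne primes so that the block runs offline; it is trivially factorable and must never be used for anything real.

```python
# Added example, not CAVRA project code: an OIDC validator for the contract in the table
# above. Function names, the issuer/audience/kid values and the demo JWKS are assumptions.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo RSA key from two Mersenne primes so the block runs offline on the
# standard library alone. Trivially factorable: a demo artifact, never a real key.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
DEMO_N, DEMO_E = _P * _Q, 65537
_DEMO_D = pow(DEMO_E, -1, (_P - 1) * (_Q - 1))
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
ISSUER, AUDIENCE, KID = "https://idp.example.test", "cavra-approval-api", "demo-key-1"
REQUIRED_CLAIMS = ("groups", "roles", "tenant", "workspace")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _int_bytes(i: int) -> bytes:
    return i.to_bytes((i.bit_length() + 7) // 8, "big")

# What the JWKS endpoint would serve for the demo key (constructed).
DEMO_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                       "n": b64url(_int_bytes(DEMO_N)), "e": b64url(_int_bytes(DEMO_E))}]}

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus (RFC 8017, 9.2)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes) -> bytes:
    k = len(_int_bytes(DEMO_N))
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, _DEMO_D, DEMO_N).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Compare against the full expected encoding instead of parsing the padding.
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def mint_demo_token(claims: dict, header: Optional[dict] = None) -> str:
    """Issue a token under the demo key (stands in for the IdP)."""
    header = header or {"alg": "RS256", "kid": KID}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url(rs256_sign(signing_input.encode()))}"

def validate_token(token: str, jwks: dict, issuer: str, audience: str,
                   now: Optional[float] = None) -> dict:
    """Return the claims when every contract check passes, else raise ValueError."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")  # malformed tokens raise ValueError here
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm before looking at any key: rejects alg=none and HS256 key confusion.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError(f"unknown kid {header.get('kid')!r}")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise ValueError("signature invalid")
    claims = json.loads(b64url_decode(p64))  # trusted only after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing contract claims {missing}")
    return claims

def validation_failure(token: str, jwks: dict = DEMO_JWKS, now: Optional[float] = None) -> Optional[str]:
    """Reason the token fails the contract, or None when it passes."""
    try:
        validate_token(token, jwks, ISSUER, AUDIENCE, now)
    except ValueError as exc:
        return str(exc)
    return None
```

The ordering matters: the algorithm is pinned from the verifier's side, not read from the header, so an `alg: none` or HS256 token signed with the public key is rejected before any key material is used, and the payload is only decoded after the signature checks out. In a deployment the JWKS would be fetched from the issuer's discovery document and cached by kid rather than embedded as above.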

Runtime Enforcement

Scoped approval decisions now enforce the Enterprise contract before legacy group authorization succeeds:

| Approval type | Required role | Boundary |
| --- | --- | --- |
| Runtime action approval | security_operator or platform_security | Matching tenant and workspace when supplied. |
| Model or AI artifact approval | model_owner or ciso | Matching tenant and workspace when supplied, plus model owner context. |
| Break-glass approval | break_glass_approver and Change Advisory Board | Reason, external reference, short TTL, and audit evidence. |

Community approvals with no Enterprise ABAC fields still use the existing group and repository RBAC path.
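The table and the community fallback together describe one decision procedure. The following is an added example, not CAVRA project code, that walks that procedure over claims already validated against the OIDC contract: the approval type selects the required role, tenant and workspace (and model owner for artifact approvals) are matched only when the request supplies them, break-glass additionally demands CAB membership, a reason, an external reference and a bounded TTL and emits a retained audit event, and a request with no ABAC fields falls through to the group and repository path. The request and decision types, the group name that carries CAB membership and the one-hour TTL ceiling are assumptions.

```python
# Added example, not CAVRA project code: the scoped-approval decision from the table
# above, over constructed claims. ApprovalRequest, Decision, the CAB group name and the
# TTL ceiling are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

ROLE_RULES = {
    "runtime_action": {"security_operator", "platform_security"},
    "model_artifact": {"model_owner", "ciso"},
    "break_glass": {"break_glass_approver"},
}
CAB_GROUP = "change-advisory-board"   # assumed group name carrying CAB membership
MAX_BREAK_GLASS_TTL = 3600            # assumed ceiling for a "short TTL", in seconds


@dataclass
class ApprovalRequest:
    approval_type: str
    repository: str
    tenant: Optional[str] = None
    workspace: Optional[str] = None
    model_owner: Optional[str] = None
    reason: Optional[str] = None
    external_reference: Optional[str] = None
    ttl_seconds: Optional[int] = None

    @property
    def is_enterprise(self) -> bool:
        """Any ABAC field on the request selects the Enterprise contract."""
        return any(v is not None for v in (self.tenant, self.workspace, self.model_owner))


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)   # retained audit event, if any


def _legacy_group_path(groups: set, req: ApprovalRequest, repo_rbac: dict) -> Decision:
    """Existing community path: one of the caller's groups must be granted the repository."""
    if groups & set(repo_rbac.get(req.repository, ())):
        return Decision(True, "group RBAC grants repository")
    return Decision(False, "no group grants this repository")


def decide(claims: dict, req: ApprovalRequest, repo_rbac: dict) -> Decision:
    """Scoped approval decision over claims already validated against the OIDC contract."""
    if req.approval_type not in ROLE_RULES:
        return Decision(False, f"unknown approval type {req.approval_type!r}")
    roles, groups = set(claims.get("roles", ())), set(claims.get("groups", ()))
    # Community approvals with no Enterprise ABAC fields keep the legacy path unchanged.
    if not req.is_enterprise and req.approval_type != "break_glass":
        return _legacy_group_path(groups, req, repo_rbac)
    # Enterprise contract: role, then ABAC boundaries, before legacy authorization may succeed.
    if not roles & ROLE_RULES[req.approval_type]:
        return Decision(False, f"requires one of {sorted(ROLE_RULES[req.approval_type])}")
    boundaries = ["tenant", "workspace"]
    if req.approval_type == "model_artifact":
        boundaries.append("model_owner")   # "model owner context" read as a matching claim
    for boundary in boundaries:
        wanted = getattr(req, boundary)
        if wanted is not None and claims.get(boundary) != wanted:
            return Decision(False, f"{boundary} boundary mismatch")
    audit = {}
    if req.approval_type == "break_glass":
        if CAB_GROUP not in groups:
            return Decision(False, "break-glass requires Change Advisory Board membership")
        if not req.reason or not req.external_reference:
            return Decision(False, "break-glass requires a reason and an external reference")
        if req.ttl_seconds is None or not 0 < req.ttl_seconds <= MAX_BREAK_GLASS_TTL:
            return Decision(False, f"break-glass TTL must be 1..{MAX_BREAK_GLASS_TTL} seconds")
        audit = {"event": "break_glass_approval", "approver": claims.get("sub"),
                 "tenant": claims.get("tenant"), "workspace": claims.get("workspace"),
                 "reason": req.reason, "external_reference": req.external_reference,
                 "ttl_seconds": req.ttl_seconds}
    legacy = _legacy_group_path(groups, req, repo_rbac)
    return Decision(True, "enterprise contract satisfied", audit) if legacy.allowed else legacy
```

Two points are deliberate: the Enterprise checks run before the group check so that a caller with the right group but the wrong role or tenant is refused, and a break-glass request never takes the community shortcut even when it carries no ABAC fields, since its whole purpose is to be the audited exception.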

Validation

```shell
python3 scripts/validate_enterprise_identity_readiness.py
python3 scripts/validate_enterprise_live_identity_packet.py \
  --packet .cavra/identity/enterprise-live-identity-validation.json \
  --output dist/enterprise-live-identity-validation-result.json
python3 -m pytest tests/test_enterprise_identity.py tests/test_identity_references.py -q
```

Live IdP/SCIM closeout is tracked in Enterprise Live Identity Validation.

The detailed repo document is Enterprise Identity And Access Control.
