Enterprise Identity And Access Control
Huzefaaa2 edited this page Jul 3, 2026 · 3 revisions
CAVRA Enterprise identity uses a public-safe contract for OIDC, SAML bridge, SCIM lifecycle, RBAC, ABAC, and break-glass operations.
- OIDC/JWKS validation through `CAVRA_APPROVAL_OIDC_CONFIG`.
- RBAC mappings through `CAVRA_APPROVAL_RBAC_FILE`.
- Enterprise identity policy contract through `CAVRA_ENTERPRISE_IDENTITY_POLICY`.
- API endpoints: `/identity/enterprise-contract`, `/identity/enterprise-readiness`, `/console/session`, `/console/security-boundary`.
| Area | Contract |
|---|---|
| OIDC | Validate issuer, audience, expiry, not-before, JWKS key, RS256 signature, groups, roles, tenant, and workspace claims. |
| SAML bridge | Normalize SAML assertions into the same CAVRA claim contract through the IdP, gateway, or private Enterprise bridge. |
| SCIM | Synchronize groups, roles, tenant/workspace membership, deprovisioning, and audit evidence. |
| RBAC | CISO, security operator, platform security, model owner, auditor, and break-glass approver roles. |
| ABAC | Tenant, workspace, repository, environment, model owner, and data classification boundaries. |
| Break-glass | CAB role, reason, external reference, short TTL, and retained audit event. |
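The OIDC row above lists the checks but not their order, and the order is the security property: a validator that reads `exp` or `groups` before the signature has verified is trusting attacker-controlled bytes. What follows is an added example, not CAVRA's own code. It applies the same checks to a compact JWT with only the Python standard library: the algorithm is pinned to RS256, the JWKS key is selected by `kid`, the RSASSA-PKCS1-v1_5 signature is verified, and only then are issuer, audience, expiry, not-before and the groups/roles/tenant/workspace claims read. The claim names, the JWKS shape and the toy RSA key generator used to sign a test token offline are assumptions for the example; a deployment should verify against the IdP's published JWKS with a maintained JOSE library, which is the piece `rs256_verify` stands in for here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
# Assumed claim names; the real mapping is whatever CAVRA_APPROVAL_OIDC_CONFIG declares.
REQUIRED_CLAIMS = ("groups", "roles", "tenant", "workspace")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _emsa_pkcs1_v15(signing_input, k):
    # EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || SHA-256(M), exactly k bytes.
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(signing_input, signature, jwk):
    """RSASSA-PKCS1-v1_5 / SHA-256 computed straight from the JWK 'n' and 'e' members."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def validate_id_token(token, jwks, issuer, audience, now=None, leeway=30):
    """Return the verified claims or raise ValueError. Nothing in the payload is trusted
    until the alg is pinned, the key is selected by kid and the signature has verified."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed token: {exc}") from None
    # Pin the algorithm: this is what rejects 'none' and HS256 key-confusion tokens.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("alg not allowed, expected RS256")
    kid = header.get("kid")
    keys = [k for k in jwks.get("keys", []) if k.get("kid") == kid and k.get("kty") == "RSA"
            and k.get("use", "sig") == "sig" and k.get("alg", "RS256") == "RS256"]
    if len(keys) != 1:
        raise ValueError(f"no unique RSA signing key for kid {kid!r}")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), keys[0]):
        raise ValueError("signature verification failed")
    if not isinstance(payload, dict) or payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(payload.get("exp"), (int, float)) or now > payload["exp"] + leeway:
        raise ValueError("token expired or exp missing")
    if now + leeway < payload.get("nbf", 0):
        raise ValueError("token not yet valid")
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    return payload

# Toy RSA signer so the example runs offline. DEMO ONLY: production keys are the IdP's own.
def _probable_prime(bits, rounds=24):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):  # Miller-Rabin witnesses
            x = pow(secrets.randbelow(n - 3) + 2, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # composite: draw a new candidate
        else:
            return n

def toy_keypair(kid, bits=1024):
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            break
    n_b64 = b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))
    jwk = {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256", "n": n_b64, "e": "AQAB"}
    return jwk, (n, pow(e, -1, phi))

def rs256_sign(header, payload, private_key):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, payload))
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return f"{signing_input}.{b64url_encode(pow(em, d, n).to_bytes(k, 'big'))}"
```

Two details carry most of the weight. The `alg` pin is taken from the verifier's configuration, never from the token header, so a token claiming `none` or `HS256` (with the RSA public key replayed as the HMAC secret) fails before any key is touched. The JWKS lookup demands exactly one RSA signing key for the `kid`; a JWKS that publishes duplicate `kid` values, or keys with `use: enc`, is rejected rather than guessed at.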
Scoped approval decisions now enforce the Enterprise contract before legacy group authorization succeeds:
| Approval type | Required role | Boundary |
|---|---|---|
| Runtime action approval | `security_operator` or `platform_security` | Matching tenant and workspace when supplied. |
| Model or AI artifact approval | `model_owner` or `ciso` | Matching tenant and workspace when supplied, plus model owner context. |
| Break-glass approval | `break_glass_approver` and Change Advisory Board | Reason, external reference, short TTL, and audit evidence. |
Community approvals with no Enterprise ABAC fields still use the existing group and repository RBAC path.
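The table above fixes who may approve what and within which boundary, and the sentence after it describes the community fallback. As an added example (not the project's code), the policy function below encodes those rows as one decision: a request carrying Enterprise ABAC fields must satisfy the role and boundary checks before the existing group/repository authorization is consulted, break-glass requires both roles plus reason, external reference and a bounded TTL, and the retained audit event is returned with the decision. Assumed for the example: the approval-type keys, the `cab` role label for the Change Advisory Board, a 3600-second bound for "short TTL", the reading that a `model_owner` approver's own `model_owner` claim must match the request while a `ciso` may approve any model inside the boundary, and the `legacy_authorize` callback standing in for the existing RBAC path.

```python
from dataclasses import dataclass, field
import time

# Role names follow the table on this page; approval-type keys are assumed for the example.
APPROVAL_ROLES = {
    "runtime_action": {"security_operator", "platform_security"},
    "model_artifact": {"model_owner", "ciso"},
}
BREAK_GLASS_ROLES = {"break_glass_approver", "cab"}  # "cab" is an assumed label for the CAB role
BREAK_GLASS_MAX_TTL = 3600  # assumed bound for the table's "short TTL", in seconds
ABAC_FIELDS = ("tenant", "workspace", "model_owner")

@dataclass
class Decision:
    allowed: bool
    path: str          # "enterprise" or "legacy"
    reason: str
    audit: dict = field(default_factory=dict)

def _boundary_ok(claims, request):
    # Tenant and workspace are enforced whenever the request supplies them.
    for f in ("tenant", "workspace"):
        if f in request and claims.get(f) != request[f]:
            return False, f"{f} boundary mismatch"
    return True, "boundary ok"

def _enterprise_check(approval_type, claims, request, now):
    roles = set(claims.get("roles", []))
    ok, why = _boundary_ok(claims, request)
    if not ok:
        return False, why, {}
    if approval_type == "break_glass":
        if not BREAK_GLASS_ROLES <= roles:  # both roles, not either
            return False, "break-glass needs break_glass_approver AND cab", {}
        reason, ref, ttl = request.get("reason"), request.get("external_reference"), request.get("ttl_seconds")
        if not reason or not ref:
            return False, "break-glass requires reason and external reference", {}
        if not isinstance(ttl, int) or not 0 < ttl <= BREAK_GLASS_MAX_TTL:
            return False, f"break-glass TTL must be 1..{BREAK_GLASS_MAX_TTL}s", {}
        audit = {"event": "break_glass_approval", "subject": claims.get("sub"), "reason": reason,
                 "external_reference": ref, "expires_at": now + ttl,
                 "tenant": request.get("tenant"), "workspace": request.get("workspace")}
        return True, "break-glass granted", audit
    allowed_roles = APPROVAL_ROLES.get(approval_type)
    if allowed_roles is None:
        return False, f"unknown approval type {approval_type!r}", {}
    if not roles & allowed_roles:
        return False, f"needs one of {sorted(allowed_roles)}", {}
    if approval_type == "model_artifact":
        # Assumed reading of "plus model owner context": the request must name the model
        # owner; a model_owner approver must own that model, a ciso may approve in-boundary.
        if "model_owner" not in request:
            return False, "model owner context missing", {}
        if "ciso" not in roles and claims.get("model_owner") != request["model_owner"]:
            return False, "approver does not own this model", {}
    return True, "enterprise contract satisfied", {}

def authorize_approval(approval_type, claims, request, legacy_authorize, now=None):
    now = time.time() if now is None else now
    # Community path: no Enterprise ABAC fields, so only the existing group/repo RBAC applies.
    if approval_type != "break_glass" and not any(f in request for f in ABAC_FIELDS):
        ok = legacy_authorize(claims.get("groups", []), request.get("repository"))
        return Decision(ok, "legacy", "group/repository RBAC only (community approval)")
    ok, why, audit = _enterprise_check(approval_type, claims, request, now)
    if not ok:
        return Decision(False, "enterprise", why, audit)
    # The Enterprise contract is a gate in front of the legacy path, not a replacement for it.
    if not legacy_authorize(claims.get("groups", []), request.get("repository")):
        return Decision(False, "enterprise", "enterprise contract ok but legacy group RBAC denied", audit)
    return Decision(True, "enterprise", why, audit)

def demo_legacy_authorize(groups, repository):
    # Constructed stand-in for the existing group/repository RBAC path.
    return "sec-approvers" in groups
```

The boundary check runs before the role check on purpose: a `ciso` token from tenant `t1` must not be able to approve anything in tenant `t2`, and putting the tenant comparison first means a role mismatch is never the only reason a cross-tenant request is refused.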
Validation commands:

```bash
python3 scripts/validate_enterprise_identity_readiness.py
python3 scripts/validate_enterprise_live_identity_packet.py \
  --packet .cavra/identity/enterprise-live-identity-validation.json \
  --output dist/enterprise-live-identity-validation-result.json
python3 -m pytest tests/test_enterprise_identity.py tests/test_identity_references.py -q
```

Live IdP/SCIM closeout is tracked in Enterprise Live Identity Validation.
The detailed repo document is Enterprise Identity And Access Control.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Textbook home: Before the Agent Acts
- Development archive: development and testing artifacts
- Source repository: github.com/Huzefaaa2/cavra