Capabilities_Governance_Infrastructure_Prompt
With Cedar we can use formal reasoning to make universal statements about the future: what every request a policy set will ever permit or deny. But while capability-based access control may be the better model, enterprise IT practice has no established way to govern capabilities. It does have a long history of governing through identity, and the IGA tools in that space, SailPoint and Saviynt, are incumbents with little appetite for change.
For TBAC to be adopted, what new governance tools will enterprise IT departments need?
1. Capability Registry & Catalog
- Central repository for defining, versioning, and discovering capabilities
- Semantic mapping between business functions and technical capabilities
- Dependency tracking between capabilities and resources
2. Capability Composition Engine
- Tools to bundle granular capabilities into meaningful business roles
- Policy templates for common capability patterns
- Automated capability inheritance and delegation rules
3. Token Lifecycle Management
- Automated JWT/credential issuance, renewal, and revocation
- Multi-issuer token orchestration
- Evidence chain validation and audit trails
4. Trust Framework Administration
- Certificate authority integration and management
- Verifiable credential schema governance
- Cross-domain trust relationship configuration
5. Cedar Policy Development Environment
- Visual policy builders for non-technical stakeholders
- Policy simulation and testing frameworks
- Formal verification integration for policy correctness
6. Policy Lifecycle Management
- Version control and change management for Cedar policies
- Impact analysis tools (what changes when a policy updates)
- Automated policy compliance checking against regulatory frameworks
7. IAM-to-TBAC Bridge
- Role-to-capability mapping utilities
- Gradual migration pathways from RBAC to TBAC
- Integration adapters for existing IGA tools (SailPoint, Saviynt)
8. Governance Workflow Engines
- Approval workflows for capability grants
- Automated compliance reporting
- Risk assessment integration for capability combinations
9. Capability Usage Analytics
- Real-time capability utilization monitoring
- Anomaly detection for unusual capability patterns
- Business impact analysis of capability changes
10. Audit & Compliance Dashboards
- Regulatory compliance reporting (SOX, GDPR, etc.)
- Capability sprawl detection and cleanup recommendations
- Evidence validation status monitoring
Token Based Access Control ("TBAC") has the domain authorize a capability only when the request is supported by evidence. A capability is an action, or set of actions, on a resource or set of resources. The evidence can take several forms:
- Signed JWT Tokens
- X.509 Certificates
- HTTP Message + signature
- Verifiable Credentials (JSON-LD proof…)
Cedar is a policy expression language and evaluation engine with several useful properties:
- Built for formal analysis and verification
- Fast, embeddable evaluation engine
- Human-readable policy syntax
- CNCF candidate project
- Used by Amazon Verified Permissions ("AVP")
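As an added example (not code from this page or from the Cedar project), the following Python walks through the TBAC loop described above: the domain accepts a signed JWT as evidence, verifies it, and authorizes only the capabilities the verified token carries, with the grant rule written as Cedar policies. The issuer key, issuer URL, the `cap` claim name and the entity types `User`, `Document` and `Action` are assumptions made for the example. The Cedar policies are embedded as a string for reference; `is_authorized` mirrors their `when` clauses in Python so the example runs offline without a Cedar engine, and that stand-in is not Cedar itself.

```python
"""Added example, not code from the page or the Cedar project: a TBAC evidence
check in plain Python. A capability token is an HS256 JWT whose `cap` claim
maps an action to the Document ids it may be applied to. The domain verifies
the token, maps it onto a Cedar request, and the policy decides. Key, issuer
URL, claim names and entity types are assumptions made for this example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed issuer key, constructed for the example. A real issuer would sign with
# an asymmetric key (RS256/ES256) so relying parties cannot mint tokens.
ISSUER_KEY = b"example-issuer-key-not-for-production"
ISSUER = "https://issuer.example"   # assumed issuer URL

# The Cedar policies the request built below is meant to feed (valid Cedar
# syntax). Each grant is conditioned on evidence: the resource must be in the
# capability set carried by the verified token; everything else is denied.
CEDAR_POLICIES = """
permit(principal, action == Action::"read", resource)
when { context has read_caps && context.read_caps.contains(resource) };

permit(principal, action == Action::"write", resource)
when { context has write_caps && context.write_caps.contains(resource) };
"""
ACTIONS = ("read", "write")   # the actions the policies above know about


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_capability_token(key: bytes, subject: str, capabilities: dict,
                           ttl: int = 300, now: Optional[int] = None) -> str:
    """Issuer side: mint a compact JWS (HS256) carrying the capabilities."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "iat": now, "exp": now + ttl,
              "cap": capabilities}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_capability_token(key: bytes, token: str,
                            now: Optional[int] = None) -> Optional[dict]:
    """Relying-party side: return the claims only if the token is genuine evidence.
    The algorithm is pinned instead of trusted from the header (blocks alg=none and
    key confusion), the MAC is compared in constant time, and issuer, subject and
    validity window are enforced. Any failure yields None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256" or claims.get("iss") != ISSUER \
            or "sub" not in claims:
        return None
    if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        return None
    return claims


def build_cedar_request(claims: dict, action: str, resource: str) -> dict:
    """Map verified evidence onto the Cedar request shape the policies expect.
    Capability sets go into the context as entity references (Cedar JSON's
    `__entity` form) so the policies can compare them with `resource`."""
    caps = claims.get("cap", {})
    return {
        "principal": {"type": "User", "id": claims["sub"]},
        "action": {"type": "Action", "id": action},
        "resource": {"type": "Document", "id": resource},
        "context": {
            f"{a}_caps": [{"__entity": {"type": "Document", "id": i}}
                          for i in caps.get(a, [])]
            for a in ACTIONS},
    }


def is_authorized(key: bytes, token: str, action: str, resource: str,
                  now: Optional[int] = None) -> bool:
    """Domain-side decision. No valid evidence means deny, full stop. With valid
    evidence the request plus CEDAR_POLICIES would go to a Cedar engine (or AVP);
    to run offline the policies' `when` clauses are mirrored here in Python.
    This stand-in is not Cedar, it only reproduces the two rules above."""
    claims = verify_capability_token(key, token, now)
    if claims is None:
        return False
    request = build_cedar_request(claims, action, resource)
    granted = request["context"].get(f"{action}_caps", [])  # no policy -> deny
    return request["resource"] in [e["__entity"] for e in granted]
```

Calling `is_authorized(ISSUER_KEY, token, "read", "doc-42")` returns True only when the signature, issuer and validity window all check out and the token lists `doc-42` under `read`; a token minted under any other key, an expired token, a resource the token does not name, or an action the policies do not cover all produce a deny. The design point is that the token is never consulted before it is verified: claims become context for the policy only after they have been proven to be evidence.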