SecurityPrincipal

Represents any entity that can be authenticated and authorized in the system: a unified abstraction for users, service accounts, API clients, devices and automated systems. A security principal is anything that can hold permissions and make requests, whether a human user, a microservice, an IoT device, a scheduled job or an external system. The abstraction lets the access control system treat all of these consistently while preserving what is specific to each.

Each principal carries three kinds of data. First, authentication material: a credential hash, a certificate thumbprint or a public key, never the raw secret itself. Second, attributes for authorization decisions: clearance level, trust score, organization and department, free-form JSON attributes, and constraints such as permitted IP ranges and time windows. Third, a security context that bounds what it can do: status, activation and expiry times, a session limit and whether it may impersonate other principals.

Service principals enable machine-to-machine authentication without user involvement, which is essential for automated workflows and microservices. System principals represent internal components that need controlled access to resources. External principals cover third-party integrations and are given limited, scoped access.

The entity tracks the principal's lifecycle from creation through its trust states to eventual deactivation, and records security-posture information: last security review, next review date, compliance status and risk score.

Because every principal type shares one schema, a single policy can apply to users, services and systems without separate implementations. This is what zero-trust architectures require: every request is authenticated and authorized on the same terms, regardless of where it comes from.

34 properties
Schema

Properties

| Property | Type | Mode | Required | Description |
|---|---|---|---|---|
| principalId | uuid | stored | Required | Unique identifier for this security principal |
| principalType | string | enum | Required | Category of security principal. Values: user, service, application, device, system, external, federated |
| principalName | string | stored | Required | Unique name identifier across all principals. Example: "svc_payment_processor" |
| displayName | string | stored | Required | Human-friendly name for display. Example: "Payment Processing Service" |
| description | string | stored | Optional | Purpose and function of this principal. Example: "Automated service for processing customer payments and refunds" |
| authenticationMethod | string | enum | Required | How this principal authenticates. Values: password, certificate, api_key, oauth, saml, kerberos, biometric, hardware_token |
| credentialHash | string | stored | Optional | Hashed credential for authentication; the raw secret is never stored |
| certificateThumbprint | string | stored | Optional | Certificate identifier for certificate-based authentication |
| publicKey | string | stored | Optional | Public key for asymmetric authentication |
| realm | string | stored | Optional | Authentication realm or domain. Example: "corporate.example.com" |
| trustLevel | integer | stored | Optional | Trust score from 0 (untrusted) to 100 (fully trusted) |
| clearanceLevel | integer | stored | Optional | Security clearance level |
| owner | User | stored | Optional | User responsible for this principal |
| organization | string | stored | Optional | Organization this principal belongs to |
| department | string | stored | Optional | Department or team |
| attributes | string | stored | Optional | JSON object, serialized as a string, of attributes for policy evaluation. Example: "{\"location\":\"us-east-1\",\"environment\":\"production\",\"data_classification\":\"sensitive\"}" |
| allowedIpRanges | string | stored | Optional | JSON array, serialized as a string, of permitted IP ranges (the examples below use CIDR notation) |
| allowedTimeWindows | string | stored | Optional | JSON array, serialized as a string, of time-based access windows |
| maxConcurrentSessions | integer | stored | Optional | Maximum simultaneous active sessions |
| status | string | enum | Optional | Current status of the principal. Values: active, inactive, suspended, locked, expired, pending_approval |
| activatedAt | DateTime | stored | Optional | When the principal became active |
| expiresAt | DateTime | stored | Optional | When the principal's access expires |
| lastAuthenticationAt | DateTime | stored | Optional | Last successful authentication |
| lastActivityAt | DateTime | stored | Optional | Last recorded activity |
| lastSecurityReview | DateTime | stored | Optional | Last security assessment date |
| nextReviewDate | DateTime | stored | Optional | When the next security review is due |
| complianceStatus | string | stored | Optional | Compliance assessment status |
| riskScore | integer | stored | Optional | Current risk assessment score |
| isSystem | boolean | stored | Optional | Whether this is a system principal |
| canImpersonate | boolean | stored | Optional | Whether the principal can act as other principals |
| tags | string | stored | Optional | JSON array, serialized as a string, of tags for categorization |
| createdAt | DateTime | stored | Required | When the principal was created |
| createdBy | User | stored | Optional | Who created this principal |
| metadata | object | stored | Optional | Additional principal configuration |
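The credentialHash field holds a hash, never the secret itself. The following is an added example (not code from this page or the project it documents) showing how that value can be produced and checked for the two authenticationMethod values that use a shared secret: api_key and password. The "<scheme>$..." string layout, the function names and the iteration count are this example's own conventions and assumptions; the page only says the field holds a hashed credential.

```python
"""Populate and verify credentialHash for a SecurityPrincipal.

Added example; the "<scheme>$..." layout and the function names below are
assumptions, not part of the SecurityPrincipal schema.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor chosen for this example


def hash_api_key(key):
    # A generated API key already carries ~256 bits of entropy, so a single fast
    # hash is enough: it stops a leaked record from yielding a usable key, and
    # there is nothing for an offline guesser to enumerate.
    return "sha256$" + hashlib.sha256(key.encode()).hexdigest()


def hash_password(password, salt=None):
    # Human-chosen secrets are low entropy, so use a salted, deliberately slow KDF.
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def issue_api_key(nbytes=32):
    """Return (raw_key, credential_hash). The raw key is shown to the client once
    and is never written to the principal record."""
    key = secrets.token_urlsafe(nbytes)
    return key, hash_api_key(key)


def credential_for(principal, secret):
    """Derive the credentialHash value matching the principal's authenticationMethod."""
    method = principal.get("authenticationMethod")
    if method == "api_key":
        return hash_api_key(secret)
    if method == "password":
        return hash_password(secret)
    raise ValueError(f"authenticationMethod {method!r} does not use credentialHash")


def verify(presented, credential_hash):
    """Constant-time comparison of a presented secret against a stored credentialHash.
    Unknown or malformed schemes fail closed rather than falling back to a weaker check."""
    scheme, _, rest = credential_hash.partition("$")
    if scheme == "sha256":
        expected = rest
        actual = hashlib.sha256(presented.encode()).hexdigest()
    elif scheme == "pbkdf2_sha256":
        parts = rest.split("$")
        if len(parts) != 3:
            return False
        iterations, salt_hex, expected = parts
        actual = hashlib.pbkdf2_hmac("sha256", presented.encode(),
                                     bytes.fromhex(salt_hex), int(iterations)).hex()
    else:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed record modelled on the page's external partner example.
    raw, stored = issue_api_key()
    partner = {"principalName": "ext_partner_api", "authenticationMethod": "api_key",
               "credentialHash": stored}
    print(verify(raw, partner["credentialHash"]))              # True
    print(verify(raw[:-1] + "!", partner["credentialHash"]))   # False
```

The scheme prefix lets a verifier roll to a stronger KDF later without invalidating existing records: old hashes keep verifying under their recorded scheme, and a successful login is the moment to rehash under the new one. Certificate and public-key principals do not use this field at all; for them the record holds only certificateThumbprint or publicKey.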

Examples

Example 1

{
  "@type": "SecurityPrincipal",
  "principalId": "prin_svc_001",
  "principalType": "service",
  "principalName": "svc_data_pipeline",
  "displayName": "Data Pipeline Service",
  "description": "ETL service that processes and transforms customer data between systems",
  "authenticationMethod": "certificate",
  "certificateThumbprint": "3f:2a:45:67:89:ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78",
  "realm": "services.internal",
  "trustLevel": 85,
  "clearanceLevel": 3,
  "owner": "user_data_team_lead",
  "organization": "DataEngineering",
  "department": "Analytics",
  "attributes": "{\"service_type\":\"etl\",\"data_access_level\":\"full\",\"pii_handler\":true,\"sox_compliant\":true}",
  "allowedIpRanges": "[\"10.0.0.0/8\",\"172.16.0.0/12\"]",
  "maxConcurrentSessions": 5,
  "status": "active",
  "activatedAt": "2024-01-01T00:00:00Z",
  "expiresAt": "2025-01-01T00:00:00Z",
  "lastAuthenticationAt": "2024-03-15T14:00:00Z",
  "lastActivityAt": "2024-03-15T14:30:00Z",
  "lastSecurityReview": "2024-02-15T00:00:00Z",
  "nextReviewDate": "2024-05-15T00:00:00Z",
  "complianceStatus": "compliant",
  "riskScore": 25,
  "isSystem": false,
  "canImpersonate": false,
  "tags": "[\"production\",\"critical\",\"data_processor\",\"gdpr_scope\"]",
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "kubernetes_namespace": "data-services",
    "service_account": "data-pipeline-sa"
  }
}

Example 2

{
  "@type": "SecurityPrincipal",
  "principalId": "prin_ext_002",
  "principalType": "external",
  "principalName": "ext_partner_api",
  "displayName": "Partner Integration - TechCorp",
  "description": "External partner API client for inventory synchronization",
  "authenticationMethod": "api_key",
  "realm": "partners.external",
  "trustLevel": 60,
  "clearanceLevel": 1,
  "organization": "TechCorp",
  "attributes": "{\"partner_id\":\"PARTNER_123\",\"integration_type\":\"inventory\",\"rate_limit\":\"1000/hour\"}",
  "allowedIpRanges": "[\"203.0.113.0/24\"]",
  "allowedTimeWindows": "[{\"days\":[\"mon\",\"tue\",\"wed\",\"thu\",\"fri\"],\"hours\":\"00:00-23:59\"}]",
  "maxConcurrentSessions": 3,
  "status": "active",
  "activatedAt": "2024-02-01T00:00:00Z",
  "expiresAt": "2024-08-01T00:00:00Z",
  "lastAuthenticationAt": "2024-03-15T10:00:00Z",
  "lastActivityAt": "2024-03-15T10:15:00Z",
  "lastSecurityReview": "2024-02-01T00:00:00Z",
  "nextReviewDate": "2024-04-01T00:00:00Z",
  "complianceStatus": "under_review",
  "riskScore": 45,
  "isSystem": false,
  "canImpersonate": false,
  "tags": "[\"partner\",\"external\",\"limited_access\",\"inventory_only\"]",
  "createdAt": "2024-02-01T00:00:00Z",
  "metadata": {
    "contract_id": "CONTRACT_2024_001",
    "data_sharing_agreement": "DSA_2024_TC"
  }
}
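The two example records above carry very different constraints, yet the point of the schema is that one evaluation routine handles both. Here is an added example (not code from this page or the project it documents) that applies status, expiresAt, allowedIpRanges, allowedTimeWindows, maxConcurrentSessions and a policy condition on attributes to a request, using constructed records cut down from Example 1 and Example 2. It assumes the JSON layouts the examples use (CIDR strings for IP ranges; {"days": [...], "hours": "HH:MM-HH:MM"} objects for time windows, with inclusive bounds and all days when "days" is absent); the request arguments, the required_attrs policy argument and the reason strings are its own conventions.

```python
"""Evaluate an access request against a SecurityPrincipal record.

Added example; the evaluate() signature and the reason strings are this
example's own conventions, not part of the SecurityPrincipal schema.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed records, reduced from the page's Example 1 and Example 2.
SERVICE_PRINCIPAL = {
    "principalId": "prin_svc_001", "principalType": "service",
    "principalName": "svc_data_pipeline", "status": "active",
    "expiresAt": "2025-01-01T00:00:00Z",
    "attributes": "{\"service_type\":\"etl\",\"pii_handler\":true}",
    "allowedIpRanges": "[\"10.0.0.0/8\",\"172.16.0.0/12\"]",
    "maxConcurrentSessions": 5,
}
PARTNER_PRINCIPAL = {
    "principalId": "prin_ext_002", "principalType": "external",
    "principalName": "ext_partner_api", "status": "active",
    "expiresAt": "2024-08-01T00:00:00Z",
    "attributes": "{\"partner_id\":\"PARTNER_123\",\"integration_type\":\"inventory\"}",
    "allowedIpRanges": "[\"203.0.113.0/24\"]",
    "allowedTimeWindows": "[{\"days\":[\"mon\",\"tue\",\"wed\",\"thu\",\"fri\"],\"hours\":\"00:00-23:59\"}]",
    "maxConcurrentSessions": 3,
}

DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # weekday() order


def _parse_ts(value):
    # The page uses RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _in_time_window(windows, now):
    """True if `now` (UTC) falls inside any window. An empty list means unrestricted."""
    if not windows:
        return True
    day = DAY_NAMES[now.weekday()]
    minutes = now.hour * 60 + now.minute
    for window in windows:
        if day not in window.get("days", DAY_NAMES):  # assumption: no "days" means every day
            continue
        start, end = window["hours"].split("-")
        start_h, start_m = map(int, start.split(":"))
        end_h, end_m = map(int, end.split(":"))
        if start_h * 60 + start_m <= minutes <= end_h * 60 + end_m:  # inclusive bounds
            return True
    return False


def evaluate(principal, source_ip, now, active_sessions, required_attrs=None):
    """Return (allowed, reasons). Every check runs so the reasons list shows all
    failures for the audit trail, not just the first one hit."""
    reasons = []
    if principal.get("status") != "active":
        reasons.append(f"status is {principal.get('status')!r}, not active")
    expires = principal.get("expiresAt")
    if expires and _parse_ts(expires) <= now:
        reasons.append("principal expired")
    ranges = json.loads(principal.get("allowedIpRanges") or "[]")
    if ranges:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(r, strict=False) for r in ranges):
            reasons.append(f"source {source_ip} outside allowedIpRanges")
    if not _in_time_window(json.loads(principal.get("allowedTimeWindows") or "[]"), now):
        reasons.append("outside allowedTimeWindows")
    limit = principal.get("maxConcurrentSessions")
    if limit is not None and active_sessions >= limit:
        reasons.append(f"{active_sessions} sessions already active (max {limit})")
    attrs = json.loads(principal.get("attributes") or "{}")
    for key, expected in (required_attrs or {}).items():
        if attrs.get(key) != expected:
            reasons.append(f"attribute {key}={attrs.get(key)!r}, policy requires {expected!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    now = datetime(2024, 3, 15, 10, 0, tzinfo=timezone.utc)  # a Friday
    print(evaluate(SERVICE_PRINCIPAL, "10.1.2.3", now, 2, {"pii_handler": True}))
    print(evaluate(PARTNER_PRINCIPAL, "203.0.113.7", now, 1, {"integration_type": "inventory"}))
    print(evaluate(PARTNER_PRINCIPAL, "198.51.100.9", now, 3, {"integration_type": "billing"}))
```

The same function serves the internal service and the external partner; the records, not the code, carry the difference in how tightly each is constrained. Note that expiresAt is compared against the caller's clock, so the evaluator must be fed a trusted time source rather than anything the requester supplies.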