Skip to content
FedTrustFederated TrustDocs

Enter at least two characters.

Type to search all documentation pages and sections. Use ↑ ↓ to move, Enter to open, and Esc to close.

Platform statuses are part of the claim

Layered authorization

Decide with policy. Delegate with a narrow artifact.

The governing model has two composed layers: Federated Trust supplies cloud authentication and the single authorization write authority, while every app evaluates access to its own resources strictly downstream of those facts. An app can be cloud-first, offline-capable, or both without introducing a competing relationship engine.

Security teams04 chapters
01

Two layers interoperate instead of competing

REPO-017 is the consolidated governing corpus. FederatedTrust owns a first-pilot product, but the target remains a designed deployment profile until its release and operating evidence exists.

Layer 1: Federated Trust

Federated Trust provides cloud authentication plus ReBAC-centered authorization and is the only writer of firm, membership, relationship, role, cross-party or coalition grant, and policy facts.

Layer 2: downstream app evaluation

Each application evaluates its resource-specific decision from live Layer 1 facts or a verified Layer 1 projection plus resource-local state. It may deny or narrow, but cannot invent a grant or run a competing relationship engine.

Cloud and offline paths

Cloud-first and offline-capable applications use the same decision logic. Offline evaluation consumes a signed, versioned, expiring Layer 1 projection, accepts no relationship or policy writes, and fails closed by default for sensitive operations when the projection is stale past its bound.

Pilot product boundary

FederatedTrust owns the product for the first pilot. Broader investment remains governed by BIZ-1/2/3 and is not implied by the authorization architecture.

Layered RBAC, ReBAC, and ABAC decisions

Typed policy and relationship evaluation exists in code and tests. Independent Federated Trust deployment, operational evidence, and relying-party integration remain incomplete.

Customer-controlled and sovereign data planes

Managed, customer-controlled connected, and sovereign/offline profiles are designed target shapes, not generally available offerings. Each requires a validated package and explicit infrastructure, custody, update, recovery, observability, and support responsibilities.

Resource-service final deny

Local audience, tenant, revision, revocation, and resource-policy enforcement is a required design contract; conformance must be proven for each relying service.

02

Three policy lenses answer different questions

RBAC: job-shaped access

Roles provide understandable bundles for recurring responsibilities, but should not become the only source of truth.

ReBAC: durable relationships

Relationship-based policy expresses who owns, belongs to, manages, sponsors, or is affiliated with a resource or organization.

ABAC: contextual narrowing

Attributes such as tenant, environment, assurance, purpose, device, time, or transaction risk can further constrain a request.

Layered RBAC, ReBAC, and ABAC decisions

Typed policy and relationship evaluation exists in code and tests. Independent Federated Trust deployment, operational evidence, and relying-party integration remain incomplete.

03

Capability-based authorization is a delegation target

CapBAC is not a fourth competing policy engine. Size-limited signed-envelope verification, opaque verified artifacts, attenuation, and exact reference-service request binding exist in code; independent issuer-key resolution and relying-party rollout evidence remain gated.

Attenuation only

A delegated artifact can become narrower in resource, action, audience, purpose, or lifetime; it cannot create authority the delegator did not have.

Actor chain

Human, application, agent, and downstream workload identities remain distinguishable for policy and audit.

Short-lived and revocable

High-risk delegation should use bounded lifetimes, unique identifiers, current policy revision, and a revocation path.

04

Layer 2 retains per-app final deny

A Layer 1 decision or valid delegation is necessary but not sufficient to read or change a protected application resource.

Audience match

A service rejects authority issued for another relying service or environment.

Resource-local evaluation

The service evaluates the exact resource, current tenant state, Layer 1 revision and revocation state, and local deny conditions before acting.

Fail closed

Unknown subject mappings, ambiguous tenant context, unverifiable delegation, or an expired projection for a sensitive operation ends in denial.

Resource-service final deny

Local audience, tenant, revision, revocation, and resource-policy enforcement is a required design contract; conformance must be proven for each relying service.