OH

Identity, RBAC & Contextual Authorization

Security administration workspace: Entra OIDC workforce identity, roles and permission sets, ABAC context rules, access-review campaigns, SoD conflicts and the server-side authorization decision trace.

GOV-02
Workforce SSO
Entra OIDC
MFA / Conditional Access · token validation OK
MFA coverage
98%
1 exception · expires 24 Jul 2026
Roles · permission sets
24 · 61
0 orphan permissions
Open SoD conflicts
3
1 waiver expiring
Denials audited (7d)
412
Top: FIN capability from broker clients

Role catalog

All Business Restricted Emergency
RolePermission setsMembersDefault scopeSoD classLast reviewStatus
Sales Agent
CRM, listings, viewings, offers (no release)
CRM-CORE, PROP-READ, OFFER-DRAFT27Own branch · own/team recordsMaker2026-04-30Certified
Sales Manager
Adds discount approval to 5%, reassignment
CRM-CORE, OFFER-APPROVE-L1, TEAM-MGMT3Own branch, all teamsApprover2026-04-30Certified
Legal Counsel
Templates, clause library, contract release
CONTRACT-ADMIN, TEMPLATE-APPROVE2All branches (legal entity)Approver2026-04-30Certified
Accountant
Journals, invoices, receipts — no payment release
FIN-POST, AR-AP-CORE4Legal entityMaker2026-04-30Certified
Finance Manager
Payment release, period close, bank rec approval
FIN-POST, PAY-RELEASE, CLOSE-CTRL1Legal entityApprover2026-04-30Certified
KYC Maker / KYC Checker
Split roles — same user can never hold both
KYC-MAKE · KYC-CHECK2 · 2Legal entityMaker/Checker pair2026-04-30Certified
MLRO
AML cases, goAML reporting — restricted visibility
AML-CASE, STR-REPORT1All entities · restricted recordsRestricted2026-05-15Certified
Auditor (read-only)
Time-boxed grant XG-2026-057, no write capability
AUDIT-READ1All entities · expires 2026-08-15Independent2026-07-01Time-boxed
Config Admin
Configuration lifecycle; cannot approve own change
CFG-ADMIN, FLAG-ADMIN1PlatformMaker2026-05-15Certified
Break-glass emergency
Vaulted credential · dual control · mandatory reason & post-use review
EMERGENCY-ALL (alerting)0 activeRestricted source onlyEmergencyLast used: neverSealed
External broker (portal)
Relationship-scoped — never inherits workforce roles
EXT-BROKER12Active relationship records onlyExternal2026-06-202 pending recert
11 of 24 roles

Contextual authorization rules

RuleDimensionConditionEffectApplies toVersionStatus
CTX-SCOPE-01Company / branchrecord.branch ∈ subject.branches or approved grantAllow read; else deny + auditAll record queriesv9Active
CTX-OWN-02Record ownershipLead/deal owner = subject or subject ∈ owner teamAllow writeCRM, dealsv9Active
CTX-AMT-03Amount / authorityDiscount > 5% or offer > AED 5,000,000.00Escalate per authority matrixOffers, invoices, paymentsv11Active
CTX-REL-04Relationship (external)Exact relationship active and unexpired (relationship_binding)Allow scoped read/action; recalc on changePortals, signingv6Active
CTX-SENS-05SensitivityOwner/tenant contact class = CONFIDENTIAL and capability PARTY_SENSITIVE_VIEW absentMask fields (784-19●●-●●●●●●●-●)Party, unit, HR viewsv7Active
CTX-STEP-06Step-upPayment release, export > 1,000 rows, break-glassRequire fresh MFA (≤10 min)Finance, exportsv5Active
CTX-SOD-07Segregation of dutiesActor is maker, beneficiary, requester or prior approverDeny approval + auditAll approvalsv8Active
CTX-HOLD-08HoldSecurity, legal, sanctions, privacy or transaction hold activeDeny command, keep read for authorized rolesAll commandsv8Active
CTX-STATE-09Record stateAggregate state/version forbids command (e.g. released contract)Deny with STATE_CONFLICTContracts, journalsv4Active
CTX-GEO-10Session / deviceUnmanaged device requests bulk exportDeny + notify securityExportsv2 draftPending approval

Decision trace — audited denial (acceptance)

Request: external broker user b.mansoor@primelinkrealty.ae (Prime Link Realty) called GET /api/v1/finance/invoices?deal=DL-2026-0142 directly at 2026-07-17 09:41:22 UTC — bypassing the UI.

DimensionQuestionEvidenceResult
Authentication assuranceValid external session, MFA fresh?session ctx · assurance L2Pass
Feature readinessRoute enabled for tenant?flag portal.broker ONPass
CapabilityRole grants finance.invoice.read?permission code EXT-BROKERFAIL — not granted
ScopeRecord in authorized branch scope?tenant + ABAC contextNot evaluated
RelationshipActive broker relationship on DL-2026-0142?relationship_bindingNot evaluated
SoD / Authority / Holdshort-circuited after first failureNot evaluated

Outcome: 403 AUTHZ_DENIED · audit event AUD-2026-118422 · correlation c0a8-77f1-4e02-9b3d · policy snapshot v11 recorded. Full record in Audit Explorer.

Access review campaign AR-2026-Q3

Due 31 Jul 2026 · 68% complete
Sales (R. Al Farsi)40%
Finance (F. Rashid)55%
Legal (M. Al Suwaidi)100%
Compliance (A. Al Blooshi)100%
Platform (V. Nair)75%

Chart alternative: completion percentages are also listed per reviewer in the table below.

ReviewerAssignedDecidedRevokedDeadlineStatus
MA Mariam Al Suwaidi9912026-07-31Complete
AB Ahmed Al Blooshi111122026-07-31Complete
VN Vikram Nair8602026-07-31In progress
RF Rashid Al Farsi301212026-07-12 (extended)Overdue 5 days — escalated to COO
FR Fatima Rashid11602026-07-15Overdue 2 days — reminder sent
Totals69444Unreviewed grants auto-suspend on 07 Aug 2026

Segregation-of-duties conflicts

FlagUserConflicting capabilitiesRuleRiskDetectedStatus
SOD-2026-014DC Daniel ChenAP invoice entry + payment release (temp cover)FIN-SOD-01High2026-06-28Waiver by Fatima Rashid — expires 31 Jul 2026
SOD-2026-017OH Omar HaddadOffer maker + listing price overrideCRM-SOD-03Medium2026-07-06Pending remediation — remove override by 25 Jul
SOD-2026-018VN Vikram NairFlag change maker + flag change approverCFG-SOD-02Medium2026-07-11Mitigated — approvals rerouted to Fatima Rashid
SOD-2026-009LH Layla HassanKYC maker + KYC checker (role request rejected)KYC-SOD-01High2026-05-19Resolved — request denied, audited
SOD-2026-011RF Rashid Al FarsiExpense requester attempting self-approvalGOV-SOD-00High2026-06-02Blocked at runtime — rerouted to independent approver

Static render mockup — no live data. Source: ERP Modern Development Specification v2.0 · Covers: GOV-02 (authentication profiles §36.1, authorization decision §36.2, audit minimum §36.3).