Identity, RBAC & Contextual Authorization
Security administration workspace: Entra OIDC workforce identity, roles and permission sets, ABAC context rules, access-review campaigns, SoD conflicts and the server-side authorization decision trace.
Role catalog
| Role | Permission sets | Members | Default scope | SoD class | Last review | Status |
|---|---|---|---|---|---|---|
| Sales Agent CRM, listings, viewings, offers (no release) | CRM-CORE, PROP-READ, OFFER-DRAFT | 27 | Own branch · own/team records | Maker | 2026-04-30 | Certified |
| Sales Manager Adds discount approval to 5%, reassignment | CRM-CORE, OFFER-APPROVE-L1, TEAM-MGMT | 3 | Own branch, all teams | Approver | 2026-04-30 | Certified |
| Legal Counsel Templates, clause library, contract release | CONTRACT-ADMIN, TEMPLATE-APPROVE | 2 | All branches (legal entity) | Approver | 2026-04-30 | Certified |
| Accountant Journals, invoices, receipts — no payment release | FIN-POST, AR-AP-CORE | 4 | Legal entity | Maker | 2026-04-30 | Certified |
| Finance Manager Payment release, period close, bank rec approval | FIN-POST, PAY-RELEASE, CLOSE-CTRL | 1 | Legal entity | Approver | 2026-04-30 | Certified |
| KYC Maker / KYC Checker Split roles — same user can never hold both | KYC-MAKE · KYC-CHECK | 2 · 2 | Legal entity | Maker/Checker pair | 2026-04-30 | Certified |
| MLRO AML cases, goAML reporting — restricted visibility | AML-CASE, STR-REPORT | 1 | All entities · restricted records | Restricted | 2026-05-15 | Certified |
| Auditor (read-only) Time-boxed grant XG-2026-057, no write capability | AUDIT-READ | 1 | All entities · expires 2026-08-15 | Independent | 2026-07-01 | Time-boxed |
| Config Admin Configuration lifecycle; cannot approve own change | CFG-ADMIN, FLAG-ADMIN | 1 | Platform | Maker | 2026-05-15 | Certified |
| Break-glass emergency Vaulted credential · dual control · mandatory reason & post-use review | EMERGENCY-ALL (alerting) | 0 active | Restricted source only | Emergency | Last used: never | Sealed |
| External broker (portal) Relationship-scoped — never inherits workforce roles | EXT-BROKER | 12 | Active relationship records only | External | 2026-06-20 | 2 pending recert |
Contextual authorization rules
| Rule | Dimension | Condition | Effect | Applies to | Version | Status |
|---|---|---|---|---|---|---|
CTX-SCOPE-01 | Company / branch | record.branch ∈ subject.branches or approved grant | Allow read; else deny + audit | All record queries | v9 | Active |
CTX-OWN-02 | Record ownership | Lead/deal owner = subject or subject ∈ owner team | Allow write | CRM, deals | v9 | Active |
CTX-AMT-03 | Amount / authority | Discount > 5% or offer > AED 5,000,000.00 | Escalate per authority matrix | Offers, invoices, payments | v11 | Active |
CTX-REL-04 | Relationship (external) | Exact relationship active and unexpired (relationship_binding) | Allow scoped read/action; recalc on change | Portals, signing | v6 | Active |
CTX-SENS-05 | Sensitivity | Owner/tenant contact class = CONFIDENTIAL and capability PARTY_SENSITIVE_VIEW absent | Mask fields (784-19●●-●●●●●●●-●) | Party, unit, HR views | v7 | Active |
CTX-STEP-06 | Step-up | Payment release, export > 1,000 rows, break-glass | Require fresh MFA (≤10 min) | Finance, exports | v5 | Active |
CTX-SOD-07 | Segregation of duties | Actor is maker, beneficiary, requester or prior approver | Deny approval + audit | All approvals | v8 | Active |
CTX-HOLD-08 | Hold | Security, legal, sanctions, privacy or transaction hold active | Deny command, keep read for authorized roles | All commands | v8 | Active |
CTX-STATE-09 | Record state | Aggregate state/version forbids command (e.g. released contract) | Deny with STATE_CONFLICT | Contracts, journals | v4 | Active |
CTX-GEO-10 | Session / device | Unmanaged device requests bulk export | Deny + notify security | Exports | v2 draft | Pending approval |
Decision trace — audited denial (acceptance)
Request: external broker user b.mansoor@primelinkrealty.ae (Prime Link Realty) called GET /api/v1/finance/invoices?deal=DL-2026-0142 directly at 2026-07-17 09:41:22 UTC — bypassing the UI.
| Dimension | Question | Evidence | Result |
|---|---|---|---|
| Authentication assurance | Valid external session, MFA fresh? | session ctx · assurance L2 | Pass |
| Feature readiness | Route enabled for tenant? | flag portal.broker ON | Pass |
| Capability | Role grants finance.invoice.read? | permission code EXT-BROKER | FAIL — not granted |
| Scope | Record in authorized branch scope? | tenant + ABAC context | Not evaluated |
| Relationship | Active broker relationship on DL-2026-0142? | relationship_binding | Not evaluated |
| SoD / Authority / Hold | — | short-circuited after first failure | Not evaluated |
Outcome: 403 AUTHZ_DENIED · audit event AUD-2026-118422 · correlation c0a8-77f1-4e02-9b3d · policy snapshot v11 recorded. Full record in Audit Explorer.
Access review campaign AR-2026-Q3
Due 31 Jul 2026 · 68% completeChart alternative: completion percentages are also listed per reviewer in the table below.
| Reviewer | Assigned | Decided | Revoked | Deadline | Status |
|---|---|---|---|---|---|
| MA Mariam Al Suwaidi | 9 | 9 | 1 | 2026-07-31 | Complete |
| AB Ahmed Al Blooshi | 11 | 11 | 2 | 2026-07-31 | Complete |
| VN Vikram Nair | 8 | 6 | 0 | 2026-07-31 | In progress |
| RF Rashid Al Farsi | 30 | 12 | 1 | 2026-07-12 (extended) | Overdue 5 days — escalated to COO |
| FR Fatima Rashid | 11 | 6 | 0 | 2026-07-15 | Overdue 2 days — reminder sent |
| Totals | 69 | 44 | 4 | Unreviewed grants auto-suspend on 07 Aug 2026 | |
Segregation-of-duties conflicts
| Flag | User | Conflicting capabilities | Rule | Risk | Detected | Status |
|---|---|---|---|---|---|---|
SOD-2026-014 | DC Daniel Chen | AP invoice entry + payment release (temp cover) | FIN-SOD-01 | High | 2026-06-28 | Waiver by Fatima Rashid — expires 31 Jul 2026 |
SOD-2026-017 | OH Omar Haddad | Offer maker + listing price override | CRM-SOD-03 | Medium | 2026-07-06 | Pending remediation — remove override by 25 Jul |
SOD-2026-018 | VN Vikram Nair | Flag change maker + flag change approver | CFG-SOD-02 | Medium | 2026-07-11 | Mitigated — approvals rerouted to Fatima Rashid |
SOD-2026-009 | LH Layla Hassan | KYC maker + KYC checker (role request rejected) | KYC-SOD-01 | High | 2026-05-19 | Resolved — request denied, audited |
SOD-2026-011 | RF Rashid Al Farsi | Expense requester attempting self-approval | GOV-SOD-00 | High | 2026-06-02 | Blocked at runtime — rerouted to independent approver |
Static render mockup — no live data. Source: ERP Modern Development Specification v2.0 · Covers: GOV-02 (authentication profiles §36.1, authorization decision §36.2, audit minimum §36.3).