Entities and Relationships

Systems of Record (SoR) provide SGNL with valuable business context in order to make policy decisions. When you configure a System of Record, you tell SGNL how to connect to the source, as well as describe the types of objects and attributes you want to bring into the SGNL graph.

Once the Systems of Record are configured and data ingestion commences, SGNL begins to construct a graph from the ingested data. Consider a graph created by integrating employee data from an Identity Provider (IdP), ticket data from a Customer Service Management system, customer data from a CRM, and on-call schedules from an on-call management system. In SGNL, nodes represent entities, and edges represent relationships.

For example, consider an access policy stating that Employees who are Engineers can only work on a Customer ticket if they are assigned to the ticket and are also on-call at the time. The graph includes all necessary context for SGNL to make this decision. Any changes in ticket assignments or on-call status are automatically updated by SGNL, maintaining the accuracy of the relationships in the graph. For instance, if an engineer is removed as an assignee from a ticket, the Assignee relationship is also removed, and consequently, the policy will no longer apply to that user.

Entities and Attributes

Entities and their Attributes for a SoR may be created either through a SoR Template YAML file in Catalogs (recommended), or directly through the SGNL Console.

Creating Entities and Attributes through a SoR template YAML file

SGNL allows the creation of SoRs using YAML templates. Please refer to SGNL Catalog and Templates documentation.

Creating Entities and Attributes through the SGNL Console

If you are quickly testing Entities and Attributes creation and synchronization, you can create them through the SGNL Console.

1. For the SoR of interest, click on “Add Entity”

2. Add Entity details. These fields directly map to entity fields supported by YAML templates

1. Click on “Add Attribute”, and enter Attribute details. The supported fields can be found in YAML templates

4. Repeat for other attributes. Once saved, enable ingestion on the entity. If the SoR and Entities are configured correctly, you should see a log for successful ingestion in SGNL Ingestion Logs.

Synchronization Safety

SGNL’s Synchronization Safety feature protects your access decisions from unintended large-scale changes in your Systems of Record. When a synchronization run detects that deletions exceed a configurable threshold, SGNL prevents those changes from affecting your graph, alerting you and giving you time to investigate, then resolve the issue.

Why Synchronization Safety Matters

While SGNL is designed to keep your graph current with your Systems of Record, there are scenarios where rapid, sweeping changes may not accurately reflect your desired state:

• A misconfiguration in your System of Record temporarily removes large numbers of objects
• An unintentional API change returns incomplete datasets
• A sweeping change my cause entities to no longer match filters you’ve configured

Synchronization Safety acts as a safeguard, ensuring that access decisions remain stable and accurate even when upstream systems experience issues.

How Synchronization Safety Works

Synchronization Safety is configured on a per-entity basis. Before committing deletions to the SGNL graph, the system calculates the percentage of objects that would be deleted in the current synchronization run. If this percentage meets or exceeds your configured threshold, SGNL:

1. Prevents all deletions from that synchronization run
2. Logs an error in SGNL Logs with details about the threshold breach
3. Displays a warning in SGNL, alerting administrators
4. Takes the configured next action (either retry the next scheduled sync or disable synchronization)

Configuring Synchronization Safety

To configure Synchronization Safety for an entity:

1. Navigate to your System of Record in the SGNL Console
2. Select the entity you want to configure
3. Open the Synchronization Safety settings
4. Configure the following options:

Enable/Disable

• Toggle Synchronization Safety on or off for this entity
• When disabled, all deletions are processed without threshold checks

Deletion Threshold (%)

• Set the maximum percentage of objects that can be deleted in a single sync
• If deletions meet or exceed this percentage, the safety mechanism activates
• Recommended range: 10-30% depending on your entity’s typical change patterns

Next Sync Behavior

Choose how SGNL should handle subsequent synchronizations after exceeding the assigned threshold:

• Continue: End this sync without deletion, and continue to schedule and run upcoming synchronization attempts. Use this if the issue might be transient (e.g., temporary network issues, brief API unavailability)
• Disable Synchronization: Stop all synchronization for this entity until an administrator manually re-enables it. Use this for critical entities where you want explicit control after detecting anomalies

Responding to Synchronization Safety Events

When Synchronization Safety prevents deletions, take these steps:

1. Review the notification in the SGNL console and check SGNL Logs for details
2. Investigate the source - Check your System of Record for:
   • Configuration changes
   • Service availability
   • API changes or issues
   • Data integrity problems
3. Resolve the underlying issue in your System of Record
4. Decide on next steps:
   • If the issue is resolved and the behavior was “Continue,” the next sync will retry automatically
   • If the behavior was “Disable Synchronization,” manually re-enable synchronization after verification
   • If the deletions are actually correct (e.g., planned deprovisioning), temporarily disable Synchronization Safety and allow the sync to complete

Relationships

SGNL automatically creates relationships between entities for most well-known SoRs that are launched through SGNL-managed catalogs and templates. For any such SoR, you can check out the created relationships in the SoR’s Relationships tab. For example, SGNL creates the following relationships for Okta:

SGNL also allows the creation of custom relationships between entities. Such relationships can then be referred to in policies for access evaluation. SGNL supports three types of relationships:

1. Entity Relationships
2. Path Relationships
3. Parent Relationships

Entity Relationships

Entity relationships are used to associate entities that may be related in some way. There are two types of Entity relationships:

Same-As relationship

Create a Same-As relationship between two entities when they represent the same type. For example, the User entity and On-Call User entity in the example graph represent the type User.

In the above figure, we are creating a Same-As relationship between an Okta User and a Jira User and indicating the corresponding attributes that are common between the two entities.

Custom Entity Relationship

Create a Custom Entity relationship between two entities when they represent different types. For example, when you want to connect a Ticket entity to a User entity by a AssignedTo relationship.

In the above figure, we are creating a AssignedTo relationship between a Jira Issue and an Okta User and indicating the corresponding attributes that are common between the two entities.

Path Relationships

Path relationships in the SGNL Graph enable you to define a path through multiple relationships. Once a path relationship is created, it can be directly referenced in a Policy Snippet. If a match is found during policy evaluation, access is granted.

Consider the graph above. If you want to implement a policy that restricts a user from accessing customer details in the CRM unless they are assigned a ticket created by that customer, you can create a Path relationship. This relationship, which could be named “UserToCustomer,” would traverse two relationships in the path: “Assignee” and “RelatesTo.” The “UserToCustomer” relationship can then be referenced in the SGNL policy snippet.

When a customer creates a ticket in the Customer Service Management (CSM) system and a user is assigned to that ticket, the policy evaluates to true. As a result, the user is allowed to access the customer’s details in the CRM. This approach ensures that access is granted based on relevant and specific criteria, maintaining both security and efficiency in data handling.

Parent Relationships

In certain scenarios, the business context provided by Systems of Record (SoR) can be quite complex, featuring multiple nestings of multi-valued complex attributes. These complex attributes may refer to a different entity within the SoR, adding to the complexity.

Example:

Using Jira Service Management APIs, Jira allows the creation of assets, which can subsequently be linked to Jira issues. The Jira Issues API schema represents these assets as a nested list of JSON objects, with each object containing the asset’s ID. In SGNL, a user might need to create a policy that assesses the state of an asset referenced in an issue. To facilitate this, and to enable both ingestion and policy evaluation in SGNL, users can create Child Entities and establish Parent relationships in the following manner:

1. Create an Asset Entity: Define an Asset Entity with relevant attributes, including the ID, for ingestion into the SGNL graph.
2. Create a ChildAsset Entity:

• Define the JSON Path to the child entity as the external ID.
• Ensure the attribute includes the external ID of the asset present in the Jira issue response.
• In the Parent Entity dropdown, select ‘Jira Issue’ as the parent and click ‘Save’.

3. Ingestion and Parent Relationship: Upon ingestion, SGNL automatically establishes a Parent relationship between ChildAsset entities and Jira Issue entities.

4. Create a Parent Relationship: Create a Parent relationship and designate ChildAsset as the child entity. This action creates a relationship named “parent,” which can be referenced in policy snippets.