Entities and Relationships

Systems of Record

Systems of Record (SoR) provide SGNL with valuable business context in order to make policy decisions. When you configure a System of Record, you tell SGNL how to connect to the source, as well as describe the types of objects and attributes you want to bring into the SGNL graph.

SGNL Graph

Once the Systems of Record are configured and data ingestion commences, SGNL begins to construct a graph from the ingested data. Consider a graph created by integrating employee data from an Identity Provider (IdP), ticket data from a Customer Service Management system, customer data from a CRM, and on-call schedules from an on-call management system. In SGNL, nodes represent entities, and edges represent relationships.

For example, consider an access policy stating that Employees who are Engineers can only work on a Customer ticket if they are assigned to the ticket and are also on-call at the time. The graph includes all necessary context for SGNL to make this decision. Any changes in ticket assignments or on-call status are automatically updated by SGNL, maintaining the accuracy of the relationships in the graph. For instance, if an engineer is removed as an assignee from a ticket, the Assignee relationship is also removed, and consequently, the policy will no longer apply to that user.

Entities and Attributes

Entities and their Attributes for a SoR may be created either through a SoR Template YAML file in Catalogs (recommended), or directly through the SGNL Console.

Creating Entities and Attributes through a SoR template YAML file

SGNL allows the creation of SoRs using YAML templates. Please refer to SGNL Catalog and Templates documentation.

Creating Entities and Attributes through the SGNL Console

If you are quickly testing Entities and Attributes creation and synchronization, you can create them through the SGNL Console.

  1. For the SoR of interest, click on “Add Entity”

Add Entity

  1. Add Entity details. These fields directly map to entity fields supported by YAML templates

Add Entity Details

  1. Click on “Add Attribute”, and enter Attribute details. The supported fields can be found in YAML templates

Add Attribute

  1. Repeat for other attributes. Once saved, enable ingestion on the entity. If the SoR and Entities are configured correctly, you should see a log for successful ingestion in SGNL Ingestion Logs.


SGNL automatically creates relationships between entities for most well-known SoRs that are launched through SGNL-managed catalogs and templates. For any such SoR, you can check out the created relationships in the SoR’s Relationships tab. For example, SGNL creates the following relationships for Okta:

Relationships created for Okta by SGNL

SGNL also allows the creation of custom relationships between entities. Such relationships can then be referred to in policies for access evaluation. SGNL supports three types of relationships:

  1. Entity Relationships
  2. Path Relationships
  3. Parent Relationships

Entity Relationships

Entity relationships are used to associate entities that may be related in some way. There are two types of Entity relationships:

Same-As relationship

Create a Same-As relationship between two entities when they represent the same type. For example, the User entity and On-Call User entity in the example graph represent the type User.

Same-As Relationship

In the above figure, we are creating a Same-As relationship between an Okta User and a Jira User and indicating the corresponding attributes that are common between the two entities.

Custom Entity Relationship

Create a Custom Entity relationship between two entities when they represent different types. For example, when you want to connect a Ticket entity to a User entity by a AssignedTo relationship.

Custom Entity Relationship

In the above figure, we are creating a AssignedTo relationship between a Jira Issue and an Okta User and indicating the corresponding attributes that are common between the two entities.

Path Relationships

Path relationships in the SGNL Graph enable you to define a path through multiple relationships. Once a path relationship is created, it can be directly referenced in a Policy Snippet. If a match is found during policy evaluation, access is granted.

Consider the graph above. If you want to implement a policy that restricts a user from accessing customer details in the CRM unless they are assigned a ticket created by that customer, you can create a Path relationship. This relationship, which could be named “UserToCustomer,” would traverse two relationships in the path: “Assignee” and “RelatesTo.” The “UserToCustomer” relationship can then be referenced in the SGNL policy snippet.

When a customer creates a ticket in the Customer Service Management (CSM) system and a user is assigned to that ticket, the policy evaluates to true. As a result, the user is allowed to access the customer’s details in the CRM. This approach ensures that access is granted based on relevant and specific criteria, maintaining both security and efficiency in data handling.

Parent Relationships

In certain scenarios, the business context provided by Systems of Record (SoR) can be quite complex, featuring multiple nestings of multi-valued complex attributes. These complex attributes may refer to a different entity within the SoR, adding to the complexity.


Using Jira Service Management APIs, Jira allows the creation of assets, which can subsequently be linked to Jira issues. The Jira Issues API schema represents these assets as a nested list of JSON objects, with each object containing the asset’s ID. In SGNL, a user might need to create a policy that assesses the state of an asset referenced in an issue. To facilitate this, and to enable both ingestion and policy evaluation in SGNL, users can create Child Entities and establish Parent relationships in the following manner:

  1. Create an Asset Entity: Define an Asset Entity with relevant attributes, including the ID, for ingestion into the SGNL graph.
  2. Create a ChildAsset Entity:

Child Entity

  • Define the JSON Path to the child entity as the external ID.
  • Ensure the attribute includes the external ID of the asset present in the Jira issue response.
  • In the Parent Entity dropdown, select ‘Jira Issue’ as the parent and click ‘Save’.
  1. Ingestion and Parent Relationship: Upon ingestion, SGNL automatically establishes a Parent relationship between ChildAsset entities and Jira Issue entities.

Parent Relationship

  1. Create a Parent Relationship: Create a Parent relationship and designate ChildAsset as the child entity. This action creates a relationship named “parent,” which can be referenced in policy snippets.