Membership Service Deep Dive
Master graph-based role management with Neo4j β identities, role hierarchies, delegations, access reviews, semantic search, and multi-tenant assignments.
πLearning Objectives
- Understand Neo4j graph database concepts and why it's ideal for identity relationships
- Learn about Identity, Role, Group, and Resource entities
- Explore relationship hierarchies and inheritance patterns
- Create and query role assignments with location scoping
- Understand delegations and access reviews
- Use semantic/vector search for identity discovery
- Learn how Membership integrates with PDP as a Policy Information Point (PIP)
π―Membership Service Overview
The Membership Service is the identity fabric of EmpowerNow β managing the complex web of relationships between users, roles, groups, resources, and organizational locations.
Core Capabilities
- Identity Management: Users, accounts, groups, and their attributes
- Role Management: Hierarchical roles with inheritance
- Location-Scoped Assignments: Role assignments bounded to organizational units
- Delegations: Time-bounded privilege delegation between users
- Access Reviews: Periodic certification of access rights
- Semantic Search: Vector-based identity and role discovery
- Policy Information Point: Provides user context to PDP for authorization decisions
https://membership.self.empowernow.ai (Port 8003)
API Docs: /docs
ποΈEntity Model
The membership service manages these core entities:
ββββββ
id, email, name"] Role["π Role
ββββββ
id, name, type"] Group["π₯ Group
ββββββ
id, name"] Location["π’ Location
ββββββ
id, name, path"] User -->|"HAS_ROLE"| Role User -->|"MEMBER_OF"| Group Role -->|"INHERITS"| Role Group -->|"BELONGS_TO"| Location style User fill:#0891b2,color:#fff style Role fill:#7c3aed,color:#fff style Group fill:#059669,color:#fff style Location fill:#f59e0b,color:#000
Entity Types
- User: Individual identity (from IdP)
- Role: Permission container (Admin, Editor, Viewer)
- Group: Collection of users and/or other groups
- Location: Organizational unit (Department, Team, Project)
πRelationship Types
- HAS_ROLE: User has a role (direct assignment)
- MEMBER_OF: User or Group belongs to a Group
- INHERITS: Role inherits from parent role
- BELONGS_TO: Entity belongs to a location
- SCOPED_AT: Role assignment scoped to location
Location-Scoped Roles
A user can have different roles at different locations:
# Alice is Admin at Engineering, but Viewer at Marketing
(alice:User)-[:HAS_ROLE {location: "engineering"}]->(admin:Role)
(alice:User)-[:HAS_ROLE {location: "marketing"}]->(viewer:Role)
π¬Exercise 1: Access Neo4j Browser
SELECT statements, Neo4j uses Cypherβa pattern-matching query language that reads like ASCII art. (user)-[:HAS_ROLE]->(role) literally looks like a relationship!
- Open http://localhost:7474
- Connect with default credentials (neo4j/neo4j or as configured)
- Explore the database schema
View Schema
// Show all node labels
CALL db.labels()
// Show all relationship types
CALL db.relationshipTypes()
// Visualize schema
CALL db.schema.visualization()
πExercise 2: Query Users and Roles
(u:User)-[:HAS_ROLE]->(r:Role {name: 'admin'}). The database does the rest.
// Find all users
MATCH (u:User) RETURN u.id, u.email, u.name LIMIT 10
// Find user's direct roles
MATCH (u:User {id: 'user-123'})-[:HAS_ROLE]->(r:Role)
RETURN r.name, r.description
// Find all roles (including inherited)
MATCH (u:User {id: 'user-123'})-[:HAS_ROLE|MEMBER_OF*]->(r:Role)
RETURN DISTINCT r.name
// Find users with specific role
MATCH (u:User)-[:HAS_ROLE]->(r:Role {name: 'admin'})
RETURN u.email, u.name
βExercise 3: Create Role Assignment via API
# Assign role to user
curl -k -X POST https://membership.self.empowernow.ai/api/v1/assignments \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d '{
"user_id": "user-123",
"role_id": "editor",
"location_id": "engineering",
"expires_at": "2025-12-31T23:59:59Z"
}'
Query User Roles via API
# Get user's effective roles
curl -k https://membership.self.empowernow.ai/api/v1/roles/user-123 \
-H "Authorization: Bearer $ACCESS_TOKEN"
πHow PDP Uses Membership (PIP Integration)
When PDP evaluates a policy, it queries Membership for user context via the Policy Information Point (PIP) endpoint:
- PDP receives authorization request with user ID
- MembershipPIP queries Membership service at
/api/v1/pip/membership/subject-enrichment - Membership returns effective roles, groups, delegations, and attributes
- PDP evaluates policy with enriched subject context
PIP Endpoint Example
# Get enriched subject for PDP policy evaluation
curl -k "https://membership.self.empowernow.ai/api/v1/pip/membership/subject-enrichment?subject_id=user-123" \
-H "Authorization: Bearer $ACCESS_TOKEN"
Membership results are cached in Redis. The cache TTL is configurable. Direct queries to Neo4j only happen on cache miss. Circuit breakers protect against cascading failures.
Copy curl and run in your terminal to fetch a user's effective roles from the Membership service.
You should see an array of roles assigned to the user, including direct assignments and inherited roles through group membership.
Copy curl and run in your terminal. This is what PDP calls to get enriched subject context for authorization decisions.
The response includes: effective roles, group memberships, active delegations, and subject attributesβeverything PDP needs for policy evaluation.
πThe Identity Graph Journey
Role Resolution Steps
- Cache Check: Redis is checked first for the user's cached roles
- Graph Traversal: On cache miss, Cypher query traverses HAS_ROLE and MEMBER_OF edges
- Inheritance Resolution: Roles inherited through role hierarchy are collected
- Delegation Merge: Active delegations are added to effective permissions
- Location Scoping: Roles are filtered by the requested location context
- Response + Cache: Results are cached and returned
@Prod"| Editor Eng -->|"HAS_ROLE"| Viewer Bob -->|"HAS_ROLE
@Prod"| Admin Bob -.->|"DELEGATES TO
until Feb 1"| Alice DevOps -->|"BELONGS_TO"| Prod Admin -->|"INHERITS"| Editor Editor -->|"INHERITS"| Viewer style Alice fill:#0891b2,color:#fff style Admin fill:#7c3aed,color:#fff style Editor fill:#7c3aed,color:#fff style Viewer fill:#7c3aed,color:#fff style Prod fill:#f59e0b,color:#000
In this example, Alice has:
- Direct: Editor role at Production
- Via Group: Viewer role (Engineering group has Viewer)
- Via Inheritance: Editor inherits Viewer permissions
- Via Delegation: Bob's Admin permissions until Feb 1
π€Delegations
Delegations allow users to temporarily grant their permissions to others β essential for vacation coverage, temporary assignments, and approval workflows.
Create a Delegation via API
# Create delegation
curl -k -X POST https://membership.self.empowernow.ai/api/v1/delegations \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d '{
"delegator_id": "alice-uuid",
"delegate_id": "bob-uuid",
"permission": "approve_expense",
"starts_at": "2026-01-15T00:00:00Z",
"expires_at": "2026-02-01T00:00:00Z",
"reason": "Vacation coverage"
}'
Delegations are audited and can be revoked at any time. Expired delegations are automatically excluded from PIP responses.
π€AI Agent Authorization
Why AI Agent Authorization Matters
- Identity Binding: Ensure an agent is truly acting for a specific user/service pair
- Delegation Clarity: Explicitly constrain what an agent can do (capabilities) and for how long
- Data Scope: Enforce tenant/row/column restrictions for safe RAG (Retrieval-Augmented Generation)
- Cost Control: Attach
budget_usdandmax_stepsto bound spend and chain length - Identity Chaining: Express eligibility for downstream provider tokens
The DELEGATES_TO Relationship
When a user delegates to an AI agent, the relationship carries rich metadata:
// User-to-Agent delegation in Neo4j
(user:User)-[:DELEGATES_TO {
id: "delegation:user1-to-agent1",
status: "active", // active|paused|revoked|expired
capabilities: ["mcp:flights:search", "mcp:flights:book"],
budget_usd: 25.0, // Max spend for this delegation
max_steps: 5, // Max tool invocations
valid_from: datetime(),
expires_at: datetime("2026-02-01"),
jkt: "sha256:abc123..." // DPoP key thumbprint
}]->(agent:AIAgent)
PIP Endpoints for AI Authorization
| Endpoint | Purpose | Returns |
|---|---|---|
/pip/membership/capabilities |
What can this agent do for this user? | ["mcp:flights:search", "mcp:flights:book"] |
/pip/membership/delegations |
Active delegations with budget/steps | {budget_usd: 25.0, max_steps: 5, ...} |
/pip/membership/data-scope |
What data can this subject access? | {tenant_ids: [...], row_filter_sql: "..."} |
/pip/membership/step-up |
Does this action require MFA? | {mfa_required: true, level: "strong"} |
/pip/membership/chain-eligibility |
What downstream tokens can be obtained? | [{audience: "api.flights.com", scopes: [...]}] |
When IdP issues tokens for user-bound agents, it embeds ARIA extensions based on active delegations:
{
"aria_extensions": {
"budget": { "unit": "usd", "amount": 25.0 },
"max_steps": 5,
"schema_pins": { "tool:flights": { "schema_hash": "sha256:..." } }
}
}
πAccess Reviews
Access Review Workflow
- Campaign Creation: Admin creates a review campaign targeting specific roles, groups, or all access
- Reviewer Assignment: System assigns reviewers (typically managers) based on organizational hierarchy
- Certification: Reviewers approve, revoke, or flag access for each assignment
- Remediation: Revoked access is automatically removed; flagged items escalate
- Audit: Complete audit trail of all decisions with timestamps and justifications
Access Review API
# Create an access review campaign
curl -X POST https://membership.self.empowernow.ai/api/v1/access-reviews \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d '{
"name": "Q1 2026 Engineering Access Review",
"scope": {
"location_id": "engineering",
"role_types": ["admin", "editor"]
},
"due_date": "2026-02-15T23:59:59Z",
"reviewer_assignment": "manager"
}'
# Certify an access item
curl -X POST https://membership.self.empowernow.ai/api/v1/access-reviews/{id}/certify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d '{
"item_id": "assignment-123",
"decision": "approve",
"justification": "User still needs Editor role for current project"
}'
Many compliance frameworks (SOX, SOC2, HIPAA) require periodic access reviews. The Membership service provides the audit trail and automation needed for certification.
πSemantic Search
The Membership service includes vector-based semantic search β find identities, roles, and resources using natural language queries.
Unified Search Endpoint
# Search for identities matching a description
curl -k "https://membership.self.empowernow.ai/api/search/unified?query=engineers%20who%20can%20approve%20deployments&limit=10" \
-H "Authorization: Bearer $ACCESS_TOKEN"
Identity Node Search
# Search by node type and filters
curl "https://membership.self.empowernow.ai/api/v1/identity_nodes/search?\
node_type=Person&search=John&system=active_directory&limit=10&skip=0"
# Search with metadata (includes total count, has_more flag)
curl "https://membership.self.empowernow.ai/api/v1/identity_nodes/search/with-metadata?\
node_type=Person&search=engineer&use_fulltext=true"
Full-Text Search Indexes
The Membership service maintains full-text indexes across identity properties:
- Labels indexed: Identity, Person, AIAgent, Group, Account
- Properties indexed: name, display_name, email, job_title, country, telephone
- Search modes: Substring (case-insensitive), Full-text with relevance scoring
Semantic search uses OpenAI embeddings stored in Neo4j vector indexes. Combines with full-text search for hybrid results. Set use_fulltext=true for relevance scoring and fuzzy matching.
πCypher Query Cookbook
Capability Check (User β Agent)
// What can this agent do for this user?
MATCH (u:User {id: $user_id})-[:DELEGATES_TO {status: 'active'}]->
(d:Delegation)-[:BINDS]->(:AIAgent {id: $agent_id})
MATCH (d)-[:HAS_CAPABILITY]->(c:Capability)
WHERE d.expires_at IS NULL OR d.expires_at > datetime()
RETURN collect(DISTINCT c.id) AS capabilities
Data Scope (Tenant Resolution)
// What tenants can this user access?
MATCH (u:User {id: $subject_id})-[:BELONGS_TO]->(t:Tenant)
OPTIONAL MATCH (u)-[:ASSIGNED_TO]->(:Project)-[:OWNED_BY]->(tp:Tenant)
WITH collect(DISTINCT t.id) + collect(DISTINCT tp.id) AS tids
RETURN {
tenant_ids: [x IN tids WHERE x IS NOT NULL],
row_filter_sql: CASE WHEN size(tids) > 0
THEN 'tenant_id IN (\'' + apoc.text.join(tids, '\',\'') + '\')'
ELSE '1=0'
END
} AS scope
Chain Eligibility (For Identity Chaining)
// What downstream tokens can be obtained for this tool?
MATCH (u:User {id: $user_id})-[:DELEGATES_TO {status: 'active'}]->
(:Delegation)-[:BINDS]->(:AIAgent {id: $agent_id})
-[:HAS_CAPABILITY]->(:Capability)-[:CAN_INVOKE]->(tool:Tool {id: $tool_id})
MATCH (tool)-[:REQUIRES]->(app:SaaSApp)
RETURN collect({
audience: app.audience,
scopes: app.scopes
}) AS chain_eligibility
ReBAC Walk: Expense Approval
// Can John approve this expense in cost center CC-100?
MATCH (u:User {id: $user_id})-[:MEMBER_OF]->(:Group)
-[:ASSIGNED_TO]->(br:BusinessRole {name: 'ExpenseApprover'})
MATCH (br)-[:SCOPED_TO]->(cc:CostCenter {id: $cost_center_id})
MATCH (r:ExpenseReport {id: $report_id})-[:BELONGS_TO]->(cc)
RETURN r.id AS report_id LIMIT 1
Find Orphan Nodes
// Find identities with no relationships (potential cleanup)
MATCH (n:Identity)
WHERE NOT (n)-[]-()
RETURN n.id, labels(n) AS type, n.name
LIMIT 50
Path Analysis
// Find shortest path between two identities
MATCH path = shortestPath(
(a:Identity {id: $from_id})-[*..10]-(b:Identity {id: $to_id})
)
RETURN path, length(path) AS hops
πKey API Endpoints Reference
Identity Management
| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/identities | GET/POST | List or create identities |
/api/v1/identities/{id} | GET/DELETE | Get or delete identity |
/api/v1/persons | POST | Create person identity |
/api/v1/ai-agents | POST | Create AI agent identity |
/api/v1/identities/fulltext-search | GET | Full-text identity search |
Roles & Assignments
| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/roles/{user_id} | GET | Get user's roles |
/api/v1/roles/batch | POST | Batch role lookup |
/api/v1/assignments | POST/PUT | Create or update assignment |
/api/v1/assignments/bulk | POST | Bulk create assignments |
/api/v1/brl | POST/PUT/DELETE | Business Role Location management |
Delegations & AI Agents
| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/delegations | POST/GET | Manage delegations |
/api/v1/agent/agents/{id}/control | PUT/GET/DELETE | Agent control relationships |
/api/v1/agent/agents/{id}/controllers | GET | List agent controllers |
PIP Endpoints (for PDP)
| Endpoint | Purpose |
|---|---|
/api/v1/pip/membership/subject-enrichment?subject_id={id} | Full subject enrichment |
/api/v1/pip/membership/capabilities | Agent capabilities for user |
/api/v1/pip/membership/delegations | Active delegations with budget/steps |
/api/v1/pip/membership/data-scope | Tenant and row filtering |
/api/v1/pip/membership/step-up | MFA requirements |
/api/v1/pip/membership/chain-eligibility | Identity chaining audiences/scopes |
Governance & Compliance
| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/access-reviews | POST/GET | Access review campaigns |
/api/v1/resources/{id}/owners | POST/GET/DELETE | Resource ownership |
/api/v1/rtrs/assign | POST | RTR (rights) assignment |
/api/v1/rtrs/assign-at | POST | Location-scoped RTR assignment |
Reports & Diagnostics
| Endpoint | Purpose |
|---|---|
/api/v1/reports/top-identities-by-accounts | Identities with most accounts |
/api/v1/reports/access-outliers | Unusual access patterns |
/api/v1/node-label-counts | Count nodes by label |
/api/v1/relationship-type-counts | Count relationships by type |
/api/v1/orphan-node-counts | Nodes without relationships |
/api/v1/shortest-path | Path between nodes |
/metrics | Prometheus metrics |
/health | Health check |
π¬Hands-on Labs
Let's explore the structure of the identity graph in Neo4j.
Open Neo4j Browser:
Navigate to http://localhost:7474 and log in.
View the database schema:
CALL db.schema.visualization()
This shows all node types and their relationships.
Count entities by type:
MATCH (n) RETURN labels(n)[0] as type, count(*) as count ORDER BY count DESC
Visualize a sample of the graph:
MATCH (u:User)-[r]->(n) RETURN u, r, n LIMIT 25
- Schema shows User, Role, Group, Location nodes
- Relationships include HAS_ROLE, MEMBER_OF, INHERITS, BELONGS_TO
- Visualization shows interconnected nodes
Understand how roles inherit from each other and how that affects effective permissions.
Find the role hierarchy:
// Show role inheritance tree
MATCH path = (child:Role)-[:INHERITS*]->(parent:Role)
RETURN child.name as child_role,
[n in nodes(path) | n.name] as inheritance_path
ORDER BY length(path) DESC
Find all permissions a role grants (including inherited):
// Get admin role and all it inherits
MATCH (r:Role {name: 'admin'})-[:INHERITS*0..]->(inherited:Role)
RETURN DISTINCT inherited.name as role, inherited.permissions as permissions
Find a user's effective roles through all paths:
// Alice's roles: direct, via groups, via inheritance
MATCH (u:User {id: 'alice'})
OPTIONAL MATCH directPath = (u)-[:HAS_ROLE]->(directRole:Role)
OPTIONAL MATCH groupPath = (u)-[:MEMBER_OF*]->(g:Group)-[:HAS_ROLE]->(groupRole:Role)
OPTIONAL MATCH inheritPath = (directRole)-[:INHERITS*]->(inheritedRole:Role)
RETURN DISTINCT
COALESCE(directRole.name, groupRole.name, inheritedRole.name) as role,
CASE
WHEN directRole IS NOT NULL THEN 'direct'
WHEN groupRole IS NOT NULL THEN 'via group'
ELSE 'inherited'
END as source
- How many levels deep is your role hierarchy?
- Does Admin inherit from Editor? Does Editor inherit from Viewer?
- What's the difference between direct and inherited roles?
Practice creating delegations via the API and see how they affect role resolution.
Get an access token:
ACCESS_TOKEN=$(curl -s -X POST https://idp.self.empowernow.ai/api/oidc/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=bff-client" \
-d "client_secret=YOUR_SECRET" \
-d "scope=openid membership.write" | jq -r '.access_token')
echo $ACCESS_TOKEN
Create a delegation:
curl -X POST https://membership.self.empowernow.ai/api/v1/delegations \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d '{
"delegator_id": "bob",
"delegate_id": "alice",
"permission": "approve_expense",
"starts_at": "2026-01-01T00:00:00Z",
"expires_at": "2026-02-01T00:00:00Z",
"reason": "Training lab exercise"
}' | jq .
Verify the delegation in Neo4j:
// Find active delegations
MATCH (delegator:User)-[d:DELEGATES_TO]->(delegate:User)
WHERE d.expires_at > datetime()
RETURN delegator.id, delegate.id, d.permission, d.expires_at
Check Alice's effective permissions now include the delegation:
curl -s "https://membership.self.empowernow.ai/api/v1/pip/membership/subject-enrichment?subject_id=alice" \
-H "Authorization: Bearer $ACCESS_TOKEN" | jq '.delegations'
- Delegation created successfully with 201 response
- Neo4j shows DELEGATES_TO relationship
- PIP response includes the active delegation
π§Troubleshooting Membership Issues
User can't access a resource. They insist they have the right role. PDP denies the request.
- Check if the role assignment has a location scope that doesn't match the request
- Verify the assignment hasn't expired
- Check if it's a direct role or inherited through a group
// Check all assignments for a user
MATCH (u:User {id: 'alice'})-[r:HAS_ROLE]->(role:Role)
RETURN role.name, r.location, r.expires_at, r.assigned_at
- Reassign role with correct location scope
- Extend expiration date if assignment was time-bounded
- Add user to the correct group for inherited access
Role assignment was just created, but PDP still denies access. Direct Neo4j query shows the role exists.
- Membership caches role lookups in Redis
- PDP also caches authorization decisions
- Both caches need to be invalidated or expire
- Wait for cache TTL to expire (default: 5 minutes)
- In development, restart the services to clear all caches
Role queries are extremely slow or timeout. CPU usage on Neo4j spikes during role lookups.
Check for cycles in role inheritance or group membership:
// Find cycles in role inheritance
MATCH path = (r:Role)-[:INHERITS*]->(r)
RETURN path
// Find cycles in group membership
MATCH path = (g:Group)-[:MEMBER_OF*]->(g)
RETURN path
- Remove the cyclic relationship
- Redesign the hierarchy to be strictly acyclic
- Add validation to prevent cycles during assignment
βKnowledge Check
Identity is fundamentally about relationships: who belongs to what, who has which roles, who delegated to whom. In SQL, you'd need multiple JOIN operations to traverse these relationships, which becomes slow and complex.
In Neo4j:
- Relationships are first-class citizens, not implied by foreign keys
- Traversing N levels of hierarchy is O(1) per hop, not O(N) JOINs
- Queries read like the patterns you're looking for
HAS_ROLE: Direct assignment of a role to a user or group. Can have properties like location scope and expiration.
MEMBER_OF: Indicates a user belongs to a group, or a group belongs to another group. Used for organizational structure.
A user's effective roles come from: (1) direct HAS_ROLE, (2) HAS_ROLE inherited through MEMBER_OF, and (3) INHERITS relationships between roles.
A role assignment that only applies within a specific organizational unit (location). For example:
- Alice is Admin at Engineering
- Alice is Viewer at Marketing
When PDP evaluates, it considers the location context of the request. Alice trying to delete something in Marketing would only have Viewer permissions, not Admin.
PDP uses a Policy Information Point (PIP) to fetch user context. The flow:
- PDP receives authorization request with user ID
- MembershipPIP calls
/api/v1/pip/membership/subject-enrichment?subject_id={id} - Membership returns effective roles, groups, delegations
- PDP evaluates policies with this enriched context
Results are cached to avoid calling Membership on every request.
Delegations are temporary permission transfers from one user to another. Use cases:
- Vacation coverage: Manager delegates approval authority
- Temporary assignments: Project lead role for a sprint
- Emergency access: On-call engineer gets elevated permissions
Delegations have start/end dates, reasons, and are fully audited. Expired delegations are automatically excluded from PIP responses.
Semantic search uses AI embeddings to find identities, roles, and resources by meaning rather than exact keywords.
Example: "engineers who can approve production deployments" finds users who:
- Have "engineer" in their title or group
- Have roles that include deployment approval permissions
- Have location scope that includes production
Uses OpenAI embeddings stored in Neo4j vector indexes, combined with full-text search for hybrid results.
Role inheritance means a role automatically includes all permissions of its parent roles. Common patterns:
- Admin β inherits β Editor β inherits β Viewer
- Having Admin means you can do everything Editor and Viewer can do
Technically inheritance can be arbitrarily deep, but in practice keep it to 3-4 levels for maintainability. Deep hierarchies become hard to audit and reason about.
πWeek 2 Assessment
Before moving to Week 3 (Plugin Development), verify you can:
- Obtain an access token from IdP using any flow
- Explain the difference between Access, Refresh, and ID tokens
- Make a PDP evaluation request and interpret the response
- Write a basic YAML policy rule
- Query Neo4j for user roles and group memberships
- Create a role assignment via the Membership API
- Understand how Membership integrates with PDP as a PIP
- Create and query delegations
End-to-End Integration: Get a token from IdP β Query Membership for user's effective roles β Make a PDP authorization request with subject properties β Verify the policy decision considers inherited roles and active delegations.
πDay 10 Checkpoint
- Understand why Neo4j is ideal for identity relationships
- Know all core entity types: Identity, Role, Group, Resource, Location
- Can query Neo4j for users, roles, and hierarchies using Cypher
- Understand location-scoped role assignments
- Can create delegations and understand their lifecycle
- Understand access reviews and governance workflows
- Can use semantic search to find identities and roles
- Understand how PDP uses Membership as a Policy Information Point
- Completed Week 2 assessment