Schema design brief

Safe membership is not account ownership.

A CMDB data model that makes Business Application and Application Instance affiliation the single source of truth for who can request, use, or rotate a privileged account — so a PAM vault enforces a permission model it never has to invent on its own.

cmdb_ci_business_app cmdb_ci_appl_instance u_pam_safe u_pam_account sys_user_group
business_app Fortis Trading Platform 1:N appl_instance Production · Non-Prod 1:N pam_safe tagged to instance 1:N pam_account AD · DB · Unix

What this model enforces

Three structural guarantees, derived directly from the schema rather than left to process discipline.

  • 01 No safe exists without an application affiliation. Every u_pam_safe row carries a mandatory foreign key to an appl_instance — there is no "unassigned" safe state.
  • 02 No user sees a safe outside their group. Catalog visibility is a join between sys_user_group membership and the safe's instance tag, resolved server-side at request time.
  • 03 Rotation rights are a separate grant from usage rights. The u_pam_safe_permission junction table stores permission level per grantee — use_retrieve vs reconcile — so the two are never bundled by default.

Explore the model