Schema design brief
Safe membership is not account ownership.
A CMDB data model that makes Business Application and Application Instance affiliation the single source of truth for who can request, use, or rotate a privileged account — so a PAM vault enforces a permission model it never has to invent on its own.
cmdb_ci_business_app
cmdb_ci_appl_instance
u_pam_safe
u_pam_account
sys_user_group
What this model enforces
Three structural guarantees, derived directly from the schema rather than left to process discipline.
-
01
No safe exists without an application affiliation. Every
u_pam_saferow carries a mandatory foreign key to anappl_instance— there is no "unassigned" safe state. -
02
No user sees a safe outside their group. Catalog visibility is a join between
sys_user_groupmembership and the safe's instance tag, resolved server-side at request time. -
03
Rotation rights are a separate grant from usage rights. The
u_pam_safe_permissionjunction table stores permission level per grantee —use_retrievevsreconcile— so the two are never bundled by default.