Core Concepts
Understand the fundamental building blocks of TigerIdentity. Master these concepts to design and implement effective Zero Standing Privilege architectures.
How It All Fits Together
TigerIdentity creates a real-time graph of identities and resources, evaluates access decisions against dynamic policies, and continuously monitors for changes that should trigger re-evaluation.
1. Ingest
Connectors sync identity and resource data from all your systems into the Identity Fabric.
2. Evaluate
The Decision Engine evaluates access requests against policies in real-time with full context.
3. Monitor
CAEP events trigger continuous re-evaluation and automatic session revocation when needed.
Zero Standing Privilege: access is granted just-in-time, expires automatically, and is continuously validated.
Principals
Who is requesting access
A principal is any entity that can request access to resources. TigerIdentity supports three types of principals, each with full lifecycle management and continuous verification.
Humans
End users authenticated via SSO, with identity federated from providers like Okta, Azure AD, or Google Workspace.
Services
Non-human identities like service accounts, API keys, and machine identities used by applications and infrastructure.
AI Agents
Autonomous agents operating through MCP (Model Context Protocol), with specialized governance and audit trails.
Key Capabilities
- Automatic entity resolution and deduplication across sources
- Real-time attribute synchronization from authoritative systems
- Support for nested groups and dynamic membership
- Lifecycle tracking: created, active, suspended, terminated
Resources
What is being accessed
Resources are the assets, systems, and data that principals request access to. TigerIdentity models resources with rich metadata and hierarchical relationships.
Infrastructure
Cloud resources (AWS, Azure, GCP), databases, Kubernetes clusters, and compute instances.
Applications
SaaS applications, internal tools, APIs, and microservices.
Data
Databases, object storage, data warehouses, and sensitive data repositories.
Key Capabilities
- Hierarchical resource modeling with inheritance
- Rich tagging and metadata (environment, sensitivity, owner)
- Automatic discovery from connected systems
- Resource-specific action sets (read, write, admin, etc.)
Policies
Rules governing access
Policies define the rules for who can access what, when, and under which conditions. Unlike static RBAC, TigerIdentity policies are dynamic, context-aware, and continuously evaluated.
Access Policies
Core policies that grant or deny access based on subjects, resources, actions, and conditions.
Derived Policies
Auto-generated policies based on templates, roles, or policy-as-code frameworks like OPA.
Emergency Access
Break-glass policies for critical incidents, with enhanced logging and required justification.
Key Capabilities
- YAML-based DSL for human-readable policies
- Support for complex conditions (time, location, risk, MFA)
- Policy simulation and testing before deployment
- Version control and rollback capabilities
- Priority-based policy evaluation with conflict resolution
Decisions
Real-time access evaluations
Every access request results in a decision: allow or deny. TigerIdentity evaluates decisions in real-time with sub-50ms latency, considering all applicable policies and current context.
Synchronous
Inline decisions evaluated during the request flow, blocking until a decision is reached.
Asynchronous
Background evaluations for continuous authorization, with callbacks to revoke access if conditions change.
Batch
Bulk decision requests for efficiency when checking multiple permissions at once.
Key Capabilities
- Sub-50ms p95 latency for decision API
- Comprehensive decision logs with full context
- Decision caching with automatic invalidation
- Support for explain mode (why was access granted/denied)
- Real-time decision analytics and monitoring
Connectors
Integrations with external systems
Connectors ingest identity and resource data from your existing infrastructure. TigerIdentity provides 50+ pre-built connectors with automatic synchronization and entity resolution.
Identity Providers
Okta, Azure AD, Google Workspace, Auth0, OneLogin, and other IdPs for user and group data.
Cloud Platforms
AWS, Azure, GCP for IAM roles, resources, and service accounts.
Infrastructure
Kubernetes, databases, VPNs, and on-premises systems.
Key Capabilities
- Real-time sync with configurable intervals
- Automatic entity resolution across multiple sources
- Incremental updates for efficiency
- Webhook support for instant notifications
- Custom connector SDK for proprietary systems
Events (CAEP)
Continuous security signals
TigerIdentity implements CAEP (Continuous Access Evaluation Protocol) to receive and act on real-time security events from identity providers and security tools.
Security Events
Impossible travel, suspicious activity, compromised credentials, and other security signals.
Compliance Events
Termination events, policy changes, and compliance-related triggers.
Risk Events
Risk score changes, device compliance violations, and contextual risk signals.
Key Capabilities
- Standard CAEP (RFC 8935) event format
- Automatic session revocation based on events
- Event correlation and deduplication
- Custom event handlers and webhooks
- Full audit trail of event processing
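The receiving side of the CAEP integration, as an added illustration rather than TigerIdentity's own code: a receiver that validates the decoded claims of a Security Event Token (SET), drops redeliveries by `jti`, and maps each event type to an internal action. The event type URIs are the ones defined in the OpenID CAEP specification; the issuer, audience, subject and `jti` in the sample payload are constructed, and the receiver assumes the SET's JWT signature was already verified by the transport layer in front of it.

```python
import json

# Event type URIs from the OpenID CAEP specification and the action each one maps to here.
CAEP_ACTIONS = {
    "https://schemas.openid.net/secevent/caep/event-type/session-revoked": "revoke_sessions",
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": "reevaluate",
    "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change": "reevaluate",
    "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change": "reevaluate",
    "https://schemas.openid.net/secevent/caep/event-type/token-claims-change": "reevaluate",
}


class CaepReceiver:
    """Validates decoded SET claims, deduplicates on jti and maps events to actions."""

    def __init__(self, trusted_issuers, audience):
        self.trusted_issuers = set(trusted_issuers)
        self.audience = audience
        self.seen_jti: set = set()      # in production: a persistent store with retention
        self.audit: list = []           # every SET and event leaves an audit record

    def receive(self, claims: dict) -> list:
        # Input is the already-verified JWT payload; signature checks happen upstream.
        if claims.get("iss") not in self.trusted_issuers:
            raise ValueError(f"untrusted issuer: {claims.get('iss')!r}")
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.audience not in aud:
            raise ValueError("SET not addressed to this receiver")
        jti = claims.get("jti")
        if not jti or not isinstance(claims.get("events"), dict):
            raise ValueError("missing jti or events claim")
        if jti in self.seen_jti:        # redelivery of a SET already processed
            self.audit.append({"jti": jti, "outcome": "duplicate"})
            return []
        self.seen_jti.add(jti)
        subject = claims.get("sub_id", {})
        actions = []
        for uri, payload in claims["events"].items():
            action = CAEP_ACTIONS.get(uri, "ignore")   # unknown types are logged, not acted on
            actions.append({"action": action, "event_type": uri, "subject": subject,
                            "event_timestamp": payload.get("event_timestamp"),
                            "reason": payload.get("reason_admin")})
            self.audit.append({"jti": jti, "event_type": uri, "outcome": action})
        return [a for a in actions if a["action"] != "ignore"]


# Constructed sample: the decoded payload of a session-revoked SET, not a real IdP capture.
SAMPLE_SET = json.loads("""{
  "iss": "https://idp.example.com/",
  "jti": "set-0001",
  "iat": 1717549200,
  "aud": "https://tigeridentity.example.com/caep",
  "sub_id": {"format": "email", "email": "alice@example.com"},
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/session-revoked": {
      "event_timestamp": 1717549200,
      "reason_admin": {"en": "Impossible travel detected"}
    }
  }
}""")


def demo() -> tuple:
    # First delivery yields one revoke action; redelivery of the same jti yields none.
    rx = CaepReceiver(["https://idp.example.com/"], "https://tigeridentity.example.com/caep")
    first = rx.receive(SAMPLE_SET)
    second = rx.receive(SAMPLE_SET)
    return len(first), len(second)
```

The dedup store and audit list are kept in memory here; the point is that every SET is checked for issuer and audience before its events are trusted, that redelivered tokens are idempotent, and that an unrecognised event type is recorded rather than silently turned into an action.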
Access Request Flow
Here's what happens when a principal requests access to a resource.
Request Received
Application makes a decision API call with principal, resource, action, and context.
Identity Resolution
TigerIdentity resolves the principal identity, group memberships, and attributes from the Identity Fabric.
Policy Matching
The Decision Engine finds all policies that apply to this principal, resource, and action combination.
Condition Evaluation
Each policy condition is evaluated against the current context (time, location, MFA status, risk score, etc.).
Decision Rendered
A final allow or deny decision is returned based on policy priority and conflict resolution rules.
Session Created
If allowed, a session is created with the specified TTL and registered for continuous evaluation.
Continuous Monitoring
CAEP events are monitored for changes that might invalidate the session (security events, policy updates, etc.).
Automatic Revocation
If conditions change or TTL expires, the session is automatically revoked and the application is notified.
Example Scenario
Let's walk through a complete example to see how these concepts work together.
Principal
Alice, a DevOps engineer, is a member of the "engineering" group in Okta. She completed MFA 10 minutes ago and is working from a managed MacBook Pro.
Resource
PostgreSQL production database ("prod-postgres") tagged with environment=production and sensitivity=high.
Policy
The engineering database access policy allows engineers to read/write production databases during business hours (9-5 PT) with recent MFA, subject to an 8-hour session limit.
Decision
Alice requests write access at 2:00 PM on Tuesday. All conditions satisfied: business hours, recent MFA, managed device. Access ALLOWED for 8 hours.
Continuous Evaluation
At 6:00 PM, a CAEP event arrives: "impossible travel" detected for Alice's account. TigerIdentity automatically revokes all active sessions and notifies the application.
Zero Standing Privilege in Action
Alice never had "standing access" to the production database. Access was granted just-in-time when needed and would have expired after 8 hours, but it was automatically revoked after 4 hours when suspicious activity was detected. No manual intervention was required.
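The access request flow and the Alice scenario above, modelled as an added Python example. It is not TigerIdentity code: the class names, the policy fields, the first-match treatment of policy priority and the fixed UTC-7 offset standing in for Pacific Time are all assumptions made here. `run_scenario()` replays the walkthrough with constructed data: the 2:00 PM write request is allowed with an 8-hour TTL, the 6:00 PM security event revokes the live session, and a later request is denied with explain-mode reasons.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed UTC-7 offset stands in for Pacific Time so this runs without tzdata installed.
PT = timezone(timedelta(hours=-7), "PDT")

@dataclass
class Principal:
    name: str
    groups: set[str]
    last_mfa: datetime               # when the principal last completed MFA
    managed_device: bool

@dataclass
class Resource:
    name: str
    tags: dict[str, str]             # e.g. environment=production, sensitivity=high

@dataclass
class Policy:
    name: str
    groups: set[str]                 # subject groups the policy applies to
    resource_tags: dict[str, str]    # every tag listed here must match the resource
    actions: set[str]
    business_hours: tuple[int, int]  # local hours, start inclusive, end exclusive
    max_mfa_age: timedelta
    require_managed_device: bool
    ttl: timedelta                   # session lifetime granted on allow

@dataclass
class Decision:
    allowed: bool
    reasons: list[str]               # explain mode: why access was granted or denied
    ttl: timedelta | None = None

@dataclass
class Session:
    principal: str
    resource: str
    action: str
    expires_at: datetime
    revoked_by: str | None = None    # event type that revoked the session, if any

class DecisionEngine:
    def __init__(self, policies: list[Policy]):
        self.policies = policies
        self.sessions: list[Session] = []

    def decide(self, p: Principal, r: Resource, action: str, now: datetime) -> Decision:
        # Policy matching: subject group, action and resource tags must all line up.
        matched = [pol for pol in self.policies
                   if pol.groups & p.groups and action in pol.actions
                   and all(r.tags.get(k) == v for k, v in pol.resource_tags.items())]
        if not matched:
            return Decision(False, ["no policy matches this principal, resource and action"])
        reasons: list[str] = []
        for pol in matched:  # list order stands in for policy priority
            # Condition evaluation against the request-time context.
            hour = now.astimezone(PT).hour
            failed = []
            if not pol.business_hours[0] <= hour < pol.business_hours[1]:
                failed.append(f"outside business hours ({hour}:00 PT)")
            if now - p.last_mfa > pol.max_mfa_age:
                failed.append("MFA too old")
            if pol.require_managed_device and not p.managed_device:
                failed.append("unmanaged device")
            if not failed:
                # Session created with the policy TTL; nothing persists beyond it.
                self.sessions.append(Session(p.name, r.name, action, now + pol.ttl))
                return Decision(True, [f"{pol.name}: all conditions satisfied"], pol.ttl)
            reasons.append(f"{pol.name}: " + "; ".join(failed))
        return Decision(False, reasons)

    def on_security_event(self, principal: str, event_type: str) -> int:
        live = [s for s in self.sessions if s.principal == principal and s.revoked_by is None]
        for s in live:
            s.revoked_by = event_type
        return len(live)

    def active_sessions(self, principal: str, now: datetime) -> list[Session]:
        return [s for s in self.sessions
                if s.principal == principal and s.revoked_by is None and now < s.expires_at]

def run_scenario() -> dict:
    # Replays the Alice / prod-postgres walkthrough with constructed data.
    tuesday_2pm = datetime(2024, 6, 4, 14, 0, tzinfo=PT)
    alice = Principal("alice", {"engineering"}, tuesday_2pm - timedelta(minutes=10), True)
    prod_db = Resource("prod-postgres", {"environment": "production", "sensitivity": "high"})
    policy = Policy("engineering-db-access", {"engineering"}, {"environment": "production"},
                    {"read", "write"}, (9, 17), timedelta(hours=1), True, timedelta(hours=8))
    engine = DecisionEngine([policy])
    granted = engine.decide(alice, prod_db, "write", tuesday_2pm)
    six_pm = tuesday_2pm + timedelta(hours=4)
    before = len(engine.active_sessions("alice", six_pm))
    revoked = engine.on_security_event("alice", "impossible-travel")
    after = len(engine.active_sessions("alice", six_pm))
    late = engine.decide(alice, prod_db, "write", six_pm + timedelta(hours=2))
    return {"allowed": granted.allowed, "ttl_hours": granted.ttl / timedelta(hours=1),
            "active_before_event": before, "revoked": revoked, "active_after_event": after,
            "late_allowed": late.allowed, "late_reasons": late.reasons}
```

Two design points carry over from the text: the session record is the only thing that holds the grant, so once it is revoked or past its TTL there is no lingering entitlement to clean up, and every deny returns the failed conditions so that an operator can see which control did the work.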
Next Steps
Create Your First Policy
Apply these concepts by building a real access policy with the YAML DSL.
Connect Your Systems
Integrate TigerIdentity with your identity providers and infrastructure.
Identity Fabric Deep Dive
Learn how the Identity Fabric creates a unified view of all identities and resources.
Policy Engine Architecture
Understand how policies are compiled, evaluated, and optimized for performance.