Context

Context represents why access is needed and provides organizational information in the Alien Giraffe access control model. This component integrates with identity providers, HR systems, and compliance platforms to supply contextual data—user identities, team memberships, manager hierarchies, employment status, and access purposes. Policies reference this component through their context: field, which states the justification an access request must carry.

Context is one of the five core components that policies coordinate. When you define a policy, the context: field specifies why access is being requested (e.g., customer-support, incident-response, analytics). This component provides the infrastructure for capturing and validating that contextual information through integrations with Systems of Record—the authoritative sources for organizational data.

Instead of maintaining a separate user database, Alien Giraffe integrates with your existing systems. When a user requests data access, Alien Giraffe queries these systems to verify:

  • Who is this user?
  • Which teams are they on?
  • Are they still employed?
  • What’s their job role?
  • Who is their manager?

This integration ensures access control stays synchronized with your organization’s reality—when someone joins, changes roles, or leaves, access permissions update automatically.

Key Benefits:

  • Single Source of Truth - No duplicate user management
  • Automatic Synchronization - Changes propagate immediately
  • Lifecycle Management - Access revoked when employees leave
  • Compliance - Audit trail tied to authoritative records
  • Reduced Overhead - No manual user provisioning

Authenticate users and provide identity attributes:

Cloud Identity Providers:

  • Okta - Enterprise SSO and identity management
  • Azure Active Directory (Entra ID) - Microsoft cloud identity
  • Google Workspace - Google’s identity platform
  • Auth0 - Developer-focused authentication
  • OneLogin - Cloud-based identity management

On-Premises/Hybrid:

  • Active Directory - Windows domain services
  • LDAP - Lightweight Directory Access Protocol
  • SAML 2.0 IdP - Generic SAML providers
  • Keycloak - Open-source identity and access management

Provide employee lifecycle data:

Cloud HR Systems:

  • Workday - Enterprise resource planning and HCM
  • BambooHR - SMB-focused HR management
  • Rippling - Unified HR, IT, and finance
  • ADP Workforce Now - Payroll and HR
  • Namely - HR, payroll, and benefits

Integration Benefits:

  • Employee start/end dates
  • Department and team assignments
  • Manager hierarchy
  • Job titles and levels
  • Employment status

Track IT assets and access requests:

ITSM Platforms:

  • ServiceNow - Enterprise IT service management
  • Jira Service Management - Atlassian’s ITSM platform
  • Freshservice - Cloud-based IT service desk
  • Zendesk - Customer service and ticketing

Use Cases:

  • Track access requests
  • Link to incident tickets
  • Asset management integration
  • Change management workflows

Governance, risk, and compliance tools:

GRC Platforms:

  • Drata - Automated compliance monitoring
  • Vanta - Security and compliance automation
  • OneTrust - Privacy and data governance
  • AuditBoard - Risk and compliance management

Integration Benefits:

  • Compliance evidence collection
  • Access reviews and certification
  • Risk assessment data
  • Control effectiveness tracking

Integrate Okta as identity provider:

apiVersion: v1
kind: IdentityProvider
metadata:
  name: okta-integration
  namespace: production
spec:
  type: oidc
  provider: okta
  config:
    issuer: https://company.okta.com
    clientId: alien-giraffe-prod
    clientSecretRef: okta-client-secret
    discoveryURL: https://company.okta.com/.well-known/openid-configuration
  attributeMapping:
    # Map Okta attributes to Alien Giraffe user properties
    - claim: email
      target: user.email
      required: true
    - claim: given_name
      target: user.firstName
    - claim: family_name
      target: user.lastName
    - claim: groups
      target: user.teams
      transform: lowercase  # Normalize team names
    - claim: department
      target: user.department
    - claim: manager_email
      target: user.manager
  groupSync:
    enabled: true
    filter: "alien-giraffe-*"  # Only sync specific groups
    schedule: "*/15 * * * *"  # Every 15 minutes
  sessionManagement:
    timeout: 8h
    renewalEnabled: true

Configure Azure Active Directory with SAML:

apiVersion: v1
kind: IdentityProvider
metadata:
  name: azure-ad
  namespace: production
spec:
  type: saml
  provider: azure-ad
  config:
    entityId: https://a10e.company.com
    ssoURL: https://login.microsoftonline.com/tenant-id/saml2
    certificate: |
      -----BEGIN CERTIFICATE-----
      [Azure AD signing certificate]
      -----END CERTIFICATE-----
  attributeMapping:
    - claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      target: user.email
    - claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
      target: user.firstName
    - claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
      target: user.lastName
    - claim: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
      target: user.teams
  groupMapping:
    # Map Azure AD group IDs to Alien Giraffe teams
    - azureGroupId: "a1b2c3d4-..."
      team: engineering
    - azureGroupId: "e5f6g7h8-..."
      team: data-science
  mfa:
    enforced: true
    trustAzureMFA: true  # Trust Azure's MFA verification

Connect Google Workspace for identity:

apiVersion: v1
kind: IdentityProvider
metadata:
  name: google-workspace
  namespace: production
spec:
  type: oidc
  provider: google
  config:
    hostedDomain: company.com  # Restrict to company domain
    clientId: google-oauth-client-id
    clientSecretRef: google-oauth-secret
    scopes:
      - openid
      - email
      - profile
      - https://www.googleapis.com/auth/admin.directory.group.readonly
  attributeMapping:
    - claim: email
      target: user.email
      required: true
    - claim: hd  # Hosted domain
      target: user.domain
      validate: company.com
  groupSync:
    enabled: true
    apiCredentialsRef: google-service-account
    orgUnit: /  # Sync all org units
    schedule: "0 * * * *"  # Hourly

Sync employee data from Workday:

apiVersion: v1
kind: HRSystem
metadata:
  name: workday-integration
  namespace: production
spec:
  type: workday
  provider: workday
  connection:
    tenantName: company_production
    apiEndpoint: https://wd2-impl-services1.workday.com
    username: integration-user
    passwordRef: workday-password
  sync:
    enabled: true
    schedule: "0 */6 * * *"  # Every 6 hours
    attributes:
      - workdayField: Worker_ID
        target: user.employeeId
      - workdayField: Email_Address
        target: user.email
      - workdayField: Legal_Name
        target: user.fullName
      - workdayField: Job_Title
        target: user.jobTitle
      - workdayField: Department
        target: user.department
      - workdayField: Manager_Email
        target: user.manager
      - workdayField: Hire_Date
        target: user.startDate
      - workdayField: Termination_Date
        target: user.endDate
  lifecycle:
    # Automatically handle employee lifecycle
    onHire:
      - action: create-user
      - action: notify
        recipients: [it-team@company.com]
    onTermination:
      - action: revoke-all-access
      - action: archive-audit-logs
      - action: notify
        recipients: [security@company.com]
    onDepartmentChange:
      - action: reevaluate-policies
      - action: audit-log

Connect to Active Directory or LDAP server:

apiVersion: v1
kind: IdentityProvider
metadata:
  name: active-directory
  namespace: production
spec:
  type: ldap
  provider: active-directory
  connection:
    host: ldap.company.internal
    port: 636
    baseDN: dc=company,dc=com
    bindDN: cn=alien-giraffe,ou=service-accounts,dc=company,dc=com
    bindPasswordRef: ldap-bind-password
    useTLS: true
    tlsVerify: true
  userSearch:
    baseDN: ou=users,dc=company,dc=com
    filter: (objectClass=person)
    attributes:
      - userPrincipalName
      - mail
      - givenName
      - sn
      - department
      - manager
  groupSearch:
    baseDN: ou=groups,dc=company,dc=com
    filter: (objectClass=group)
    memberAttribute: member
    nameAttribute: cn
  attributeMapping:
    - ldapAttribute: mail
      target: user.email
    - ldapAttribute: givenName
      target: user.firstName
    - ldapAttribute: sn
      target: user.lastName
    - ldapAttribute: department
      target: user.department
    - ldapAttribute: manager
      target: user.manager
      transform: extract-email  # Extract email from DN
  sync:
    schedule: "*/30 * * * *"  # Every 30 minutes
    fullSyncSchedule: "0 2 * * *"  # Full sync daily at 2 AM

Link access requests to ServiceNow tickets:

apiVersion: v1
kind: ITSMIntegration
metadata:
  name: servicenow
  namespace: production
spec:
  type: servicenow
  connection:
    instanceURL: https://company.service-now.com
    username: alien-giraffe-integration
    passwordRef: servicenow-password
  requestTracking:
    enabled: true
    createTicket:
      onAccessRequest: true
      category: Data Access Request
      assignmentGroup: Data Governance
      priority: 3
    updateTicket:
      onApproval: true
      onDenial: true
      onExpiration: true
  approvalWorkflow:
    useServiceNowApprovals: true  # Delegate approvals to ServiceNow
    syncApprovalDecisions: true
  auditLogging:
    exportToServiceNow: true
    table: x_alien_access_audit
    schedule: "0 * * * *"  # Hourly

Map external system attributes to Alien Giraffe user model:

Standard Attributes:

  • user.email - Primary email address (required)
  • user.firstName - First/given name
  • user.lastName - Last/family/surname
  • user.fullName - Complete name
  • user.employeeId - Employee/user ID
  • user.department - Department or business unit
  • user.jobTitle - Job title or role
  • user.manager - Manager’s email or ID
  • user.location - Office location or region
  • user.startDate - Employment start date
  • user.endDate - Employment end date (if terminated)

Custom Attributes:

attributeMapping:
  - claim: cost_center
    target: user.custom.costCenter
  - claim: security_clearance
    target: user.custom.clearanceLevel
  - claim: contractor_status
    target: user.custom.isContractor
    type: boolean

Map external groups to internal teams:

Direct Mapping:

groupMapping:
  - externalGroup: "engineering-team"
    team: engineering
  - externalGroup: "data-scientists"
    team: data-science

Pattern-Based Mapping:

groupMapping:
  - pattern: "team-*"
    transform: remove-prefix  # team-engineering → engineering
  - pattern: "*-admin"
    transform: add-suffix-admin  # db-admin → db (with admin flag)

Hierarchical Groups:

groupMapping:
  - externalGroup: "engineering"
    teams:
      - engineering
      - engineering-backend  # Nested groups
      - engineering-frontend
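The three mapping styles above resolved by one function, as an added example that is not Alien Giraffe's own code. The rule shapes are the page's; the first-match-wins ordering, glob matching for patterns, and representing the "admin flag" as a separate set are assumptions.

```python
"""Resolve external IdP groups to Alien Giraffe teams using the page's three
groupMapping styles: direct, pattern-based and hierarchical (added example)."""
import fnmatch

def map_groups(external_groups, rules):
    """Return (teams, admin_teams); groups no rule claims are dropped, never guessed."""
    teams, admin = set(), set()
    for group in external_groups:
        for rule in rules:  # assumption: the first matching rule wins, so order rules deliberately
            if "externalGroup" in rule:
                if group != rule["externalGroup"]:
                    continue
                # direct mapping: a single team, or a hierarchical list of nested teams
                teams.update(rule.get("teams") or [rule["team"]])
                break
            if not fnmatch.fnmatchcase(group, rule["pattern"]):
                continue
            if rule["transform"] == "remove-prefix":      # team-engineering -> engineering
                teams.add(group[len(rule["pattern"].rstrip("*")):])
            elif rule["transform"] == "add-suffix-admin":  # db-admin -> db (with admin flag)
                base = group[:-len(rule["pattern"].lstrip("*"))]
                teams.add(base)
                admin.add(base)
            break
    return sorted(teams), sorted(admin)

# Constructed sample: the page's rules in one list, plus a group that no rule claims
RULES = [
    {"externalGroup": "engineering",
     "teams": ["engineering", "engineering-backend", "engineering-frontend"]},
    {"externalGroup": "data-scientists", "team": "data-science"},
    {"pattern": "team-*", "transform": "remove-prefix"},
    {"pattern": "*-admin", "transform": "add-suffix-admin"},
]
SAMPLE_GROUPS = ["engineering", "team-platform", "db-admin", "unrelated-group"]
```

Because a group with no matching rule yields no team, a typo in a rule silently removes access rather than granting it; log unmatched groups during sync so such gaps are visible.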

Automate access provisioning for new hires:

lifecycle:
  onHire:
    trigger:
      - hrSystem: workday
        event: new-hire
        condition: start_date <= today + 7d
    actions:
      - action: create-user-account
        assignTeams: ["{{department}}"]  # Quoted: bare {{ }} is not valid YAML
      - action: assign-default-policies
        policySet: new-employee
      - action: send-welcome-email
        template: employee-onboarding
      - action: notify-manager
        message: "New team member {{fullName}} has been provisioned"

Handle department transfers and promotions:

lifecycle:
  onRoleChange:
    trigger:
      - hrSystem: workday
        event: job-change
        fields: [department, job_title, manager]
    actions:
      - action: reevaluate-policies
        removeInvalidAccess: true
      - action: request-manager-review
        reviewType: access-certification
      - action: audit-log
        severity: info

Revoke access when employees leave:

lifecycle:
  onTermination:
    trigger:
      - hrSystem: workday
        event: termination
        condition: termination_date <= today
    actions:
      - action: revoke-all-access
        immediate: true
      - action: disable-user-account
        grace_period: 0
      - action: archive-user-data
        retention: 7y
      - action: export-audit-logs
        destination: s3://compliance-archive/
      - action: notify
        recipients: [security@company.com, manager]
        template: employee-offboarding

Layer multiple authoritative sources:

  • Identity Provider - Authentication and basic user info
  • HRIS - Employment status, org structure, lifecycle
  • ITSM - Access requests, change tracking
  • Compliance Platform - Audit evidence, certifications

No single system has all the data. Integrate multiple sources for complete context.

Sync critical events immediately:

  • User terminations (revoke access)
  • Team membership changes (reevaluate policies)
  • Manager changes (update approval chains)
  • Department transfers (access review)

Use webhooks or event streams instead of polling when possible.

Plan for integration failures:

  • Cache last-known-good data
  • Fail closed (deny access if sync is stale)
  • Alert on sync failures
  • Manual override for emergencies
  • Regular health checks

Standardize attribute formats:

  • Lowercase email addresses
  • Trim whitespace
  • Normalize team names
  • Parse manager relationships
  • Handle missing data

attributeMapping:
  - claim: email
    target: user.email
    transform:
      - lowercase
      - trim
  - claim: department
    target: user.department
    transform:
      - normalize-department  # "Eng" → "Engineering"
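An attribute-mapping engine covering the rule keys used on this page (claim, target, required, transform, validate, type), as an added example rather than Alien Giraffe's own code. The transform names are the page's; their implementations, the department alias table and the sample claims are assumptions.

```python
"""Apply an attributeMapping block to raw IdP claims (added example, not Alien Giraffe's
code). Rule keys and transform names follow this page; the implementations are assumed."""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed alias table behind the page's normalize-department transform ("Eng" -> "Engineering")
DEPARTMENT_ALIASES = {"eng": "Engineering", "ds": "Data Science", "data science": "Data Science"}
TRANSFORMS = {"lowercase": str.lower, "trim": str.strip,
              "normalize-department": lambda v: DEPARTMENT_ALIASES.get(v.strip().lower(), v.strip())}

def set_path(obj, path, value):
    """Write value at a dotted target such as user.custom.costCenter."""
    *parents, leaf = path.split(".")
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[leaf] = value

def apply_mapping(claims, mapping):
    """Map claims to a user object; raise ValueError rather than admit a bad identity."""
    user = {}
    for rule in mapping:
        value = claims.get(rule["claim"])
        if value is None:
            if rule.get("required"):
                raise ValueError(f"required claim missing: {rule['claim']}")
            continue  # optional attribute absent: leave it unset, never guess a value
        transforms = rule.get("transform", [])
        for name in [transforms] if isinstance(transforms, str) else transforms:
            fn = TRANSFORMS[name]  # an unknown transform name is a config error: let it raise
            value = [fn(v) for v in value] if isinstance(value, list) else fn(value)
        if "validate" in rule and value != rule["validate"]:  # e.g. Google's hd claim pinned
            raise ValueError(f"claim {rule['claim']} failed validation: {value!r}")
        if rule.get("type") == "boolean":
            value = str(value).strip().lower() in ("true", "1", "yes")
        if rule["target"] == "user.email" and not EMAIL_RE.match(value):
            raise ValueError(f"malformed email: {value!r}")
        set_path(user, rule["target"], value)
    return user

# Constructed sample: mapping rules and claims modelled on the page's examples
MAPPING = [
    {"claim": "email", "target": "user.email", "required": True, "transform": ["lowercase", "trim"]},
    {"claim": "groups", "target": "user.teams", "transform": "lowercase"},
    {"claim": "department", "target": "user.department", "transform": "normalize-department"},
    {"claim": "hd", "target": "user.domain", "validate": "company.com"},
    {"claim": "contractor_status", "target": "user.custom.isContractor", "type": "boolean"},
]
CLAIMS = {"email": " Alice.Smith@Company.com ", "groups": ["Alien-Giraffe-Engineering"],
          "department": "Eng", "hd": "company.com", "contractor_status": "false"}
```

Rejecting the whole identity on a failed required or validate rule is the fail-closed choice: a login whose hosted domain does not match company.com never produces a partial user object that downstream policies might accept.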

Log all sync operations:

  • What changed
  • When it changed
  • Source system
  • Before/after values
  • Who initiated (automated vs manual)

Always have a backup:

  • Emergency admin accounts (not synced)
  • Break-glass procedures
  • Local authentication fallback
  • Alternative identity providers

Regularly verify termination workflows:

  • Create test employee in HRIS
  • Terminate test employee
  • Verify access is revoked
  • Check audit logs
  • Confirm notifications sent

Support multiple identity providers:

# Primary: Okta for employees
---
apiVersion: v1
kind: IdentityProvider
metadata:
  name: okta-employees
spec:
  type: oidc
  provider: okta
  userType: employee
---
# Secondary: Azure AD for contractors
apiVersion: v1
kind: IdentityProvider
metadata:
  name: azure-contractors
spec:
  type: saml
  provider: azure-ad
  userType: contractor

Use HRIS as source of truth for org structure:

# Identity from Okta
identityProvider: okta
# Organization data from Workday
hrSystem: workday
authorityPrecedence:
  - attribute: department
    authority: workday  # HRIS takes precedence
  - attribute: manager
    authority: workday
  - attribute: jobTitle
    authority: workday
  - attribute: teams
    authority: okta  # But teams from IdP

Trigger reviews based on HR events:

lifecycle:
  onAnniversary:
    trigger:
      - hrSystem: workday
        event: employment-anniversary
        interval: 1y
    actions:
      - action: initiate-access-review
        reviewType: annual-certification
        reviewers: [user.manager, data-governance-team]
        deadline: 30d

Protect system credentials:

  • Store in secret manager (Vault, AWS Secrets Manager)
  • Rotate regularly (90 days)
  • Use least-privilege service accounts
  • Monitor for unauthorized access
  • Encrypt in transit and at rest

Only sync necessary attributes:

  • Request minimal scopes
  • Filter sensitive attributes
  • Avoid syncing personal data when possible
  • Respect data privacy regulations (GDPR)

Log synchronization activities:

  • User additions/modifications/deletions
  • Group membership changes
  • Attribute updates
  • Sync failures and errors
  • Manual overrides

Sanity-check synced data:

  • Validate email formats
  • Check for duplicates
  • Verify required fields
  • Detect anomalies (e.g., all users deleted)
  • Alert on large bulk changes
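The fail-closed handling of integration failures and the sanity checks on synced data, combined in one sync guard as an added example (not Alien Giraffe's own code). The 20% bulk-deletion threshold, the 6-hour staleness limit (matching the Workday schedule above), the snapshot shape and the sample records are assumptions.

```python
"""Fail-closed sync guard (added example): adopt a directory snapshot only if it passes
sanity checks, else keep the cached last-known-good copy, and deny once it is too stale."""
from dataclasses import dataclass, field
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_DELETE_FRACTION, MAX_STALENESS_S = 0.20, 6 * 3600  # assumed: >20% drop is suspect; 6h HRIS cadence
REQUIRED = ("employeeId", "email", "department", "manager")

@dataclass
class SyncState:
    users: dict = field(default_factory=dict)  # employeeId -> attributes (last-known-good)
    last_good: float = 0.0                      # epoch seconds of the last accepted sync

def validate_snapshot(previous, incoming):
    """Return the list of problems found; an empty list means the snapshot is acceptable."""
    problems, seen = [], set()
    for uid, attrs in incoming.items():
        missing = [f for f in REQUIRED if not attrs.get(f)]
        if missing:
            problems.append(f"{uid}: missing required fields {missing}")
        email = attrs.get("email", "")
        if email and (email in seen or not EMAIL_RE.match(email)):
            problems.append(f"{uid}: malformed or duplicate email {email!r}")
        seen.add(email)
    if previous:  # anomaly check: a sync that removes a large share of users is suspect
        removed = len(set(previous) - set(incoming)) / len(previous)
        if removed > MAX_DELETE_FRACTION:
            problems.append(f"bulk deletion: {removed:.0%} of users removed")
    return problems

def apply_sync(state, incoming, now):
    """Adopt the snapshot only when clean; return the problems so the caller can alert."""
    problems = validate_snapshot(state.users, incoming)
    if not problems:
        state.users, state.last_good = dict(incoming), now
    return problems

def is_active(state, employee_id, now):
    """Fail closed: deny when the cache is stale, or the user is unknown or terminated."""
    if now - state.last_good > MAX_STALENESS_S:
        return False
    user = state.users.get(employee_id)
    return bool(user) and not user.get("endDate")

def sample_users(ids):
    """Constructed sample snapshot: one well-formed record per employee id."""
    return {u: {"employeeId": u, "email": f"{u.lower()}@company.com",
                "department": "Engineering", "manager": "mgr@company.com"} for u in ids}
```

Note the asymmetry: a rejected snapshot keeps existing users active until the cache ages out, so a rejected sync must page someone rather than wait for the next schedule, and the staleness limit should be at most a couple of sync intervals.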

Related Components:

  • Policies - Centralize context definitions with other access control components
  • Subjects - Provide identity and team membership context for subjects
  • Resources - Supply organizational ownership context for resources
  • Constraints - Enable manager-based approval workflows
  • Channels - Authenticate applications and service accounts