Glossary

All key terms used throughout the Verity documentation, listed alphabetically. Use Ctrl+F (or Cmd+F on macOS) to jump to a specific term.


A

Access Decay

The gradual increase in risk that occurs when an access grant remains in place but is no longer actively needed. Verity quantifies decay as a score from 0 (fresh / actively used) to 100 (fully decayed / high risk).

Access Grant

A single permission linking a Principal to an Asset. For example, "jane.doe has db_datareader on analytics-warehouse." Grants are the atomic unit that Verity scores.

Asset

Any protected resource — a database, schema, workspace, storage account, API, or application. Assets are ingested from source-system connectors and stored in the canonical model.

Asset Sensitivity

A classification (1–5) assigned to an asset that reflects how sensitive the data or resource is. Higher sensitivity amplifies the Decay Score via the Sensitivity Multiplier.

B

Blast Radius

A composite metric estimating the potential damage if a given Access Grant were exploited. Factors include asset sensitivity, privilege level, and number of downstream dependents.

C

ClickHouse

A columnar OLAP database used by Verity as the immutable audit store. Every state change — score update, review decision, remediation action — is appended to ClickHouse for compliance reporting and forensic analysis.

Compliance Report

A point-in-time or continuous report generated by the Compliance Reporter service. Reports map Verity evidence to regulatory controls such as SOX § 404, HIPAA § 164.312, and SOC 2 CC6.1–CC6.3.

Connector

A pluggable adapter that extracts identity, permission, and usage data from an external system. Verity ships with connectors for Azure AD (Entra ID), Microsoft Fabric, Azure Synapse, Databricks, PostgreSQL, and HR systems (CSV / SCIM).

Continuous Scoring

The process by which the Decay Engine re-evaluates every grant on a configurable schedule (default: every 6 hours), ensuring scores reflect the latest usage telemetry.

D

Data Owner

The person or team responsible for reviewing and approving access to a specific Asset. Data owners receive Review Packets when grants on their assets exceed a risk threshold.

Decay Engine

The core scoring microservice (decay-engine). It combines six weighted factors — days since last use, peer comparison, privilege level, asset sensitivity, login frequency, and HR signals — into a single 0–100 Decay Score.

Decay Score

A numeric value (0–100) representing how "stale" an Access Grant is.

Range     Risk Level   Typical Action
0–29      Low          No action required
30–59     Medium       Flag for next review
60–79     High         Route to data owner
80–100    Critical     Auto-remediate

Decision

The outcome of a Review. Possible decisions are Approve (keep access), Revoke (remove access), Downgrade (reduce privilege level), or Escalate (send to a higher authority).

DLQ (Dead Letter Queue)

A Kafka topic that captures events that could not be processed after the configured retry limit. Operators can inspect and replay DLQ messages via the operations API.

Dry Run

A remediation execution mode where revocation commands are logged but not applied to the source system. Useful for validating automation before enabling live remediation.

E

Escalation Chain

An ordered list of reviewers contacted when the primary Data Owner does not respond within the SLA. Escalation chains are configured per asset or asset group.

Evidence Package

A bundle of audit artefacts — score history, review decisions, remediation logs — assembled for a specific compliance control and time window. Evidence packages are exported as signed JSON or PDF.

G

Grant Lifecycle

The complete journey of an Access Grant through Verity: Discovered → Scored → Reviewed → Decided → Remediated → Archived.

stateDiagram-v2
    [*] --> Discovered
    Discovered --> Scored
    Scored --> Reviewed : score ≥ threshold
    Scored --> Scored : score < threshold (re-score)
    Reviewed --> Decided
    Decided --> Remediated : revoke / downgrade
    Decided --> Scored : approve (re-enter scoring)
    Remediated --> Archived
    Archived --> [*]
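
The lifecycle above as an enforceable state machine, added here as an illustration rather than code from the Verity project: the transition table is taken from the diagram, the review threshold of 60 is the "High" boundary from the Decay Score table, and the class name, method names and the handling of Escalate (the grant stays under review) are assumptions.

```python
# Grant lifecycle state machine (added example, not Verity's own code). It encodes the
# diagram's edges and rejects any move the diagram does not allow. Threshold 60 is the
# Decay Score table's "High" boundary; treating Escalate as "stay Reviewed" is an assumption.

# Allowed transitions: current state -> states reachable in one step.
TRANSITIONS: dict[str, set[str]] = {
    "Discovered": {"Scored"},
    "Scored": {"Scored", "Reviewed"},      # re-score loop or route to review
    "Reviewed": {"Decided"},
    "Decided": {"Remediated", "Scored"},   # revoke/downgrade vs approve
    "Remediated": {"Archived"},
    "Archived": set(),                     # terminal
}
REMEDIATING = {"Revoke", "Downgrade"}      # Decisions that leave the loop
RESCORING = {"Approve"}                    # Decision that re-enters scoring

class Grant:
    def __init__(self, grant_id: str, threshold: int = 60) -> None:
        self.grant_id = grant_id
        self.threshold = threshold
        self.state = "Discovered"
        self.history = ["Discovered"]      # audit trail of every transition

    def _move(self, new_state: str) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.grant_id}: {self.state} -> {new_state} not allowed")
        self.state = new_state
        self.history.append(new_state)

    def score(self, decay_score: int) -> str:
        # At or above the threshold the grant is routed to review; below it stays Scored.
        if not 0 <= decay_score <= 100:
            raise ValueError("Decay Score must be in 0..100")
        self._move("Scored")
        if decay_score >= self.threshold:
            self._move("Reviewed")
        return self.state

    def decide(self, decision: str) -> str:
        if decision == "Escalate" and self.state == "Reviewed":
            return self.state              # next reviewer; grant stays Reviewed
        if decision not in REMEDIATING | RESCORING:
            raise ValueError(f"{self.grant_id}: cannot apply {decision!r} in {self.state}")
        self._move("Decided")
        self._move("Remediated" if decision in REMEDIATING else "Scored")
        return self.state

    def archive(self) -> str:
        self._move("Archived")
        return self.state
```

Every transition is appended to `history`, so the object carries the same record the audit log would; an out-of-order call (deciding a grant that was never reviewed, or re-scoring one that is mid-review) raises instead of silently corrupting the state.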

H

Hypertable

A TimescaleDB concept used by Verity. The decay_scores table is a hypertable partitioned by time, enabling efficient time-range queries and automatic data-retention policies.

I

Identity Resolution

The process of matching raw principal identifiers (email, SID, UPN, employee ID) from multiple connectors to a single canonical Principal record. Handled by the Normalise Engine.

Ingest Plane

The first processing plane. Consists of Connectors and the Ingest Worker, which pull raw access data from source systems and publish it to Kafka for downstream processing.

K

Kafka Topic

A named event stream in Kafka (KRaft mode). Key topics include:

Topic                  Purpose
verity.raw-events      Raw connector output
verity.normalised      Canonical model events
verity.scores          Decay-score updates
verity.reviews         Review lifecycle events
verity.remediations    Remediation commands
verity.audit           Immutable audit log
verity.dlq.*           Dead-letter queues

N

Normalise Plane

The second processing plane. The Normalise Engine consumes raw events, performs Identity Resolution, classifies assets, and produces canonical-model events.

P

Peer Comparison

A scoring factor that compares a principal's access pattern against peers in the same department or role. Outliers (e.g., a marketing analyst with DBA privileges) receive a higher decay score.

Principal

Any identity that holds access — a user, service principal, managed identity, or service account. Principals are identified by a stable principal_id after Identity Resolution.

R

Remediation

The act of modifying or revoking an Access Grant in the source system. Remediation is executed by the Remediation Executor service and may operate in Dry Run or live mode.

Remediation Plane

The fifth and final processing plane. Executes approved revocation or downgrade actions against source systems and logs results to the audit trail.

Review

A human-in-the-loop evaluation of one or more Access Grants that have exceeded a score threshold. Reviews are orchestrated by the Workflow Engine using Temporal workflows.

Review Lifecycle

The stages a review passes through: Created → Assigned → Pending Response → Decided → Closed. Each transition is tracked with timestamps for SLA enforcement.

Review Packet

A curated bundle of context sent to a reviewer: the grant details, current Decay Score, score trend, peer comparison, and recommended action. Displayed in the dashboard or sent via email / Slack.

Review Plane

The fourth processing plane. The Review Generator creates review packets and the Workflow Engine orchestrates the review lifecycle via Temporal workflows.

Risk Level

A human-readable label derived from the Decay Score: Low, Medium, High, or Critical. Risk levels drive routing rules and SLA timers.

S

SLA (Service-Level Agreement)

A time-bound expectation for review completion. Default SLAs:

Risk Level   SLA
Medium       14 days
High         7 days
Critical     48 hours

Breached SLAs trigger the Escalation Chain.

Score Plane

The third processing plane. The Decay Engine reads normalised grants, computes scores, persists them to the decay_scores hypertable, and publishes score events to Kafka.

Sensitivity Multiplier

A weighting factor (1.0×–3.0×) applied to the raw decay calculation based on Asset Sensitivity. A sensitivity-5 asset triples the effective score contribution of time-since-last-use.

T

Temporal Workflow

A durable, fault-tolerant workflow managed by Temporal. Verity uses Temporal workflows for the review lifecycle, ensuring that reviews survive service restarts and honour SLA timers.

TimescaleDB

A PostgreSQL extension that adds time-series capabilities. Verity stores the decay_scores table as a Hypertable for efficient historical queries and automatic partition management.


Can't find a term?

Open an issue on GitHub and we'll add it to the glossary.