Active Directory: Node & Edge Schema
Node Types
The following entity types are extracted from Active Directory and represented as nodes in the graph:
| Node Type | Description |
|---|---|
| User | An Active Directory user object |
| Group | A security or distribution group |
| Computer | A computer object joined to the directory |
These nodes are uniquely identified by their ObjectIdentifier as exported from Active Directory, not by display name or distinguished name; the identifier is what ties an object's edges together, so an object that is renamed or moved to another OU keeps a single node. Container and Resource nodes also appear as edge endpoints in the table below, but they are not extracted from the directory as entity types of their own (see Notes).
Edge Relationships
| Edge Type | From Node | To Node | Description |
|---|---|---|---|
| IS_MEMBER_OF | User or Group | Group | Indicates membership in a group |
| HAS_MEMBER | Group | User or Group | Inverse of IS_MEMBER_OF |
| CONTAINS | Container | User, Group, or Computer | Represents the directory containment hierarchy |
| IS_CONTAINED_BY | User, Group, or Computer | Container | Inverse of CONTAINS |
| CAN_ACCESS | User or Computer | Resource | Indicates access permission to a target resource |
Because HAS_MEMBER and IS_CONTAINED_BY are the inverses of IS_MEMBER_OF and CONTAINS, membership and containment can be walked in either direction. That is what lets the system perform identity graph analysis, access modeling, and permission auditing across imported AD entities: for example, expanding a user's nested group membership, unrolling a group down to its users, or listing every principal that holds a CAN_ACCESS edge to a resource.
Example
Here is a simplified example of how these relationships might appear in the graph (the container node is written as OU, since containers are inferred from Organizational Units):

```cypher
(User)-[:IS_MEMBER_OF]->(Group)
(Group)-[:HAS_MEMBER]->(User)
(User)-[:IS_CONTAINED_BY]->(OU)
(OU)-[:CONTAINS]->(Computer)
(Computer)-[:CAN_ACCESS]->(Resource)
```
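The following is an added example, not code from this page or from the project it documents. It loads a constructed, AD-style export into a small in-memory graph that enforces the node and edge table above, derives the two inverse edges (HAS_MEMBER, IS_CONTAINED_BY) instead of loading them, and then answers the audit questions the text mentions: a user's effective (nested) group membership, the users a group resolves to, and the principals that hold CAN_ACCESS to a resource created by another adapter. The record layout, the SID-shaped and ARN-shaped identifiers, and all names are assumptions made for illustration.

```python
"""Added example (not the project's code): enforce the AD node/edge schema,
derive inverse edges, and answer audit questions over a constructed export.
Identifier formats and record layout are assumptions for illustration."""
from collections import defaultdict

# Allowed (from, to) node types per edge, transcribed from the edge table.
EDGE_SCHEMA = {
    "IS_MEMBER_OF":    ({"User", "Group"}, {"Group"}),
    "HAS_MEMBER":      ({"Group"}, {"User", "Group"}),
    "CONTAINS":        ({"Container"}, {"User", "Group", "Computer"}),
    "IS_CONTAINED_BY": ({"User", "Group", "Computer"}, {"Container"}),
    "CAN_ACCESS":      ({"User", "Computer"}, {"Resource"}),
}
# Edges the table defines as inverses; they are derived when the forward edge is added.
INVERSE = {"IS_MEMBER_OF": "HAS_MEMBER", "CONTAINS": "IS_CONTAINED_BY"}


class IdentityGraph:
    def __init__(self):
        self.nodes = {}                                     # ObjectIdentifier -> (type, name)
        self.edges = defaultdict(lambda: defaultdict(set))  # src -> edge type -> {dst}

    def add_node(self, oid, ntype, name):
        # ObjectIdentifier is the key: the same id with a different type is a data problem.
        if oid in self.nodes and self.nodes[oid][0] != ntype:
            raise ValueError(f"{oid} already loaded as {self.nodes[oid][0]}")
        self.nodes[oid] = (ntype, name)

    def add_edge(self, src, etype, dst):
        """Add an edge, rejecting endpoint types the schema table does not allow."""
        allowed_from, allowed_to = EDGE_SCHEMA[etype]       # KeyError for an unknown edge type
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"{etype} references an unknown ObjectIdentifier: {src} -> {dst}")
        src_type, dst_type = self.nodes[src][0], self.nodes[dst][0]
        if src_type not in allowed_from or dst_type not in allowed_to:
            raise TypeError(f"{etype} is not defined from {src_type} to {dst_type}")
        self.edges[src][etype].add(dst)
        if etype in INVERSE:                                # HAS_MEMBER / IS_CONTAINED_BY
            self.edges[dst][INVERSE[etype]].add(src)

    def _closure(self, start, etype):
        """Every node reachable from start by following etype repeatedly (cycle-safe)."""
        seen, stack = set(), [start]
        while stack:
            for nxt in self.edges[stack.pop()].get(etype, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def effective_groups(self, oid):
        """Direct and nested group membership: IS_MEMBER_OF followed transitively."""
        return self._closure(oid, "IS_MEMBER_OF")

    def members(self, group_oid):
        """Users in the group directly or through nested groups, via the derived HAS_MEMBER edges."""
        return {m for m in self._closure(group_oid, "HAS_MEMBER") if self.nodes[m][0] != "Group"}

    def principals_with_access(self, resource_oid):
        """Users and Computers holding a CAN_ACCESS edge to the resource."""
        return {src for src, by_type in self.edges.items()
                if resource_oid in by_type.get("CAN_ACCESS", ())}


def build_sample_graph():
    """Constructed sample export; every identifier and name here is made up."""
    g = IdentityGraph()
    for oid, ntype, name in [
        ("S-1-5-21-1-1001", "User", "alice"),
        ("S-1-5-21-1-1002", "User", "bob"),
        ("S-1-5-21-1-2001", "Group", "Helpdesk"),
        ("S-1-5-21-1-2002", "Group", "Tier1-Admins"),
        ("S-1-5-21-1-3001", "Computer", "WS01"),
        ("OU=Workstations", "Container", "Workstations"),                 # inferred OU node
        ("arn:aws:iam::123456789012:role/Ops", "Resource", "Ops role"),  # from another adapter
    ]:
        g.add_node(oid, ntype, name)
    g.add_edge("S-1-5-21-1-1001", "IS_MEMBER_OF", "S-1-5-21-1-2001")  # alice -> Helpdesk
    g.add_edge("S-1-5-21-1-2001", "IS_MEMBER_OF", "S-1-5-21-1-2002")  # Helpdesk -> Tier1-Admins (nested)
    g.add_edge("OU=Workstations", "CONTAINS", "S-1-5-21-1-3001")       # OU -> WS01
    g.add_edge("S-1-5-21-1-3001", "CAN_ACCESS", "arn:aws:iam::123456789012:role/Ops")
    g.add_edge("S-1-5-21-1-1002", "CAN_ACCESS", "arn:aws:iam::123456789012:role/Ops")
    return g


def schema_rejects(g, src, etype, dst):
    """True if the graph refuses the edge because the schema table does not define it."""
    try:
        g.add_edge(src, etype, dst)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    g = build_sample_graph()
    name = lambda oids: sorted(g.nodes[o][1] for o in oids)
    print("alice's effective groups:", name(g.effective_groups("S-1-5-21-1-1001")))
    print("Tier1-Admins resolves to:", name(g.members("S-1-5-21-1-2002")))
    print("Holds CAN_ACCESS to Ops role:", name(g.principals_with_access("arn:aws:iam::123456789012:role/Ops")))
    # A computer joining a group is normal AD behaviour, but the schema above does not define it.
    print("Computer IS_MEMBER_OF rejected:", schema_rejects(g, "S-1-5-21-1-3001", "IS_MEMBER_OF", "S-1-5-21-1-2001"))
```

The type check in add_edge is the practical payoff of writing the From/To columns down: an export that emits an edge outside the table (here, a computer as a group member) fails loudly at load time rather than silently producing a graph whose queries give wrong answers. Nested membership is resolved by walking IS_MEMBER_OF or HAS_MEMBER transitively with a visited set, so a group that (through misconfiguration) contains itself does not loop.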
Notes
- Containers are inferred objects such as Organizational Units (OUs); they are not extracted as a node type of their own, which is why the example above writes the container node as OU.
- Resources may be created by other adapters (e.g., AWS, Azure) but can be linked to AD identities via edges such as CAN_ACCESS.
- In Active Directory a computer can also be a member of a group, but IS_MEMBER_OF and HAS_MEMBER are defined above only for User and Group members, so a computer's group membership is not represented by these edges.