Azure: Node & Edge Schema

This document describes the graph model built by the Azure connection, which maps cloud identities, groups, service principals, and IAM roles into a the SlashID identity graph.

---

Node Types

Node Type	Description
AzureUser	A cloud user in Azure Active Directory
AzureGroup	A security or distribution group in Azure AD
AzureRole	A role definition assigned through Azure RBAC
AzureServicePrincipal	A service identity for apps and automation in Azure
AzureManagedIdentity	A managed identity for Azure services
AzureResourceManagerRole	Role used in ARM for access control
Credential	A login credential (e.g., password, token) tied to an identity
Resource	A cloud resource like VM, storage account, etc.

---

Edge Relationships

Edge Type	From Node	To Node	Description
IS_MEMBER_OF	AzureUser, AzureGroup	AzureGroup	Membership within Azure groups
HAS_MEMBER	AzureGroup	AzureUser, AzureGroup	Reverse of IS_MEMBER_OF
HAS_ROLE	AzureUser, AzureServicePrincipal	AzureRole	Indicates that a role is granted to a principal
IS_ROLE_OF	AzureRole	AzureUser, AzureGroup	Reverse of HAS_ROLE
HAS_CREDENTIAL	AzureUser, AzureServicePrincipal	Credential	A credential belonging to an identity
IS_CREDENTIAL_OF	Credential	AzureUser, AzureServicePrincipal	Reverse of HAS_CREDENTIAL
OWNS	AzureUser, AzureServicePrincipal	Resource	Ownership of a resource
IS_OWNED_BY	Resource	AzureUser, AzureServicePrincipal	Reverse of OWNS
CAN_ACCESS	AzureUser, AzureServicePrincipal, AzureGroup	Resource	Identity is allowed access
CAN_BE_ACCESSED	Resource	AzureUser, AzureGroup	Reverse of CAN_ACCESS
IS_ASSIGNED	AzureUser, AzureGroup	AzureRole, Resource	Role/resource assignment
CONTAINS	AzureGroup, Resource	Nested members or resources	Structural containment

---

Examples

(AzureUser)-[:IS_MEMBER_OF]->(AzureGroup)
(AzureUser)-[:HAS_ROLE]->(AzureRole)
(AzureServicePrincipal)-[:HAS_CREDENTIAL]->(Credential)
(AzureUser)-[:OWNS]->(Resource)
(AzureManagedIdentity)-[:CAN_ACCESS]->(Resource)