Skip to content

Entity reference

Target audience: Solution Architects, Enterprise Architects, Platform Implementers

Reading time: 25 minutes (full read), or jump to a specific entity

Prerequisites: The six-layer model

Introduction

This page is the canonical reference for the twelve entities of the deployment organization model. Each entity definition includes its purpose, key attributes, lifecycle considerations, and concrete examples.

For the layered structure that groups these entities, see The six-layer model. For their relationships and runtime composition, see Relationships and runtime flow.

Organizational entities

Deployment

A Deployment is a complete installation of ANKASecure©. It defines:

  • The infrastructure footprint (compute, network, storage)
  • The global compliance baseline (regulatory region, certification posture)
  • HSM and KMS integrations (vendor, slots, partitions)
  • Default cryptographic policies inherited by tenants

A Deployment maps to a productive environment, a regulatory region, or a logical infrastructure boundary. Organizations operating under conflicting regulatory regimes — for example, jurisdictions with incompatible cryptographic mandates — typically run separate deployments.

Key attributes:

Attribute Description
Compliance region The regulatory frame (BSI, NIST, ANSSI, ETSI, EU, UNRESTRICTED)
HSM provider The cryptographic substrate (PKCS#11, AWS CloudHSM, Thales Luna, SoftHSM)
Default policies The baseline algorithm catalog and lifecycle rules
Environment classification Production, disaster recovery, development

When to define a separate deployment: when the regulatory or jurisdictional context differs in ways that require independent governance. A single multinational organization may run multiple deployments — one per major regulatory region — to satisfy data residency and sovereign cryptography requirements.

Tenant

A Tenant is an isolated cryptographic domain within a Deployment. It provides:

  • Boundaries of key ownership
  • Independent policy scope (within deployment baseline)
  • Administrative separation
  • Audit isolation

Each tenant owns its cryptographic assets and defines its own governance rules within the constraints imposed by the deployment. A compromise within one tenant cannot reach assets in another tenant, even when both run on the same infrastructure.

Key attributes:

Attribute Description
Tenant identifier UUID, stable across the tenant's lifetime
Display name Human-readable name (Core Banking, Digital Channels, Risk & Compliance)
KEK label Reference to the tenant's Key Encryption Key in the HSM
Inherited policies Policies inherited from the deployment baseline
Local policy overrides Tenant-specific policy overrides within allowed ranges

Multi-tenancy scope: a Tenant is the unit of cryptographic isolation. It is also the natural unit of administrative delegation — different tenants can be administered independently. For details on the technical isolation mechanisms, see Multi-Tenant Isolation Model.

Application

An Application is a business system or functional domain. It defines:

  • Business ownership
  • Risk classification
  • Regulatory scope
  • Operational context

Examples: Core Banking, Card Issuance, CRM, Collections, Regulatory Reporting.

Key attributes:

Attribute Description
Application identifier UUID
Display name Human-readable name
Owning tenant The tenant within which this application operates
Business unit Organizational owner (Treasury, Digital Division, Risk)
Cost center Financial accountability tag
Risk level CRITICAL, HIGH, MEDIUM, LOW
Regulatory scope Regulations applicable (SOX, PCI-DSS, GDPR, AML, eIDAS 2)
Data classification RESTRICTED, CONFIDENTIAL, INTERNAL, PUBLIC
Application type INTERNAL, EXTERNAL, HYBRID

Important distinction: Applications are not technical identities. They do not authenticate, do not hold credentials, and do not invoke operations directly. They are the business container under which technical actors operate. The technical identity is the Cryptographic Actor.

Operational identity entities

Cryptographic Actor

A Cryptographic Actor is the operational subject that executes or requests cryptographic operations. It represents:

  • An internal API service
  • A batch processing job
  • An integration channel
  • A third party (for example, a card embossing vendor)
  • A BPO processing system

Each Cryptographic Actor belongs to an Application, operates under defined constraints, and is the primary subject of authorization. Authorization decisions, audit events, and rate-limit enforcement are anchored on the actor.

Actors are the unit of trust at runtime. The model treats internal services and external parties uniformly: both are actors with clearly delimited capabilities.

Key attributes:

Attribute Description
Actor identifier UUID
Owning application The Application this actor operates within
Actor type INTERNAL_SERVICE, BATCH_JOB, EXTERNAL_PARTY, BPO_PROCESSOR, INTEGRATION_CHANNEL
Status ACTIVE, SUSPENDED, REVOKED
Display name Human-readable name (visa-embossing-actor, fraud-detection-service)

Actor lifecycle: an actor is created when an integration is established, suspended when it is paused (without losing its authorizations), and revoked when the integration is terminated. Suspending the actor immediately blocks all of its grants without deleting them; reactivation restores the previous state.

Credential

A Credential is the authentication mechanism associated with a Cryptographic Actor. Examples:

  • client_id + secret
  • Asymmetric client authentication
  • mTLS identity (X.509 client certificate)
  • Federated identity (OIDC, SAML)

A Cryptographic Actor may hold multiple credentials simultaneously (for credential rotation), and credentials have independent lifecycle management. The separation between actor and credential allows secret rotation without altering authorization grants.

Key attributes:

Attribute Description
Credential identifier UUID
Owning actor The actor this credential authenticates
Mechanism OAUTH2_CLIENT_CREDENTIALS, MTLS, OIDC, SAML, ASYMMETRIC_CLIENT
Status ACTIVE, EXPIRED, REVOKED, ROTATED
Issued at Timestamp
Expires at Timestamp (for time-limited credentials)

Credential rotation pattern: an actor can hold two ACTIVE credentials simultaneously during a rotation window. The new credential is issued and tested in parallel with the old one; once the new credential is verified, the old one is revoked. No grant changes are required.

Governed exchange entity

Exchange Context

An Exchange Context is a governed interaction scenario involving cryptographic operations. It models:

  • The relationship between parties
  • The purpose of the exchange
  • The direction of data flow
  • The trust model

Examples:

  • Card Embossing — VISA
  • Card Embossing — AMEX
  • Collections Processing — BPO Alpha
  • Regulatory Reporting — Central Bank
  • Internal Analytics Pipeline

Key attributes:

Attribute Description
Context identifier UUID
Owning application The Application that owns the exchange
Counterparty The external or internal party involved
Direction OUTBOUND, INBOUND, BIDIRECTIONAL, INTERNAL
Business purpose The reason the exchange exists
Sensitivity level PUBLIC, INTERNAL, RESTRICTED, CONFIDENTIAL
Status ACTIVE, SUSPENDED, TERMINATED
Effective from Start of validity
Effective until End of validity (optional)

Why this entity exists: the Exchange Context distinguishes ANKASecure© from a traditional KMS. By modeling the business interaction explicitly, authorization decisions can reflect not only who is acting and what they are doing, but the governed business relationship in which the action takes place.

Lifecycle implication: when a third-party relationship is renegotiated or terminated, the cryptographic implications propagate through the affected Exchange Context. Suspending or terminating a context affects every grant scoped to it — without requiring per-grant inspection.

Cryptographic resource entities

Cryptographic Asset

A Cryptographic Asset is managed cryptographic material. Types include:

Type Examples
Symmetric keys AES (128, 192, 256), ChaCha20, Camellia
Asymmetric key pairs RSA, EC (P-256, P-384, P-521)
Post-quantum keys ML-KEM-512/768/1024, ML-DSA-44/65/87, SLH-DSA, Falcon
Hybrid keys Composite PQC + classical pairs
Verification keys Public material derived from private keys
Wrapping keys KEKs used to protect other assets

Each asset belongs to a Tenant, follows a defined lifecycle (ACTIVE, PENDING_ROTATION, ROTATED, EXPIRED, REVOKED, ARCHIVED), and is governed by policy.

Key attributes:

Attribute Description
KID (Key Identifier) Stable human-readable identifier (payment-signing-key-001)
Internal UUID System-generated unique reference
Owning tenant The tenant that owns this asset
Algorithm The cryptographic algorithm (ML-DSA-87, AES-GCM-256)
Key type (kty) PQC, ASYMMETRIC, SYMMETRIC, HYBRID
Permitted operations The capabilities this asset supports
Lifecycle status ACTIVE, PENDING_ROTATION, ROTATED, EXPIRED, REVOKED, ARCHIVED
Created at Timestamp
Expires at Timestamp (if time-limited)
Usage count Cumulative operation counter
Max usage limit Hard limit (optional)
Origin GENERATED, IMPORTED
Exportable Boolean (typically false in production)
KEK version Reference to the wrapping key version

Asset identification: assets are referenced by stable KID. The runtime resolves the appropriate version based on policy, lifecycle state, and operation type. This is the foundation of the KID system.

Capability

A Capability is a cryptographic function that can be executed. Capabilities abstract the use of cryptographic material into controlled operations.

Standard capabilities:

Capability Operation Typical use
encrypt Encrypt data with a key Protecting data at rest or in transit
decrypt Decrypt data with a key Unwrapping protected data
sign Produce a digital signature Authenticating data origin
verify Verify a digital signature Validating data origin
reencrypt Decrypt and re-encrypt with the same or different key Algorithm rotation, KEK rotation
resign Verify and re-sign with a different key Signature rotation
wrap Encrypt a key with a key Key transport, KEK operations
unwrap Decrypt a wrapped key Key transport reception
derive Derive a key from a key Key derivation, KDF operations

Why capabilities matter: a consumer never receives a key; it requests the execution of a capability and receives the operational result. This abstraction enables crypto-agility — the underlying algorithm or key version can change without affecting consumers.

For the broader principles behind this design, see Policy-Driven Crypto-Agility.

Control entities

Capability Grant

A Capability Grant is the authorization given to a Cryptographic Actor to invoke a specific capability under specific conditions. It binds:

  • An Actor
  • A Capability
  • One or more Cryptographic Assets
  • An Exchange Context (optional or required, depending on the use case)
  • Constraints

A Capability Grant answers four questions in a single record:

  1. Who can act? — the Actor
  2. What can they do? — the Capability
  3. On what assets? — the Cryptographic Assets
  4. Under what conditions? — the Constraints, scoped to an Exchange Context

Key attributes:

Attribute Description
Grant identifier UUID
Subject actor The Cryptographic Actor receiving the authorization
Capability The function the actor is authorized to invoke
Target assets One or more Cryptographic Assets
Exchange Context The business context this grant is scoped to (optional or required)
Constraint Policies Restrictions applied to this grant
Status ACTIVE, SUSPENDED, REVOKED, EXPIRED
Issued at Timestamp
Issued by Identity of the granting principal

Why this is the unit of authorization: revoking a grant immediately removes the actor's ability to invoke the capability, without affecting other grants or other actors. The grant is the smallest unit of fine-grained governance.

Constraint Policy

A Constraint Policy expresses restrictions on how a capability can be used. Examples:

Constraint type Effect
Time window (valid_from, valid_to) The grant is only active within the period
Maximum usage count The capability may be invoked at most N times
Single-use execution The grant is consumed on first invocation
Batch or dataset scope The capability applies only to a specific data set
Rate limiting Maximum operations per unit of time
Contextual requirements Required headers, source IP ranges, mTLS client certificates
Auto-revocation rules Conditions under which the grant terminates automatically

Key attributes:

Attribute Description
Constraint identifier UUID
Type TIME_WINDOW, MAX_USAGE, SINGLE_USE, BATCH_SCOPE, RATE_LIMIT, CONTEXT_REQUIREMENT, AUTO_REVOKE
Parameters Type-specific parameters (start/end time, count, batch ID, rate value)
Bound grant The Capability Grant this constraint applies to
Status ACTIVE, EXHAUSTED, EXPIRED

Composability: a single Capability Grant can have multiple Constraint Policies attached. They compose by conjunction — all must be satisfied for the grant to be active. For example, a grant might be simultaneously time-windowed (valid Mon-Fri, 8 AM to 6 PM), batch-scoped (only batch #2847), and rate-limited (max 50,000 ops/hour).

Policy

A Policy is a global or scoped rule that governs platform behavior. Policies exist at multiple levels:

  • Deployment — regulatory region, allowed algorithms, FIPS posture
  • Tenant — tenant-specific algorithm catalog, lifecycle defaults
  • Exchange Context — rules specific to a business interaction
  • Cryptographic Asset — rotation cadence, usage limits, exportability
  • Capability — invocation rules, audit requirements

What policies define:

Policy domain Examples
Algorithm availability Allowed algorithms and their security levels
Lifecycle rules Rotation, expiration, archival cadence
Compliance constraints FIPS, eIDAS 2, BSI, ANSSI, ETSI alignment
Crypto-agility rules PQC enforcement, hybrid requirements, downgrade prevention
Security enforcement Mandatory wrapping, key origin, attestation requirements

Key attributes:

Attribute Description
Policy identifier UUID
Scope DEPLOYMENT, TENANT, EXCHANGE_CONTEXT, ASSET, CAPABILITY
Domain ALGORITHM, LIFECYCLE, COMPLIANCE, AGILITY, SECURITY
Definition Rule expression (algorithm catalog, allowed values, thresholds)
Inheritance Resolution order (deployment baseline → tenant override → context override)

Policy versus Constraint Policy: Policies govern platform behavior at architectural levels and apply to many grants. Constraint Policies govern individual grants. The two are complementary: a Policy may say "ML-DSA-87 is the required signature algorithm for the Treasury tenant"; a Constraint Policy may say "this specific grant is single-use and expires in 4 hours."

For the broader policy framework, see Policy-Driven Crypto-Agility.

Evidence entity

Audit Event

An Audit Event records every cryptographic operation and every authorization decision. Each event captures the full context of what happened.

Captured fields:

Field Content
Event identifier UUID
Deployment, Tenant Organizational scope
Application, Actor Operational subject
Credential Authentication mechanism used
Exchange Context Business interaction context
Capability Function invoked
Cryptographic Asset Material involved
Constraints applied Active conditions at decision time
Outcome ALLOW, DENY (with reason)
Timestamp Decision time
Correlation identifier Request trace ID for cross-service correlation
Source IP Network origin
Request metadata Additional contextual headers

Integrity: audit events are HMAC-signed at production time using a 9-field canonical format and stored in an isolated audit data store. Tampering is detectable; events are immutable once produced.

Both allow and deny: the evidence layer captures the full decision context, not only successful operations. A denied invocation produces an audit record with the reason for denial, supporting forensic analysis and continuous monitoring.

What audit events enable: compliance reporting (DORA, PCI-DSS, SOX, GDPR), incident response, forensic reconstruction, continuous posture monitoring, and detection of anomalous patterns.

Control plane orchestration entities

The 12 entities above form the runtime authorization model. Core API runtime authorization resolves against Capability Grant and never references the orchestration layer described here.

The platform also exposes one control-plane orchestration entity that lives strictly above the runtime model and exists for administrative usability. The runtime model is unaffected by anything in this section.

Cryptographic Exchange

A Cryptographic Exchange is an admin-managed aggregate that groups one Application + one Cryptographic Actor + one Cryptographic Asset (by KID) + one Exchange Context + one Constraint Policy under a single managed lifecycle. It owns its Capability Grant 1:1.

Where the runtime model asks "is this Actor authorized to invoke this Capability on this Asset?", the orchestration model answers a different question for the admin: "what is this whole intercambio I am setting up, and where is it in its lifecycle?". The 7-step manual onboarding sidebar (Applications → Actors → Contexts → Constraint Policies → Capability Grants) is replaced by a single tabbed wizard that materializes one Exchange.

Lifecycle states:

State Meaning
DRAFT References may be NULL; no Grant exists yet
READY All 6 references resolved + cross-validation passed; Grant not created until activate
ACTIVE Capability Grant created; runtime authorization in effect
SUSPENDED Grant suspended; runtime authorization denies invocations. Reversible
EXPIRED Terminal — effective_until passed (scheduled job) or cascade from constraint.expired
REVOKED Terminal — manual revoke or cascade from actor.revoked / asset.revoked / context.terminated / application.deleted

Key attributes:

Attribute Description
Exchange identifier UUID, stable for the lifetime of the aggregate
Owning tenant The tenant that owns this Exchange
Name Display name (e.g., VISA Embossing 2026-04-26)
Business purpose Free-text purpose for the intercambio
Counterparty Derived from the referenced Exchange Context (single source of truth on the Context). Projected on list/detail responses for convenience and remains filterable from the list view; not stored on the aggregator itself.
Status Lifecycle state (table above)
Application The owning Application (reference)
Actor The Cryptographic Actor that will execute the operation (reference)
Asset KID String reference to a Cryptographic Asset by stable Key Identifier
Exchange Context The governance scope (reference)
Constraint Policy The usage restrictions (reference)
Owned Grant The Capability Grant this Exchange composes (1:1, populated on activation)
Owner principal The admin who owns this Exchange
Effective from / until Validity window (optional)
Revocation metadata revoked_at, revoked_by, revoked_reason populated on terminal transitions
Last triggering event id Forensic correlation when a transition was driven by a cascade
Cloned from exchange id Provenance pointer for clones
Tags Free-form tag array
Notes Free-text operator notes
Version JPA optimistic-locking discriminator (carry into PATCH/transition request bodies)

Composition vs reference (key invariant):

  • Composes (1:1, owned): the Capability Grant. The 1:1 invariant is enforced at the database layer via a UNIQUE constraint on grant_id. Two Exchanges cannot share a Grant.
  • References (N:1): Application, Actor, Asset (by KID), Exchange Context, Constraint Policy. These remain reusable across multiple Exchanges. The same Actor can participate in many intercambios.

Why this entity exists: the orchestration layer collapses the admin's mental model from "5 separate entities I have to wire correctly" into "one Exchange I am setting up". Activate / Suspend / Resume / Revoke act on the Exchange and propagate atomically to the underlying Grant. The runtime authorization path (Core API) does not change — it still resolves against the Grant. The orchestration is purely an admin usability layer.

API: the Cryptographic Exchange is exposed by ankasecure-admin-api under /api/v3/admin/exchanges. See the admin-api endpoints documentation for the full surface (list, detail, create, PATCH, validate, activate, suspend, resume, revoke, clone, audit-trail).

Greenfield posture: ANKASecure has no live data to migrate. The schema lands empty at first deployment via the 02e_cryptographic_exchange.sql init-sql script. Demo data alignment is operational tooling in the provision-demo workspace project, which wraps any seed Capability Grants in an owning Exchange to maintain the 1:1 invariant.

Quick reference table

Entity Layer Cardinality
Deployment Organizational One per installation
Tenant Organizational Many per deployment
Application Organizational Many per tenant
Cryptographic Actor Operational identity Many per application
Credential Operational identity Many per actor (rotation)
Exchange Context Governed exchange Many per application
Cryptographic Asset Cryptographic resource Many per tenant
Capability Cryptographic resource Standard set, platform-defined
Capability Grant Control Many per actor
Constraint Policy Control Many per grant
Policy Control Scoped at multiple levels
Audit Event Evidence One per operation/decision
Cryptographic Exchange Control plane orchestration Many per tenant; composes Grant 1:1; references Actor/Asset/Context/Policy N:1

Next steps