Access Control
Access to the EDS is restricted to two service identities for data operations. No human operator has read access to job data contents. All access is logged to the audit trail.
Identity Matrix
| Identity | Access type | Scope | Purpose |
|---|---|---|---|
| Data Collector service | Write only | Job namespace at write time | Writes collection.json.enc once per job |
| Assessment Engine service | Read only | Job namespace during active assessment | Reads collection.json.enc once per job |
| CYC Tier 2 analyst | Read only — audit logged | Retained tier only, per explicit client consent | Reads findings.json for consultation engagements |
| CYC operations staff | Metadata only | Audit log and manifest | Monitors job health and TTL compliance. Cannot read encrypted content. |
| Client | None | — | Client receives report only. Raw data is never exposed. |
| Drift Detection service | Read only | Prior assessment namespace, retained tier only | Reads prior findings.json for delta comparison |
Access Rules
- Service identities authenticate via managed identity — no static credentials
- Job namespace access tokens are scoped to the specific job and expire at job completion
- Tier 2 analyst access requires both that the client has opted in to the retained tier and that an explicit per-engagement authorisation has been logged in the audit trail
- Cross-job access is architecturally prevented — a job's namespace token cannot be used to access another job's namespace
> **Danger:** If a component or identity not listed above attempts to access the EDS, the request is rejected and a security alert is triggered.
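The identity matrix, the access rules and the deny-by-default rule above expressed as one policy check. This is an added illustration, not the project's own code: the identity names, object names, and the `Token`/`Request` fields are assumptions, and a token is assumed to be bound to exactly one job namespace (so the Drift Detection service holds a token minted for the prior assessment's namespace).

```python
from dataclasses import dataclass
AUDIT: list[dict] = []  # every decision, allowed or denied, is recorded here

# identity -> (allowed op, objects it may touch, needs retained tier, needs client consent);
# identities absent from this table (for example the client) get no access at all.
POLICY = {
    "data-collector":    ("write",    {"collection.json.enc"},   False, False),
    "assessment-engine": ("read",     {"collection.json.enc"},   False, False),
    "tier2-analyst":     ("read",     {"findings.json"},         True,  True),
    "operations":        ("metadata", {"audit-log", "manifest"}, False, False),
    "drift-detection":   ("read",     {"findings.json"},         True,  False),
}

@dataclass
class Token:
    identity: str
    job_id: str        # the single job namespace this token was minted for
    expires_at: float  # epoch seconds; set to the job's completion time

@dataclass
class Request:
    token: Token
    job_id: str         # namespace being accessed
    operation: str      # "read" | "write" | "metadata"
    obj: str
    now: float          # evaluation time, epoch seconds
    retained_tier: bool = False   # target job is held in the retained tier
    client_consent: bool = False  # per-engagement authorisation is on record

def evaluate(req: Request) -> tuple[bool, bool, str]:
    """Deny-by-default check; returns (allowed, security_alert, reason)."""
    t, rule = req.token, POLICY.get(req.token.identity)
    if rule is None:
        d = (False, True, "identity not in matrix: rejected, security alert raised")
    elif req.now >= t.expires_at:
        d = (False, False, "token expired at job completion")
    elif req.job_id != t.job_id:
        d = (False, False, "cross-job access: token is bound to another namespace")
    else:
        op, objects, needs_retained, needs_consent = rule
        if req.operation != op or req.obj not in objects:
            d = (False, False, f"{t.identity} may only {op} {sorted(objects)}")
        elif needs_retained and not req.retained_tier:
            d = (False, False, "retained tier required")
        elif needs_consent and not req.client_consent:
            d = (False, False, "explicit per-engagement client authorisation required")
        else:
            d = (True, False, "allowed")
    AUDIT.append({"identity": t.identity, "job": req.job_id, "op": req.operation, "obj": req.obj, "allowed": d[0], "reason": d[2]})
    return d
```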