From cfbbcf416c21b82a602ac70176267f76c10e8c2a Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Fri, 6 Dec 2024 01:01:02 +0100 Subject: [PATCH] Update data-model.md Enhance project management --- documentation/architecture/data-model.md | 80 ++++++++++++++++++------ 1 file changed, 61 insertions(+), 19 deletions(-) diff --git a/documentation/architecture/data-model.md b/documentation/architecture/data-model.md index 20766a703..39aefd3d0 100644 --- a/documentation/architecture/data-model.md +++ b/documentation/architecture/data-model.md @@ -46,7 +46,7 @@ erDiagram erDiagram ROOT_FOLDER ||--o{ DOMAIN : contains - DOMAIN ||--o{ PROJECT : contains + DOMAIN ||--o{ PROJECT_OBJECT : contains DOMAIN ||--o{ RISK_ASSESSMENT_REVIEW : contains DOMAIN ||--o{ COMPLIANCE_ASSESSMENT_REVIEW: contains ROOT_FOLDER ||--o{ FRAMEWORK : contains @@ -89,6 +89,25 @@ erDiagram LOADED_LIBRARY2 }o--o{ LOADED_LIBRARY : depends_on ``` +### Project management model + +```mermaid +erDiagram + + PROJECT_OBJECT |o--o{ COMPLIANCE_ASSESSMENT : contains + PROJECT_OBJECT |o--o{ RISK_ASSESSMENT : contains + PROJECT_OBJECT |o--o{ PROJECT_OBJECT : contains + USER |o--o{ PROJECT_OBJECT : manages + + PROJECT_OBJECT { + string ref_id + string name + string description + string ref_id + string status + string category + } +``` ### General data model @@ -98,7 +117,6 @@ erDiagram COMPLIANCE_ASSESSMENT_REVIEW }o--|| COMPLIANCE_ASSESSMENT : reviews REQUIREMENT_NODE }o--o{ REFERENCE_CONTROL : leverages COMPLIANCE_ASSESSMENT }o--|| FRAMEWORK : is_based_on - PROJECT |o--o{ COMPLIANCE_ASSESSMENT : contains COMPLIANCE_ASSESSMENT ||--o{ REQUIREMENT_ASSESSMENT: contains APPLIED_CONTROL }o--o{ EVIDENCE : is_proved_by FRAMEWORK ||--o{ REQUIREMENT_NODE : contains @@ -108,7 +126,6 @@ erDiagram APPLIED_CONTROL }o--o| REFERENCE_CONTROL : implements REQUIREMENT_NODE }o--o{ THREAT : addresses RISK_ASSESSMENT }o--|| RISK_MATRIX : applies - PROJECT |o--o{ RISK_ASSESSMENT : contains RISK_ASSESSMENT ||--o{ RISK_SCENARIO : contains RISK_SCENARIO }o--o{ APPLIED_CONTROL : is_mitigated_by RISK_SCENARIO }o--o{ THREAT : derives_from @@ -124,14 +141,6 @@ erDiagram ASSET ||--o{ SECURITY_OBJECTIVE : has SECURITY_OBJECTIVE }o--|| QUALIFICATION : implements - PROJECT { - string ref_id - string name - string description - string ref_id - string status - } - FRAMEWORK { string urn string locale @@ -375,7 +384,6 @@ erDiagram json mapping_rules } - ``` ### Labels @@ -404,24 +412,57 @@ All models have the following fields: - created_at: the date when the object has been created. - modified_at: the date when the object has been lastly modified. -## Projects and domains - -Projects are fundamental context objects defined by the entity using CISO Assistant. They are grouped in domains. +## Project management and domains The domain is the fundamental perimeter for access control. All objects, in particular domains, within a domain, have consistent access rights. If this granularity is not sufficient, the entity shall define new domains. +Project objects are defined by the entity using CISO Assistant. Assessments can be attached to a project object, though this is optional. Project objects are organized hierarchically, each project object can have a parent, but loops are not allowed. + Note: the IAM model is based on folders. A folder has a type among: - ROOT: the root folder, which is also called "global domain". - DOMAIN: a user-defined domain. - ENCLAVE: a invisible folder used to confine the actions of a third party. -Projects have the following fields: +Projects objects have the following fields: - ref_id (ex internal reference) - Name - Description -- Status: --/Design/Development/Production/End of life/Dropped +- Phase: --/Initiation/Planning/Execution/Monitoring/Closure/Closed/Dropped +- Category: --/Portfolio/Program/Project/Initiative/Activity + +Note: the old status field of projects is mapped to the phase following this mapping: + +status | Phase +------------|-------- +-- | -- +Design | Initiation +Development | Planning +Production | Execution +End of life | Closed +Dropped | Dropped + + +Here is an example of a project management structure: + +```mermaid +flowchart TB + +PF1[portfolio 1] --> PF1A[portfolio 1A] +PF1[portfolio 1] --> PF1B[portfolio 1B] +PF1[portfolio 1] --> PJ4[Project 4] +PF2[portfolio 2] --> IN2[Intiative 2] +PF2[portfolio 2] --> PJ6[Project 6] +PF1A --> PG1[Program 1] +PF1A --> PG2[Program 2] +PF1B --> PJ1[Project 1] +PG1 --> PJ2[Project 2] +PG2 --> PJ3[Project 3] +PG2 --> IN1[Initiative 1] +PJ4 --> PJ5[Project 5] +PJ7[Project 7] +``` ## Qualifications @@ -971,7 +1012,7 @@ erDiagram ENTITY_ASSESSMENT }o--o| COMPLIANCE_ASSESSMENT : leverages ENTITY_ASSESSMENT }o--o| EVIDENCE : leverages COMPLIANCE_ASSESSMENT }o--|| FRAMEWORK : uses - PROJECT |o--o{ ENTITY_ASSESSMENT : contains + PROJECT_OBJECT |o--o{ ENTITY_ASSESSMENT : contains ENTITY { string name @@ -1267,7 +1308,7 @@ The frontend for risk study shall propose the following steps: ```mermaid erDiagram DOMAIN ||--o{ EBIOS_RM_STUDY : contains - DOMAIN ||--o{ STAKEHOLDER : contains + DOMAIN ||--o{ STAKEHOLDER : contains DOMAIN ||--o{ OPERATIONAL_SCENARIO : contains DOMAIN ||--o{ FEARED_EVENT : contains DOMAIN ||--o{ RO_TO : contains @@ -1297,6 +1338,7 @@ erDiagram ATTACK_PATH }o--o{ STAKEHOLDER : leverages STAKEHOLDER }o--o{ APPLIED_CONTROL : reinforces FEARED_EVENT }o--o{ QUALIFICATION : bears + PROJECT_OBJECT |o--o{ EBIOS_RM_STUDY : contains EBIOS_RM_STUDY { string ref_id