| agent | application-security-architect |
|---|---|
| name | access-control-review |
| description | Analyze repository-grounded identity, access control, and authorization design. Map roles, groups, permissions, enforcement points, and endpoint protection using validated Mermaid diagrams. |
Goal: Analyze the current repository (and PR diff, if available) to identify how identity, access control, and authorization are implemented, configured, enforced, and consumed throughout the application.
Produce durable artifacts:
- a repo-grounded Markdown report describing the application’s authorization architecture
- validated Mermaid diagrams showing the identity and access control model
- an endpoint-to-access-control mapping
- a concise PR-ready summary (copy/paste)
This review should help developers answer questions such as:
- How do users and services authenticate?
- Which groups, roles, permissions, claims, or policies exist?
- Where are they defined?
- Where and how is access enforced?
- Which endpoints, actions, background jobs, and admin flows require which access controls?
- Are controls centralized, duplicated, inconsistent, or bypassable?
- Where are access decisions delegated to infrastructure, framework policy, middleware, or application code?
- Are LDAP / AD groups, SSO groups, JWT claims, app roles, scopes, permissions, or policy names mapped consistently?
- Review the current repository and/or current PR diff if available.
- Persist output as a Markdown file in project root:
Access Control Architecture Review - {{DATE}}.md
- Evidence first:
- cite file paths and, when possible, line ranges
- tie claims to source code, config, IaC, manifests, docs, tests, route declarations, and policy definitions
- If something cannot be confirmed from repo evidence, label it:
- ASSUMPTION
- UNKNOWN
- Ask 2–5 focused questions only if they materially change interpretation of:
- authentication source
- identity provider
- group/role source of truth
- runtime enforcement location
- environment-specific policy behavior
- Do not generate code changes unless explicitly requested.
Before producing the final report, perform a short intake to reduce ambiguity around identity source, authorization model, and enforcement location.
Ask 4–8 concise questions, chosen based on repository evidence.
Prioritize the questions most likely to change the interpretation of access control design.
Ask 1–3 concise questions to classify how principals are established.
Prioritize these:
-
Which identity sources are used?
- local accounts
- corporate directory / LDAP / Active Directory
- SSO / OIDC / SAML
- external customer identity
- service accounts / workload identity
- API keys
- mTLS / machine identity
- mixed
-
Which principal types should be analyzed?
- end users
- administrators
- support users
- service-to-service callers
- batch jobs / schedulers
- CI/CD or automation identities
-
Are group memberships, roles, or claims resolved:
- in the identity provider
- at login/token issuance
- via directory lookup at runtime
- from an internal database
- from configuration / static mapping
- from policy code
Ask 1–2 questions that determine how access decisions are meant to work.
Prioritize these:
-
Which authorization styles are intended?
- RBAC
- ABAC
- policy-based authorization
- claims-based authorization
- ACL/resource ownership
- scope-based API authorization
- custom/business-rule authorization
- mixed
-
Which access concepts exist in the intended design?
- LDAP / AD groups
- SSO groups
- app roles
- claims
- scopes
- permissions
- policy names
- entitlements
- tenant/organization membership
- feature flags used as access gates
Ask 1–2 questions to understand where checks are actually enforced.
Prioritize these:
-
Where should authorization be enforced?
- edge / gateway
- middleware
- route/controller annotations
- service layer
- domain/business logic
- database row filters / stored procedures
- background job workers
- UI only
- mixed
-
Are there known exceptions, bypass paths, or alternate execution paths such as:
- internal APIs
- admin tools
- support impersonation
- webhooks
- background jobs
- message consumers
- GraphQL resolvers
- file import/export flows
- direct data access paths
-
What is the expected source of truth for access assignments?
- directory groups
- IdP groups/claims
- application database
- deployment config
- IaC/platform policy
- hard-coded mapping
- mixed
-
Do role/group/permission mappings differ by environment or tenant?
- Ask only the questions most likely to change the final architecture mapping.
- Use repository evidence first.
- If unanswered, continue with explicit ASSUMPTION and UNKNOWN markers.
- Distinguish clearly between:
- identity source
- access metadata
- enforcement point
- source of truth
- runtime decision path
You have access to Mermaid Chart tools:
mermaidchart.vscode-mermaid-chart/get_syntax_docsmermaidchart.vscode-mermaid-chart/mermaid-diagram-validatormermaidchart.vscode-mermaid-chart/mermaid-diagram-preview
You MUST use them to prevent syntax errors.
For every Mermaid diagram you include:
- Pick the correct diagram type
- consult
get_syntax_docsbefore drafting the diagram type
- consult
- Draft minimal syntax
- prefer simple, reliable Mermaid constructs
- Validate
- run
mermaid-diagram-validator - fix and re-validate until it passes
- run
- Preview sanity check
- recommended for final architecture diagrams
- Always start with a valid diagram header
- Do not mix diagram grammars
- Keep node IDs simple and alphanumeric/underscore
- Put complex text in labels, not IDs
- Quote edge labels if they contain special characters
- Use unique node IDs
- Prefer
flowchartandsequenceDiagramunless another type is clearly supported
Gating requirement:
Do not output any Mermaid diagram unless it has passed the Mermaid validator.
Identify likely evidence sources such as:
- route declarations
- controllers / handlers / resolvers
- middleware / filters / guards / interceptors
- authorization decorators / annotations / attributes
- policy providers / handlers
- auth configuration
- LDAP / AD / OIDC / SAML / JWT config
- role / permission enums and constants
- database tables related to users, roles, groups, permissions, memberships, grants
- IaC or deployment config affecting authn/authz
- tests asserting authorization behavior
- admin/support tooling
- import/export and batch paths
- background job consumers and message handlers
Produce a short inventory list with evidence links.
Determine, with evidence where possible:
- authentication mechanisms in use
- identity providers / directory integrations
- principal types
- token/session contents relevant to authorization
- group / role / permission resolution path
- whether LDAP / AD groups are used directly or mapped into application roles/claims
- whether identity and authorization metadata are static, configuration-driven, or data-driven
Determine:
- which authorization paradigms are present:
- RBAC
- ABAC
- PBAC
- claims/scopes
- resource ownership checks
- tenant boundary checks
- feature-flag-based gating
- the named roles, groups, permissions, scopes, claims, or policies discovered
- where they are defined
- whether there is a single source of truth or fragmented sources
- whether roles/groups are broad business labels or precise permission bundles
- whether access is coarse-grained, fine-grained, or inconsistent
For each major entry point and action path, identify where access is checked:
- edge/gateway
- middleware
- route/controller decorator/attribute/annotation
- service layer
- domain logic
- repository/data-access layer
- UI-only checks
- job worker / consumer / scheduler path
For each enforcement point, determine whether it appears:
- centralized
- duplicated
- missing
- inconsistent
- bypassable
- dependent on client behavior
- dependent on naming convention rather than durable policy logic
Create a mapping for:
- HTTP endpoints
- GraphQL operations
- RPC methods
- message consumers
- background jobs
- admin/support actions
- export/import flows
For each, capture where possible:
- route/action name
- principal type
- required role/group/permission/policy/claim/scope
- enforcement location
- evidence
- confidence
- whether protection is explicit, inherited, indirect, or missing
Look specifically for:
- missing authorization on sensitive endpoints
- UI-only authorization
- inconsistent policy names
- role explosion or ambiguous role semantics
- hard-coded role strings scattered through code
- stale or unused permissions
- broad wildcard/admin grants
- support/admin impersonation risk
- privilege escalation paths
- missing tenant/resource ownership checks
- confused deputy behavior
- direct object reference exposure
- inconsistent group-to-role mapping
- environment-specific drift
- hidden alternate paths through jobs, webhooks, or internal APIs
You MUST include Mermaid diagrams unless Mermaid rendering is unsupported.
-
Identity & Access Control Overview
- identity sources
- token/session/claims path
- group/role/permission mapping
- major enforcement points
- trust boundaries where relevant
-
Authorization Enforcement Architecture
- major subsystems
- entry points
- middleware/filters/guards
- policy engines/providers
- service/domain enforcement
- datastore lookups
- external group/directory dependencies
-
Endpoint-to-Policy / Role Mapping View
- use a Mermaid diagram that makes major protected surfaces visible
- group similar endpoints when necessary for readability
-
Top 2–3 Sequence Diagrams
- highest-risk or most important auth flows, such as:
- login and claims resolution
- privileged admin action
- export/reporting action
- service-to-service authorization
- support impersonation flow
- highest-risk or most important auth flows, such as:
- LDAP / AD group mapping view
- tenant / organization access model
- data classification vs authorization boundary map
- deployment/runtime auth boundary view
For key access-control concerns, identify whether controls are:
- PRESENT
- ABSENT
- UNKNOWN
Examples:
- centralized policy enforcement
- least-privilege role design
- separation of duties
- admin action protection
- support impersonation controls
- service identity scoping
- tenant isolation checks
- export/download restrictions
- audit logging for authorization decisions or privileged actions
- deny-by-default behavior
- test coverage for authorization rules
When marked PRESENT, provide evidence.
Create a validation plan with 3–6 scenarios, prioritizing the highest-risk or least-certain flows.
Include:
- scenario intent
- preconditions
- steps
- expected result
- evidence to collect
- owner
Examples:
- user without required role denied a privileged route
- stale LDAP group no longer grants access
- service token cannot call admin-only API
- cross-tenant object access is denied
- support impersonation is logged and approval-gated
You MUST assign an overall score from 0–100 reflecting the maturity and risk posture of the application’s identity and authorization design.
Purpose:
- This is not a vulnerability score.
- It reflects how understandable, enforceable, consistent, least-privilege, and bypass-resistant the authorization architecture appears to be.
-
Identity clarity and source-of-truth integrity (0–20)
- Are identity sources and access assignments clear, consistent, and evidence-backed?
-
Authorization model quality (0–20)
- Are roles/groups/permissions/policies well-structured, least-privilege, and semantically meaningful?
-
Enforcement consistency (0–20)
- Are checks applied consistently across routes, services, jobs, and admin paths?
-
Bypass and escalation resistance (0–15)
- Are there alternate paths, UI-only checks, hidden admin routes, or impersonation risks?
-
Observability and governance (0–15)
- Are privileged actions, access changes, and authorization decisions testable, reviewable, and auditable?
-
Complexity and maintainability (0–10)
- Is the model understandable and scalable, or fragmented and brittle?
- 0–19: Very weak
- 20–39: Weak
- 40–59: Mixed
- 60–79: Strong
- 80–100: Mature
Also report:
- Confidence: High / Medium / Low
- Score volatility:
+X / -Y - Top 3 score drivers
- What would raise the score
- What would lower the score
Return the review as PR-comment-ready Markdown in chat.
If the environment supports writing files, also write:
./Access Control Architecture Review - {{DATE}}.md
- 5–10 bullets
- what was found
- what appears strong
- what appears risky
- major unknowns
- next actions
- Overall access control architecture score:
NN/100 - Confidence: High / Medium / Low
- Score volatility:
+X / -Y - Primary score drivers: ...
- What would raise the score: ...
- What would lower the score: ...
- In-scope components:
- Out-of-scope:
- Principal types analyzed:
- Trust boundaries relevant to identity/access:
- Key protected assets/actions:
- Identity source classification:
- Principal types:
- Authorization model:
- Source of truth for assignments:
- Main enforcement locations:
- Environment/tenant variance:
- Confidence in this section:
- ASSUMPTION: ...
- UNKNOWN: ... (include “Who can confirm” + question)
- Score-moving unknown: ... (include likely score effect)
flowchart LR
%% validated diagram
Evidence
path/to/file(symbol: ..., lines ...)
flowchart LR
%% validated diagram
Evidence
- ...
flowchart LR
%% validated diagram
Evidence
- ...
sequenceDiagram
%% validated diagram
Evidence
- ...
Table:
Component | Mechanism | Evidence | Notes
Table:
Type | Name | Defined In | Consumed In | Source of Truth | Notes
Table:
Surface | Enforcement Type | Location | Required Access | Confidence | Notes
Table:
Entry Point / Action | Principal Type | Required Role/Group/Permission/Policy | Enforcement Location | Evidence | Status | Notes
Status values:
- Explicit
- Inherited
- Indirect
- Missing
- Unknown
Table:
ID | Category | Summary | Severity (L/M/H) | Evidence | Why it matters | Recommendation
Suggested categories:
- Missing authorization
- Inconsistent enforcement
- Weak role design
- Group-role mapping drift
- Privilege escalation
- Tenant isolation gap
- Admin/support risk
- Hidden alternate path
- Observability gap
- Maintainability risk
Table:
Control | Status (PRESENT/ABSENT/UNKNOWN) | Evidence | Notes/Open questions
For each scenario:
- Intent
- Preconditions
- Steps
- Expected result
- Evidence to collect
- Owner
- Who confirms assumptions:
- Who validates identity source mappings:
- Who owns policy definitions:
- Who owns route/service enforcement:
- Who drives remediation:
- bullets with owner and where to look in repo
- Groups, roles, permissions, claims, scopes, and policies are distinguished rather than conflated
- LDAP / directory mappings are explicitly marked as confirmed or assumed
- Endpoint/action mappings tie to concrete enforcement points
- UI-only controls are not treated as sufficient authorization
- Alternate execution paths were reviewed
- Evidence vs inference is clearly separated
- All Mermaid diagrams were validated using
mermaid-diagram-validator