{"id":"identity-governs-operator-and-workload-access","text":"OpenShift identity and authorization governance controls both operator lifecycle and workload deployment: the complete OAuth→User→Identity→Authorization chain gates OLM operator installation (ClusterRole/ServiceAccount for InstallPlans) and workload pod admission (SCC evaluation), making identity the root of all platform access regardless of OLM generation.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["identity-session-and-authorization-complete","olm-transitioning-between-generations"],"outlist":[],"label":"Identity governance is upstream of both operator installation and workload admission — the OLM chain cannot begin without RBAC, making identity the root dependency."}],"dependents":["identity-governed-software-delivery"],"metadata":{},"explanation":{"steps":[{"node":"identity-governs-operator-and-workload-access","truth_value":"IN","reason":"SL justification valid","antecedents":["identity-session-and-authorization-complete","olm-transitioning-between-generations"],"label":"Identity governance is upstream of both operator installation and workload admission — the OLM chain cannot begin without RBAC, making identity the root dependency."},{"node":"identity-session-and-authorization-complete","truth_value":"IN","reason":"SL justification valid","antecedents":["identity-to-authorization-governance-chain","oauth-session-lifecycle-management"],"label":"depth-2 identity-to-authorization covers the static mapping; depth-1 session lifecycle adds the temporal dimension — combining reveals that authorization is not just identity-based but session-scoped, and revocation propagates through the entire chain"},{"node":"identity-to-authorization-governance-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["openshift-identity-lifecycle-chain","openshift-extends-k8s-authorization-model"],"label":"Identity chain output (authenticated users) is the input to the authorization model — combining reveals the full access control pipeline"},{"node":"openshift-identity-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-config-singleton-named-cluster","oauth-requires-integratedoauth-type","user-api-group-user-openshift-io","useridentitymapping-maps-user-to-identity","oauthclientauthorization-delete-revokes"],"label":"Five resources form a directed chain from authentication config to session lifecycle"},{"node":"oauth-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"oauth-requires-integratedoauth-type","truth_value":"IN","reason":"premise"},{"node":"user-api-group-user-openshift-io","truth_value":"IN","reason":"premise"},{"node":"useridentitymapping-maps-user-to-identity","truth_value":"IN","reason":"premise"},{"node":"oauthclientauthorization-delete-revokes","truth_value":"IN","reason":"premise"},{"node":"openshift-extends-k8s-authorization-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-authorization-api-groups","openshift-has-own-authorization-api","scc-api-group-security-openshift","default-clusterroles-list"],"label":"Parallel authorization APIs reflect OpenShift's extension of Kubernetes security model"},{"node":"ocp-two-authorization-api-groups","truth_value":"IN","reason":"premise"},{"node":"openshift-has-own-authorization-api","truth_value":"IN","reason":"premise"},{"node":"scc-api-group-security-openshift","truth_value":"IN","reason":"premise"},{"node":"default-clusterroles-list","truth_value":"IN","reason":"premise"},{"node":"oauth-session-lifecycle-management","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-five-api-resources","oauth-delete-token-revokes-session","delete-oauthaccesstoken-revokes-session"],"label":"OAuth token deletion as the primary session revocation mechanism"},{"node":"oauth-five-api-resources","truth_value":"IN","reason":"premise"},{"node":"oauth-delete-token-revokes-session","truth_value":"IN","reason":"premise"},{"node":"delete-oauthaccesstoken-revokes-session","truth_value":"IN","reason":"premise"},{"node":"olm-transitioning-between-generations","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-full-lifecycle-chain","clusterextension-replaces-subscription-operatorgroup","fbc-modernizes-operator-catalog-format"],"label":"depth-2 synthesis — OLM is not static; the OLM v0→v1 transition (Subscription/OperatorGroup to ClusterExtension) creates a dual-path operational reality"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"clusterextension-replaces-subscription-operatorgroup","truth_value":"IN","reason":"premise"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"}]}}
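The record above states that the same identity chain gates both OLM operator installation and SCC-based pod admission. A practitioner's way to check that on a real cluster is to ask the API server, through `oc auth can-i`, whether the current session identity can start the OLM chain of either generation and whether the operator's workload ServiceAccount may use a given SCC. The script below is an added example, not code from the original record or from OpenShift/OLM; the set of OLM v0 checks (create Subscription and OperatorGroup, patch InstallPlan for manual approval) is an assumed typical installer set, and the namespace, ServiceAccount and SCC names are placeholders passed as arguments. For OLM v1 it probes only the caller's right to create the ClusterExtension; the installer ServiceAccount named in the ClusterExtension spec has its own RBAC gate that this probe does not evaluate.

```shell
#!/usr/bin/env sh
# Added example, not part of the original record. Probes the RBAC gates
# between a session identity and a running operator workload: the OLM
# resources of the chosen generation (v0 = Subscription/OperatorGroup/
# InstallPlan, v1 = ClusterExtension) and the "use" permission on an SCC
# for the operator's ServiceAccount. Every probe is `oc auth can-i`, so it
# is evaluated along the same token -> User -> RBAC path the API server
# uses for a real request. Names passed as arguments are placeholders.
set -u

# RBAC checks a human installer typically needs before the OLM chain can
# begin, as "verb:resource.apigroup" tokens (assumed set; adjust to your
# cluster's install policy).
olm_checks() {
  case "$1" in
    v0) echo "create:subscriptions.operators.coreos.com" \
             "create:operatorgroups.operators.coreos.com" \
             "patch:installplans.operators.coreos.com" ;;
    v1) echo "create:clusterextensions.olm.operatorframework.io" ;;
    *)  echo "unknown OLM generation: $1" >&2; return 2 ;;
  esac
}

# can_i VERB RESOURCE [oc flags...]: prints one report line and returns 0
# only when the API server answers "yes". A missing oc binary or an RBAC
# error (for example no impersonation right) is reported as "error" and
# treated as a denial rather than silently passing.
can_i() {
  verb=$1; res=$2; shift 2
  answer=$(oc auth can-i "$verb" "$res" "$@" 2>/dev/null) || true
  printf '%-6s %-58s %s\n' "$verb" "$res" "${answer:-error}"
  [ "$answer" = "yes" ]
}

# verify_access GENERATION NAMESPACE SERVICEACCOUNT SCC
# Returns 0 only if every gate is open, otherwise the number of denials
# (2 for an unknown generation). The SCC probe impersonates the workload
# ServiceAccount, because SCC admission is evaluated for the pod's SA,
# not for the human who created the Subscription or ClusterExtension.
verify_access() {
  gen=$1; ns=$2; sa=$3; scc=$4; failed=0
  checks=$(olm_checks "$gen") || return 2
  for check in $checks; do
    can_i "${check%%:*}" "${check#*:}" -n "$ns" || failed=$((failed + 1))
  done
  can_i use "securitycontextconstraints.security.openshift.io/$scc" \
    --as="system:serviceaccount:$ns:$sa" -n "$ns" || failed=$((failed + 1))
  return "$failed"
}

# Usage: ./olm-access-probe.sh v0 openshift-operators my-operator-sa restricted-v2
if [ $# -eq 4 ]; then
  verify_access "$@"
fi
```

Run it once as the installing user and once more after revoking that user's OAuthAccessToken: the second run reports "error" on every line, which is the revocation propagating through the whole chain that the record describes. Impersonating a ServiceAccount with `--as` requires the `impersonate` verb on `serviceaccounts`; without it the SCC line is reported as denied, which is the safe default for a pre-install gate check.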