
Prizm Security Architecture

Prizm implements a comprehensive security model designed to provide robust protection and flexible access management. The security architecture addresses the complex requirements of modern enterprises while maintaining usability.

Security Design Principles

Defense in Depth

Multiple security layers protect critical assets — no single control point is a single point of failure.

Least Privilege

Users receive the minimum access needed for their role, scoped to specific resources.

Zero Trust Architecture

Continuous verification regardless of network location. Trust is never assumed.

Privacy by Design

Data protection controls are built into the core architecture, not bolted on.

Data Protection

Prizm employs comprehensive data protection measures across the entire data lifecycle:
Mechanism | Detail
Encryption at Rest | AES-256 encryption for all stored data
Encryption in Transit | TLS 1.3 for all network communication
Data Classification | Automated tagging system categorizes data sensitivity
Access Controls | Fine-grained permissions based on data classification
Masking & Tokenization | PII/sensitive data protection for authorized viewing
Audit Logging | Comprehensive tracking of all data access and modifications

Compliance Framework

Prizm is designed to help organizations meet regulatory requirements including:
  • Built-in controls for data subject rights, consent management, data minimization, and breach notification workflows.
  • Tools to support consumer rights requests, data inventory, and opt-out of sale workflows.
  • PHI classification, access controls, and audit trails aligned with HIPAA Security Rule requirements.
  • Comprehensive audit capabilities and built-in controls aligned with SOC 2 trust service criteria.
  • Information security management controls and reporting tools that streamline certification.

Role-Based Access Control (RBAC)

Prizm uses a flexible RBAC model with optional attribute-based constraints (ABAC).

Standard Roles

Role | Priority | Permissions Summary
Member | 1 | Read-only for non-sensitive assets; can request access
Steward | 2 | Limited to assigned resources; can edit metrics/sources, but not security
Owner | 3 | Full control of owned domains/apps/products; manage semantics, metrics, sources
Admin | 4 | Full access to all resources; can manage security, approve anything
Custom | 5+ | Tailored by admins (e.g., Data Scientist, ViewerPII) with specific filters

Permission Matrix

Permission | Admin | Owner | Steward | Member | Custom
Create/Edit Security |  |  |  |  | Configurable
Create/Edit Semantics |  |  |  |  | Configurable
Create/Edit Sources |  |  |  |  | Configurable
Create/Edit Metrics / Queries |  |  |  |  | Configurable
Approve Resources |  |  |  |  | Configurable
View / Request Access |  |  |  |  | Configurable

Access Evaluation Logic

At runtime, Prizm determines effective permissions through the following steps:
  1. Identify the requesting user and their group memberships
  2. Collect all applicable role assignments (direct and via groups)
  3. Determine effective permissions based on role precedence (highest-role-wins)
  4. Apply tag-based or attribute-based constraints (allow/deny lists)
  5. Make final access decision and enforce at runtime

Important: If a resource is tagged with deny, access to that resource is denied, even if other resources in the same assignment are tagged allow. Deny always wins at the resource level.

SSO Integration

Prizm supports comprehensive Single Sign-On (SSO) integration with major identity providers:
  • SAML 2.0 — Okta, Azure AD, OneLogin
  • OAuth 2.0 / OpenID Connect — Standard authorization and authentication frameworks
  • LDAP — Directory services for enterprise authentication

Assignment Structure

Assignments map users or groups to roles on specific resources, with optional tag constraints:
{
  "assignee_type": "user|group",
  "assignee_id": "[user_id|group_id]",
  "resources": [
    {
      "resource_type": "domain|product|app|connection",
      "resource": "[resource_id]",
      "resource_role": "admin|owner|steward|member|custom",
      "role_priority": 1,
      "resource_constraints": {
        "allow": ["tag1", "tag2"],
        "deny": ["PII"]
      }
    }
  ]
}

Example Assignments

{
  "resources": [
    {
      "resource_type": "domain",
      "resource_role": "owner",
      "role_priority": 3,
      "resource": "Customer360",
      "resource_constraints": { "allow": ["*"] }
    },
    {
      "resource_type": "domain",
      "resource_role": "owner",
      "role_priority": 3,
      "resource": "Marketing",
      "resource_constraints": { "allow": ["*"] }
    }
  ]
}

{
  "resources": [
    {
      "resource_type": "product",
      "resource_role": "member",
      "role_priority": 1,
      "resource": "MarketingData",
      "resource_constraints": { "deny": ["PII"] }
    }
  ]
}

{
  "resources": [
    {
      "resource_type": "*",
      "resource_role": "admin",
      "role_priority": 5,
      "resource": "*",
      "resource_constraints": { "allow": ["*"] }
    }
  ]
}
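
The five steps under Access Evaluation Logic, applied to assignments in the structure shown above, as an added Python sketch that is not Prizm's own code. It assumes that "*" is a wildcard, that a missing allow list permits any tag, and that a deny match in any applicable assignment blocks the resource; the function names, the user and group ids, and the shape of the resource dict are hypothetical.

```python
# Added example: a sketch of the five evaluation steps, not Prizm's code.
# Assumptions: "*" is a wildcard; a missing "allow" list means allow all;
# a deny match in ANY applicable entry blocks the resource (deny wins).

def matches(patterns, values):
    """True if the pattern list contains "*" or shares an item with values."""
    return "*" in patterns or bool(set(patterns) & set(values))

def evaluate(user, groups, assignments, resource):
    """Return (decision, role) for one resource dict with type, id and tags."""
    principals = {("user", user)} | {("group", g) for g in groups}   # step 1
    entries = [                                                      # step 2
        e for a in assignments
        if (a["assignee_type"], a["assignee_id"]) in principals
        for e in a["resources"]
        if matches([e["resource_type"]], [resource["type"]])
        and matches([e["resource"]], [resource["id"]])
    ]
    if not entries:
        return ("deny", None)  # no applicable assignment: default deny
    # Step 4, deny lists: checked before precedence so that deny always wins.
    for e in entries:
        deny = e.get("resource_constraints", {}).get("deny", [])
        if matches(deny, resource["tags"]):
            return ("deny", e["resource_role"])
    # Step 3: highest-role-wins among the applicable entries.
    best = max(entries, key=lambda e: e["role_priority"])
    allow = best.get("resource_constraints", {}).get("allow", ["*"])
    # Step 4, allow lists, then step 5: the final decision.
    if matches(allow, resource["tags"]):
        return ("allow", best["resource_role"])
    return ("deny", best["resource_role"])

ASSIGNMENTS = [  # constructed sample data modeled on the page's examples
    {"assignee_type": "user", "assignee_id": "alice", "resources": [
        {"resource_type": "product", "resource": "MarketingData",
         "resource_role": "owner", "role_priority": 3,
         "resource_constraints": {"allow": ["*"]}}]},
    {"assignee_type": "group", "assignee_id": "analysts", "resources": [
        {"resource_type": "product", "resource": "MarketingData",
         "resource_role": "member", "role_priority": 1,
         "resource_constraints": {"deny": ["PII"]}}]},
]
```

With this data, a user who is an owner directly and a member through the analysts group is still refused a PII-tagged resource, because the group assignment's deny list matches before role precedence is consulted.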

Database Schema

Core Security Tables

Table | Purpose
users, groups, user_groups | Identity model for user and group management
roles, permissions, role_permissions | Role definitions with associated permission sets
assignments | Grants roles to users/groups scoped to specific resources
resources | Flattened table with all resource types (domain, app, tag, etc.)
role_precedence | Ensures conflict resolution by priority ranking
resource_tags, app_domains | Optional mappings between loosely coupled assets