
Real-Time Synchronization

Open-SSPM uses provider push where available, cursor-based tailing where possible, and periodic full reconciliation everywhere. Push and tail improve freshness, but full sync remains the correctness repair loop.

Data Model

  • event_inbox stores raw push deliveries for retry, dead-letter triage, and delivery-level dedupe.
  • events stores canonical provider evidence. It is partitioned by received_at.
  • event_targets stores every normalized target for multi-target provider events. The singular events.target_* fields are only primary-target denormalization for common queries.
  • event_dedupe_keys is the global idempotency ledger. It prevents duplicate canonical events across partition boundaries.
  • connector_cursor_state stores tail cursors, watermarks, error state, and full-resync flags per source/resource.
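The interplay between the tail cursor, the overlap re-read and the global dedupe ledger is easiest to see in code. The following is an added example, not Open-SSPM's own code: it models three of the tables above (events, event_dedupe_keys, connector_cursor_state) with a minimal in-memory SQLite schema and runs the watermark-overlap tail that the Provider Coverage table lists for Okta and Google Workspace. The column set, the 60-second overlap window, the dedupe-key format and the provider log are all assumptions constructed for the example.

```python
"""Watermark-overlap tail feeding a partition-independent dedupe ledger.

Added example, not Open-SSPM's own code. Schema, overlap window, key shape
and the provider log below are assumptions constructed for illustration.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
OVERLAP = timedelta(seconds=60)                    # assumed re-read window behind the watermark
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # watermark used before the first tail run

# Constructed provider log: (provider event id, published time, action, primary target).
# evt-2 appears twice to show the ledger absorbing a provider-side replay.
PROVIDER_LOG = [
    ("evt-1", "2024-05-01T10:00:00Z", "user.lifecycle.create", "user:alice"),
    ("evt-2", "2024-05-01T10:00:30Z", "group.user_membership.add", "group:admins"),
    ("evt-3", "2024-05-01T10:01:10Z", "application.user_membership.add", "app:vault"),
    ("evt-2", "2024-05-01T10:00:30Z", "group.user_membership.add", "group:admins"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        -- In the real store `events` is partitioned by received_at, so a unique index
        -- on event_id cannot span partitions; event_dedupe_keys enforces that instead.
        CREATE TABLE events (
            received_at TEXT NOT NULL, event_id TEXT NOT NULL, source TEXT NOT NULL,
            occurred_at TEXT NOT NULL, action TEXT NOT NULL, target_id TEXT NOT NULL,
            PRIMARY KEY (received_at, event_id));
        CREATE TABLE event_dedupe_keys (dedupe_key TEXT PRIMARY KEY, event_id TEXT NOT NULL);
        CREATE TABLE connector_cursor_state (
            source TEXT NOT NULL, resource TEXT NOT NULL, watermark TEXT NOT NULL,
            last_error TEXT, PRIMARY KEY (source, resource));
    """)
    return conn


def provider_view(snapshot):
    """Stand-in for a provider log API: entries published at or after `since`."""
    def fetch(since: datetime):
        return [e for e in snapshot if parse_ts(e[1]) >= since]
    return fetch


def tail_once(conn, source, resource, fetch):
    """One tail job: re-read from watermark - OVERLAP, write only unseen events.

    Returns the number of canonical events written, or None if the fetch failed;
    in that case the error lands in connector_cursor_state.last_error and the
    watermark is left untouched so the next run retries the same window.
    """
    row = conn.execute("SELECT watermark FROM connector_cursor_state WHERE source=? AND resource=?",
                       (source, resource)).fetchone()
    watermark = parse_ts(row[0]) if row else EPOCH
    try:
        batch = fetch(watermark - OVERLAP)
    except Exception as exc:  # provider outage, auth failure, throttling ...
        conn.execute("INSERT OR REPLACE INTO connector_cursor_state VALUES (?, ?, ?, ?)",
                     (source, resource, watermark.strftime(TS_FMT), str(exc)))
        conn.commit()
        return None
    received_at = datetime.now(timezone.utc).strftime(TS_FMT)
    written, newest = 0, watermark
    for event_id, published, action, target in batch:
        dedupe_key = f"{source}:{event_id}"  # assumed key shape
        try:
            conn.execute("INSERT INTO event_dedupe_keys VALUES (?, ?)", (dedupe_key, event_id))
        except sqlite3.IntegrityError:
            continue  # already canonical: overlap re-read or provider replay
        conn.execute("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)",
                     (received_at, event_id, source, published, action, target))
        written += 1
        newest = max(newest, parse_ts(published))
    conn.execute("INSERT OR REPLACE INTO connector_cursor_state VALUES (?, ?, ?, NULL)",
                 (source, resource, newest.strftime(TS_FMT)))
    conn.commit()
    return written


def demo():
    """Three tail runs over a growing provider log, then one failing fetch."""
    conn = open_store()
    runs = [tail_once(conn, "okta", "system_log", provider_view(PROVIDER_LOG[:2])),
            tail_once(conn, "okta", "system_log", provider_view(PROVIDER_LOG)),
            tail_once(conn, "okta", "system_log", provider_view(PROVIDER_LOG))]

    def broken(since):
        raise RuntimeError("HTTP 429 from provider")

    failed = tail_once(conn, "okta", "system_log", broken)
    total = conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    state = conn.execute("SELECT watermark, last_error FROM connector_cursor_state").fetchone()
    return runs, failed, total, state


if __name__ == "__main__":
    print(demo())  # ([2, 1, 0], None, 3, ('2024-05-01T10:01:10Z', 'HTTP 429 from provider'))
```

The second run re-reads evt-1 and evt-2 because of the overlap window and sees evt-2 twice from the provider, yet only evt-3 reaches events; the ledger insert, not the events table, is what decides. The failing fourth run shows why last_error lives on the cursor row: the watermark is preserved, so nothing is skipped once the provider recovers.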

Worker Lanes

| Command | Role |
| --- | --- |
| `open-sspm worker` | Full reconciliation and drift repair |
| `open-sspm worker --lane event-inbox` | Event inbox processing |
| `open-sspm worker --lane tail` | Cursor-based incremental tail jobs |
| `open-sspm worker --lane evaluator` | Event policy evaluation and canonical finding projection |

Worker processes also maintain daily events and event_targets partitions. They create partitions ahead of time and drop expired daily partitions according to EVENT_RETENTION_DAYS.

Provider Coverage

| Provider | Push | Tail | Full |
| --- | --- | --- | --- |
| Okta | Event Hook and EventBridge ingest through the generic event inbox | System Log watermark-overlap tail | Users, groups, apps, assignments |
| Google Workspace | Not enabled yet | Reports activities watermark-overlap tail | Users, groups, grants, app inventory |
| Datadog | Preview forwarding is not enabled | Audit Logs API tail | Users and role assignments |
| AWS Identity Center | Customer relay is not enabled | CloudTrail LookupEvents tail when CloudTrail is configured | Identity Store and SSO Admin inventory |
| Microsoft Entra ID | Not enabled yet | Delta remains coupled to the full sync path | Graph reconciliation |
| GitHub | Not enabled yet | Audit API not enabled yet | REST/GraphQL reconciliation |
| Vault | No native direct push | Not enabled without a customer audit collector | Vault API reconciliation |

Capability metadata reflects executable behavior. Future push or tail surfaces should not be advertised until verification, signature validation, dedupe, cursor handling, and canonical writes exist.

Event Policy Evaluation

Canonical event evaluation writes canonical findings. Suppression, attestation, override, evidence, and historical reporting metadata stay on that findings path so each view can render user-facing state without querying raw event policy output.

Run the event evaluator worker:

```bash
just worker evaluator
```

Operational Checks

  • opensspm_worker_lane_up{lane="tail"} should be 1 when the tail worker is running.
  • opensspm_worker_lane_up{lane="evaluator"} should be 1 when the event evaluator worker is running.
  • opensspm_event_partition_maintenance_runs_total{status="success"} should increase on worker startup and then every maintenance interval.
  • opensspm_event_partition_ensured_until_timestamp_seconds should stay ahead of the current date.
  • Tail cursor failures are visible in connector_cursor_state.last_error and sync run failures where sync_runs.run_mode = 'tail'.
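The four metric checks above can be evaluated mechanically against a scrape of the worker's metrics endpoint. The following is an added example, not Open-SSPM's own code: it parses Prometheus text exposition and reports which checks fail. The metric names come from the list above; the sample scrape is constructed, and the headroom parameter (how far past the current time partition coverage must extend) is an assumption with a default that matches the "stay ahead of the current date" rule. The last check in the list is a database query on connector_cursor_state and sync_runs rather than a metric, so it is not covered here.

```python
"""Evaluate the Operational Checks against a scraped /metrics text.

Added example, not Open-SSPM's own code. Metric names are from the
Operational Checks list; the scrape text is constructed.
"""
import re
import time

LINE_RE = re.compile(r'^([A-Za-z_:][\w:]*)(\{[^}]*\})?\s+(\S+)$')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed scrape: the tail lane is down and partition maintenance has not
# succeeded yet, so both conditions should be reported.
SAMPLE_SCRAPE = """\
# HELP opensspm_worker_lane_up Whether a worker lane is running
# TYPE opensspm_worker_lane_up gauge
opensspm_worker_lane_up{lane="tail"} 0
opensspm_worker_lane_up{lane="evaluator"} 1
opensspm_worker_lane_up{lane="event-inbox"} 1
opensspm_event_partition_maintenance_runs_total{status="success"} 0
opensspm_event_partition_maintenance_runs_total{status="error"} 3
opensspm_event_partition_ensured_until_timestamp_seconds 1.7e9
"""


def parse_metrics(text):
    """Parse Prometheus text exposition into {(name, frozenset(labels)): value}."""
    metrics = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # histogram buckets, timestamps etc. are not needed here
        name, labels, value = m.groups()
        metrics[(name, frozenset(LABEL_RE.findall(labels or "")))] = float(value)
    return metrics


def failing_checks(metrics, now=None, headroom_seconds=0):
    """Return a description of every Operational Check that does not hold."""
    now = time.time() if now is None else now

    def get(name, **labels):
        return metrics.get((name, frozenset(labels.items())))

    failures = []
    for lane in ("tail", "evaluator"):
        if get("opensspm_worker_lane_up", lane=lane) != 1:
            failures.append(f"lane {lane} not up")
    successes = get("opensspm_event_partition_maintenance_runs_total", status="success") or 0
    if successes <= 0:
        failures.append("no successful partition maintenance run")
    ensured = get("opensspm_event_partition_ensured_until_timestamp_seconds")
    # Partition coverage must reach past now (plus any headroom the operator wants).
    if ensured is None or ensured - now <= headroom_seconds:
        failures.append("partition coverage does not extend past the current time")
    return failures


if __name__ == "__main__":
    for problem in failing_checks(parse_metrics(SAMPLE_SCRAPE), now=1.7e9 - 3600):
        print("CHECK FAILED:", problem)
```

The counter check only tests that at least one success has been recorded; in a live deployment the "increase every maintenance interval" condition belongs in a rate or increase expression in the metrics backend, since a single scrape cannot show change over time.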

Released under the MIT License.