# Active Directory: Node & Edge Schema

## Node Types
The following entity types are extracted from Active Directory and represented as nodes in the graph:
| Node Type | Description | 
|---|---|
| User | An Active Directory user object | 
| Group | A security or distribution group | 
| Computer | A computer object joined to the directory | 
These nodes are uniquely identified by their ObjectIdentifier (OID) from Active Directory.
## Edge Relationships

| Edge Type | From Node | To Node | Description |
|---|---|---|---|
| IS_MEMBER_OF | User or Group | Group | Indicates membership in a group |
| HAS_MEMBER | Group | User or Group | Inverse of IS_MEMBER_OF |
| CONTAINS | Container | User, Group, or Computer | Represents the directory containment hierarchy |
| IS_CONTAINED_BY | User, Group, or Computer | Container | Inverse of CONTAINS |
| CAN_ACCESS | User or Computer | Resource | Indicates an access permission on a target resource |
These relationships allow the system to perform identity graph analysis, access modeling, and permission auditing across imported AD entities.
## Example

Here is a simplified example of how these relationships might appear in the graph:

```cypher
(User)-[:IS_MEMBER_OF]->(Group)
(Group)-[:HAS_MEMBER]->(User)
(User)-[:IS_CONTAINED_BY]->(OU)
(OU)-[:CONTAINS]->(Computer)
(Computer)-[:CAN_ACCESS]->(Resource)
```
## Notes

- Containers are inferred objects such as Organizational Units (OUs).
- Resources may be created by other adapters (e.g., AWS, Azure) but can be linked to AD identities via edges like CAN_ACCESS.
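The following is an added example, not part of the project's own code, showing how the schema above can be enforced and queried in plain Python: it validates that every edge joins the node types the tables allow, materialises the inverse edges (HAS_MEMBER, IS_CONTAINED_BY), and resolves nested group membership for permission auditing. All ObjectIdentifiers, OU names and the resource ARN are constructed sample values.

```python
from collections import deque
# Allowed (source types, target types) per edge, taken from the schema tables above.
SCHEMA = {
    "IS_MEMBER_OF": ({"User", "Group"}, {"Group"}),
    "HAS_MEMBER": ({"Group"}, {"User", "Group"}),
    "CONTAINS": ({"Container"}, {"User", "Group", "Computer"}),
    "IS_CONTAINED_BY": ({"User", "Group", "Computer"}, {"Container"}),
    "CAN_ACCESS": ({"User", "Computer"}, {"Resource"}),
}
INVERSE = {"IS_MEMBER_OF": "HAS_MEMBER", "CONTAINS": "IS_CONTAINED_BY"}
# Constructed sample graph (made-up identifiers): nodes keyed by ObjectIdentifier.
NODES = {
    "S-1-5-21-100-1001": "User",       # alice
    "S-1-5-21-100-2001": "Group",      # Helpdesk
    "S-1-5-21-100-2002": "Group",      # Tier1-Operators (Helpdesk is nested in it)
    "S-1-5-21-100-3001": "Computer",   # WS01
    "OU=Workstations,DC=example,DC=com": "Container",
    "arn:aws:s3:::example-bucket": "Resource",   # created by another adapter
}
EDGES = [
    ("S-1-5-21-100-1001", "IS_MEMBER_OF", "S-1-5-21-100-2001"),
    ("S-1-5-21-100-2001", "IS_MEMBER_OF", "S-1-5-21-100-2002"),
    ("OU=Workstations,DC=example,DC=com", "CONTAINS", "S-1-5-21-100-3001"),
    ("S-1-5-21-100-3001", "CAN_ACCESS", "arn:aws:s3:::example-bucket"),
    # Schema violation: the table only allows User or Computer as a CAN_ACCESS source.
    ("S-1-5-21-100-2002", "CAN_ACCESS", "arn:aws:s3:::example-bucket"),
]

def validate(nodes, edges):
    """Return the edges whose endpoint node types the schema does not permit."""
    return [(s, r, d) for s, r, d in edges
            if nodes[s] not in SCHEMA[r][0] or nodes[d] not in SCHEMA[r][1]]

def with_inverses(edges):
    """Materialise the inverse edge (HAS_MEMBER, IS_CONTAINED_BY) for each forward edge."""
    out = set(edges)
    for s, r, d in edges:
        if r in INVERSE:
            out.add((d, INVERSE[r], s))
    return out

def effective_groups(oid, edges):
    """Every group a principal belongs to, following nested IS_MEMBER_OF edges."""
    seen, queue = set(), deque([oid])
    while queue:
        cur = queue.popleft()
        for s, r, d in edges:
            if s == cur and r == "IS_MEMBER_OF" and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen
```

Running `validate(NODES, EDGES)` flags only the Group-sourced CAN_ACCESS edge, and `effective_groups` returns both Helpdesk and the group it is nested in for alice.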