AODIM Architecture Document

Attribute-Oriented Directory & Identity Model — technical architecture

Author

Michael Stratton

Published

April 1, 2026

AODIM — Attribute-Oriented Directory & Identity Model

Executive Summary

Modern enterprises using cloud identity platforms face a mismatch between dynamic organizational structures and static access control models. AODIM addresses this by making identity attributes the authoritative driver of access, enabling automated, deterministic, and scalable identity governance.

Core Principle

Identity attributes define organizational structure; access is computed, not assigned.

Problem Statement

Traditional directory systems rely on hierarchical placement in organizational units (OUs), which does not translate well to cloud environments. This leads to:

- Manual access management

- Poor handling of role changes (movers)

- Over-permissioning

- Audit complexity

Architecture Overview

Technical architecture diagram showing the AODIM attribute flow: HR System…

HR System → Identity Attributes → Dynamic Groups → Access & Policy Enforcement

Attribute Model

Key attributes include:

- orgPath (hierarchical string)

- orgCode (normalized identifier)

- department

- costCenter

- manager

Example:

orgPath = CORP/US/EAST/BALTIMORE/IT

Dynamic Group Model

Groups are defined by rules:

- Node groups (exact match)

- Branch groups (hierarchical match)

- Functional groups (role/department)

Example Rules:

user.orgPath -startsWith "CORP/US/EAST"

user.orgPath -eq "CORP/US/EAST/BALTIMORE/IT"

Delegation Model

Side-by-side comparison diagram: Left panel labeled 'Legacy OU-Based…

Administrative Units and scoped roles replace OU-based delegation.

Operational Flow

Operational flow diagram showing the AODIM runtime cycle: Identity Event…

HR updates → Attribute change → Group recalculation → Access update

Key Benefits

- Automatic access alignment

- Deterministic and explainable access

- Reduced operational overhead

- Continuous least privilege

Risks and Mitigations

- Data quality → validation pipelines

- Group sprawl → naming standards

- Complexity → governance model

Reference Implementation

Includes:

- Attribute schema

- Dynamic group rules

- CLI tool for simulation and explanation

CLI Example

Commands:

orgtree explain

orgtree move CORP/US/WEST/SEATTLE/HR

Demonstrates automatic access recalculation.
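The following simulator is an added example (not the reference implementation or the orgtree tool) of the dynamic group model and the operational flow above: it evaluates node, branch and functional rules against a user's attributes, derives access from group membership only, explains each entitlement, and replays a mover event to show the access delta. All group names, entitlements and the user record are constructed for the example; the branch rule enforces a "/" segment boundary, a hardening assumption beyond the page's -startsWith rule, so that "CORP/US/EAST" cannot also capture "CORP/US/EASTERN/...".

```python
# Constructed AODIM-style rule set and user (example data, not the project's schema).
# kind: "node" = exact orgPath match, "branch" = hierarchical, "functional" = department.
GROUP_RULES = {
    "G-Node-Baltimore-IT": ("node", "CORP/US/EAST/BALTIMORE/IT"),
    "G-Branch-US-East": ("branch", "CORP/US/EAST"),
    "G-Branch-US-West": ("branch", "CORP/US/WEST"),
    "G-Func-IT": ("functional", "IT"),
    "G-Func-HR": ("functional", "HR"),
}
# Entitlements hang off groups; no user ever receives a direct assignment.
GROUP_ACCESS = {
    "G-Node-Baltimore-IT": {"baltimore-it-admin"},
    "G-Branch-US-East": {"east-shared-drive"},
    "G-Branch-US-West": {"west-shared-drive"},
    "G-Func-IT": {"helpdesk-console"},
    "G-Func-HR": {"hris-reader"},
}
USER = {"orgPath": "CORP/US/EAST/BALTIMORE/IT", "department": "IT", "costCenter": "4410", "manager": "jdoe"}

def rule_matches(kind, value, attrs):
    if kind == "node":
        return attrs["orgPath"] == value
    if kind == "branch":
        # Segment-aware prefix so "CORP/US/EAST" does not also capture "CORP/US/EASTERN/..." (hardening assumption).
        path = attrs["orgPath"]
        return path == value or path.startswith(value + "/")
    if kind == "functional":
        return attrs["department"] == value
    raise ValueError(f"unknown rule kind: {kind}")

def compute_groups(attrs):
    return {g for g, (kind, value) in GROUP_RULES.items()
            if rule_matches(kind, value, attrs)}

def compute_access(groups):
    return set().union(*(GROUP_ACCESS[g] for g in groups))

def explain(attrs):
    """Like 'orgtree explain': trace each entitlement to the group and rule granting it."""
    return {perm: (g, GROUP_RULES[g]) for g in sorted(compute_groups(attrs))
            for perm in GROUP_ACCESS[g]}

def move(attrs, new_org_path):
    """Like 'orgtree move': apply the HR change and return (new_attrs, gained, lost).
    Assumes department equals the leaf segment of orgPath (sample simplification)."""
    before = compute_access(compute_groups(attrs))
    new_attrs = dict(attrs, orgPath=new_org_path, department=new_org_path.rsplit("/", 1)[-1])
    after = compute_access(compute_groups(new_attrs))
    return new_attrs, after - before, before - after
```

Running move(USER, "CORP/US/WEST/SEATTLE/HR") shows the mover losing every Baltimore and East entitlement and gaining only the West and HR ones, with nothing left to revoke by hand.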

Strategic Impact

- Enables Zero Trust

- Aligns HR, IT, Security

- Supports SaaS environments

Conclusion

AODIM transforms identity into a dynamic control plane where access follows the user automatically.
