An Entitlement is permission to access something. In Common Fate, an entitlement consists of the following components:

TargetThe resource the entitlement grants access to, such as an AWS Account or GCP Project.
RoleThe permissions the entitlement grants to the target resource, such as AdministratorAccess or roles/editor.

Access Workflow

An Access Workflow is configuration which defines the duration that entitlements are made available for. Access workflows contain

Entity Identifier (EID)

Common Fate uses Cedar EIDs to represent resources. An example of an EID is AWS::Account::"123456789012".

EIDs consist of a type (AWS::Account) and an ID (123456789012). The type indicates the particular type of resource being granted access to.

Core Identity

A Core Identity is Common Fate’s identifier for a particular user or service account. For a user, Common Fate’s identifier looks like this: CF::User::"usr_2ZDvUXOkW9VX9qSjupKLKxRypGN".

Domain Identity

A Domain Identity is a user identifier in a system integrated with Common Fate.


A Grant is time-bound access to an Entitlement.

Access Request

An Access Request is a collection of Grants requested by a user. Common Fate allows multiple entitlements to be requested together, and these are grouped together as an Access Request to make reviewing and approval easier. By default, approval actions will act on all Grants contained in an Access Request.