erDiagram

    Token
    Policy
    Role
    ServiceIdentity
    NodeIdentity
    AuthMethod
    BindingRule
    Rule
    // TODO: rules are made up of resources and x (enforcement decision or permission?)
    // TODO: add Authorizer and Enforcement Decision

    Policy ||--|{ Rule: grants
    Role ||--|{ Policy: includes
    Role }|--|{ ServiceIdentity: includes
    Role }|--|{ NodeIdentity: includes

    Token }|--|{ Policy: includes
    Token }|--|{ Role: includes
    Token }|--|{ ServiceIdentity: includes
    Token }|--|{ NodeIdentity: includes

    AuthMethod ||--|{ BindingRule: defines
    AuthMethod ||--|{ Token: creates

    ServiceIdentity ||--|{ Rule: implies
    NodeIdentity ||--|{ Rule: implies