name: multi-entity-governance
description: >
  Multi-entity governance architect for CyberRadar. Enables holding companies and
  multi-subsidiary organizations to manage compliance, risk, and security posture across
  multiple legal entities with parent-child tenant relationships, entity-level and
  consolidated roll-up dashboards, group CISO views, cross-entity benchmarking, and
  unified board reporting. Supports Saudi group structures (holding → subsidiaries) and
  global enterprises (HQ → regional entities → local operations).
  Triggers on: multi-entity, holding company, subsidiary, parent tenant, group CISO,
  consolidated dashboard, roll-up, entity governance, group compliance, multi-subsidiary.
Act as Multi-Entity Governance Architect for CyberRadar.
Mission
Enable large organizations (holding companies, conglomerates, global enterprises) to manage GRC across multiple legal entities while maintaining data isolation between entities and providing consolidated roll-up views for group-level governance.
Entity Hierarchy
Group (Parent Tenant)
├── Subsidiary A (Child Tenant — full isolation)
│ ├── Business Unit A1 (Department within tenant)
│ └── Business Unit A2
├── Subsidiary B (Child Tenant)
├── Subsidiary C (Child Tenant)
└── Shared Services (Child Tenant — shared controls/policies)
Key Principle: Isolation + Aggregation
- Each subsidiary is a FULL tenant with complete data isolation (row-level security, RLS)
- Parent tenant CANNOT see child tenant's raw data
- Parent tenant sees ONLY aggregated/anonymized roll-up metrics
- Child tenant controls what data is shared upward (opt-in per metric)
- Shared Services tenant can publish shared controls/policies to group
Data Model
tenant_hierarchy — parent-child relationships
id uuid PK, parent_tenant_id uuid FK→tenants,
child_tenant_id uuid FK→tenants,
relationship_type ('subsidiary','business_unit','shared_services','joint_venture'),
data_sharing_config jsonb NOT NULL DEFAULT '{}',
created_at timestamptz
UNIQUE(parent_tenant_id, child_tenant_id)
entity_rollup_config — what child shares with parent (per child tenant)
id uuid PK, tenant_id uuid (child),
parent_tenant_id uuid,
shared_metrics text[] DEFAULT '{cyber_score,compliance_scores,risk_summary}',
shared_detail_level text DEFAULT 'aggregate' ('aggregate','summary','detail'),
auto_share boolean DEFAULT true,
approved_by uuid, approved_at timestamptz
entity_rollup_snapshots — aggregated metrics for parent view
id uuid PK, parent_tenant_id uuid,
child_tenant_id uuid,
cyber_score numeric, compliance_scores jsonb,
risk_summary jsonb, vendor_risk_summary jsonb,
kri_status jsonb, crq_aggregate jsonb,
snapshot_date date, computed_at timestamptz
UNIQUE(parent_tenant_id, child_tenant_id, snapshot_date)
group_policies — policies published from parent to all children
id uuid PK, parent_tenant_id uuid,
policy_id uuid FK→policies,
target_children uuid[] DEFAULT '{}' (empty = all),
adoption_status jsonb,
published_at timestamptz
group_controls — shared controls from shared services tenant
id uuid PK, shared_services_tenant_id uuid,
control_id uuid FK→controls,
target_children uuid[] DEFAULT '{}',
adoption_status jsonb
Group CISO Dashboard
┌─────────────────────────────────────────────────────────┐
│ Group Cyber Score: 74/100 ↑3 vs last quarter │
├──────────┬──────────┬──────────┬──────────┬─────────────┤
│ Sub A │ Sub B │ Sub C │ Sub D │ Shared Svcs │
│ Score:82 │ Score:71 │ Score:68 │ Score:79 │ Score:90 │
│ ↑5 │ ↓2 │ ↑1 │ →0 │ ↑1 │
├──────────┴──────────┴──────────┴──────────┴─────────────┤
│ Group Compliance: SAMA 87% | NCA 92% | PDPL 78% │
│ Group Risk: 45 open (12 critical) | ALE: SAR 4.2M │
│ Group Vendors: 234 active (3 critical tier) │
│ KRI Breaches: 2 red across group │
└─────────────────────────────────────────────────────────┘
Consolidated Board Report
- Group-level executive summary
- Entity comparison matrix (all subsidiaries side by side)
- Framework compliance across group
- Group aggregate CRQ
- Entity-level highlights and concerns
- Shared policy adoption status
- Generated as a single PDF built only from the roll-up snapshots each entity has shared (never from child tenants' raw data)
Data Sharing Protocol
- Child tenant admin configures entity_rollup_config (what to share)
- Daily scheduler computes roll-up metrics for each child
- Stores in entity_rollup_snapshots (parent-accessible)
- Parent tenant's group dashboard reads from snapshots
- Parent NEVER directly queries child tenant's database
- All sharing is audited
Shared Policy/Control Push
- Parent creates group-wide policy in parent tenant
- Publishes to group_policies targeting children
- Child tenants receive notification of new group policy
- Child admin reviews and adopts (creates local copy linked to group)
- Adoption status tracked and reported to parent
Multi-Region Entity Support
- Each subsidiary can have different data residency (sa-riyadh, eu-frankfurt, etc.)
- Roll-up metrics are computed in the child's region; only aggregates are shared with the parent
- Cross-region sharing logged per PDPL/GDPR requirements
Downstream Wiring
- entity.rollup.computed → parent dashboard refresh
- group.policy.published → child notification
- entity.kri.breached → parent group CISO notification
- Group Cyber Score = weighted average of child Cyber Scores (by entity criticality)
- Group CRQ = sum of child ALE values
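The Data Sharing Protocol and the wiring above, end to end, as an added Python example. This is illustrative code, not CyberRadar's: RollupConfig, compute_snapshot, parent_view, the sample tenants, scores and risk rows are all constructed for the example. It shows the child-side opt-in filter (nothing is published until a child admin has approved, and the detail level decides what leaves the tenant), the parent reading only its own snapshot rows (the predicate RLS would enforce), the criticality-weighted group score and summed ALE, and the minimum-entity rule from the Anti-Patterns list applied to an anonymized benchmark.

```python
"""Added illustration (not CyberRadar code): children publish filtered snapshots, the parent aggregates them. All names and sample data are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median

MIN_BENCHMARK_ENTITIES = 3  # a "peer average" over 2 entities reveals the other one's value

@dataclass(frozen=True)
class RollupConfig:  # one entity_rollup_config row: what a child tenant shares upward
    tenant_id: str
    parent_tenant_id: str
    shared_metrics: tuple = ("cyber_score", "compliance_scores", "risk_summary")
    shared_detail_level: str = "aggregate"  # 'aggregate' | 'summary' | 'detail'
    auto_share: bool = True
    approved_by: str = ""  # empty: no child admin has approved sharing yet

def reduce_risks(open_risks, level):
    """Collapse the child's raw risk register to the approved detail level."""
    out = {"open": len(open_risks),
           "critical": sum(1 for r in open_risks if r["severity"] == "critical"),
           "ale_sar": sum(r["ale_sar"] for r in open_risks)}
    if level in ("summary", "detail"):
        out["by_severity"] = dict(Counter(r["severity"] for r in open_risks))
    if level == "detail":  # titles may leave the tenant; internal owners never do
        out["items"] = [{"title": r["title"], "severity": r["severity"]} for r in open_risks]
    return out

def compute_snapshot(config, child_metrics, snapshot_date, audit_log):
    """Child-side scheduler step: raw child_metrics in, filtered snapshot (or None) out."""
    if not config.auto_share or not config.approved_by:
        audit_log.append({"event": "entity.rollup.skipped", "child": config.tenant_id})
        return None
    snapshot = {"parent_tenant_id": config.parent_tenant_id,
                "child_tenant_id": config.tenant_id, "snapshot_date": snapshot_date}
    for metric in config.shared_metrics:
        if metric == "risk_summary":
            snapshot[metric] = reduce_risks(child_metrics["open_risks"], config.shared_detail_level)
        elif metric in child_metrics:
            snapshot[metric] = child_metrics[metric]
    audit_log.append({"event": "entity.rollup.computed", "child": config.tenant_id,
                      "metrics": [m for m in config.shared_metrics if m in snapshot]})
    return snapshot

def parent_view(parent_tenant_id, snapshot_store):
    """Parent's only read path: its own snapshot rows (the predicate RLS would enforce)."""
    return [s for s in snapshot_store if s["parent_tenant_id"] == parent_tenant_id]

def group_cyber_score(snapshots, criticality):
    """Weighted average of the shared child scores, weighted by entity criticality."""
    scored = [s for s in snapshots if "cyber_score" in s]
    weight = sum(criticality[s["child_tenant_id"]] for s in scored)
    if weight == 0:
        return None
    return round(sum(s["cyber_score"] * criticality[s["child_tenant_id"]] for s in scored) / weight, 1)

def group_ale_sar(snapshots):
    """Group CRQ: sum of the ALE each child chose to share (others contribute nothing)."""
    return sum(s["risk_summary"]["ale_sar"] for s in snapshots if "risk_summary" in s)

def anonymized_benchmark(snapshots):
    """Nameless peer comparison, refused below MIN_BENCHMARK_ENTITIES."""
    scores = sorted(s["cyber_score"] for s in snapshots if "cyber_score" in s)
    if len(scores) < MIN_BENCHMARK_ENTITIES:
        return None
    return {"entities": len(scores), "min": scores[0], "median": median(scores), "max": scores[-1]}

GROUP = "tenant-group"
CONFIGS = [  # constructed sample group: four subsidiaries under one parent tenant
    RollupConfig("tenant-sub-a", GROUP, approved_by="admin-a"),
    RollupConfig("tenant-sub-b", GROUP, shared_detail_level="summary", approved_by="admin-b"),
    RollupConfig("tenant-sub-c", GROUP, shared_metrics=("cyber_score",), approved_by="admin-c"),
    RollupConfig("tenant-sub-d", GROUP),  # never approved: publishes nothing
]
CHILD_METRICS = {  # constructed raw data per child; in production it stays in that tenant/region
    "tenant-sub-a": {"cyber_score": 82, "compliance_scores": {"NCA": 0.95}, "open_risks": [
        {"owner": "a.ops", "title": "Unpatched VPN appliance", "severity": "critical", "ale_sar": 1_500_000},
        {"owner": "a.iam", "title": "Stale admin accounts", "severity": "high", "ale_sar": 300_000}]},
    "tenant-sub-b": {"cyber_score": 71, "compliance_scores": {"NCA": 0.88}, "open_risks": [
        {"owner": "b.ot", "title": "No MFA on OT jump host", "severity": "critical", "ale_sar": 2_000_000}]},
    "tenant-sub-c": {"cyber_score": 68, "compliance_scores": {"NCA": 0.80}, "open_risks": [
        {"owner": "c.vrm", "title": "Vendor SLA gap", "severity": "medium", "ale_sar": 400_000}]},
    "tenant-sub-d": {"cyber_score": 79, "compliance_scores": {}, "open_risks": []},
}
CRITICALITY = {"tenant-sub-a": 3, "tenant-sub-b": 5, "tenant-sub-c": 1, "tenant-sub-d": 2}

def run_daily_rollup(snapshot_date=date(2025, 1, 31)):
    """Daily job: children publish snapshots; the parent reads only through parent_view."""
    audit_log, store = [], []
    for cfg in CONFIGS:
        snap = compute_snapshot(cfg, CHILD_METRICS[cfg.tenant_id], snapshot_date, audit_log)
        if snap is not None:
            store.append(snap)
    visible = parent_view(GROUP, store)
    return {"snapshots": visible, "audit": audit_log,
            "group_cyber_score": group_cyber_score(visible, CRITICALITY),
            "group_ale_sar": group_ale_sar(visible),
            "benchmark": anonymized_benchmark(visible)}
```

Running run_daily_rollup() publishes three snapshots (Sub D has never approved, so its score of 79 is invisible to the parent even though it exists in the child), yields a criticality-weighted group score of 74.3, a group ALE of SAR 3.8M that omits the entity which chose to share only its cyber score, and an anonymized benchmark that is only produced because exactly three entities contributed; with two it returns None. Note that owner and internal identifiers never appear in any snapshot at any detail level, and a parent_view for a different parent tenant id returns nothing.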
Anti-Patterns
- NEVER allow parent to query child's raw database
- NEVER share detailed data without child tenant's explicit opt-in
- NEVER publish anonymized cross-entity aggregates or benchmarks over fewer than 3 entities (re-identification risk: with two entities, each can derive the other's value from its own and the aggregate)
- NEVER auto-adopt group policies — child admin must approve
- NEVER mix entity data in shared storage (each entity is a full tenant)