FFO Schema Reference
Complete reference of the 40 entity types and 48 relation types in the Federal Frontier Ontology, organized by infrastructure domain.
The Federal Frontier Ontology defines 40 entity types and 48 relation types organized across 8 schema modules. This page documents every type, grouped by domain.
Compute Domain
Infrastructure entities representing Kubernetes clusters, nodes, and workloads.
Entity Types
| Entity Type | Key Attributes | Description |
|---|---|---|
| cluster | name, environment, classification, fips_enabled | Kubernetes cluster. The primary organizational unit for compute resources. |
| node | name, node_type, status, capacity | Kubernetes node within a cluster. Worker or control plane. |
| deployment | name, namespace, replicas, status | Kubernetes deployment (or equivalent workload). |
| service | name, namespace, service_type, port | Kubernetes service exposing a deployment. |
| image | name, tag, registry, digest | Container image used by deployments. |
| registry | name, url, type | Container image registry (e.g., Harbor). |
| vm_image | name, format, os, version | Virtual machine image in OpenStack Glance. |
| pipeline | name, status, trigger_type | CI/CD pipeline (build, test, deploy). |
Relation Types
| Relation Type | Roles | Description |
|---|---|---|
| cluster_node | cluster, node | Node belongs to cluster. |
| cluster_deployment | cluster, deployment | Deployment runs in cluster. |
| cluster_registry | cluster, registry | Cluster pulls images from registry. |
| cluster_network | cluster, network | Cluster uses network. |
| cluster_storage | cluster, storage_class | Cluster has storage class available. |
| cluster_job | cluster, job | Job runs in cluster. |
| deployment_image | deployment, image | Deployment uses container image. |
| deployment_service | deployment, service | Deployment is exposed by service. |
| deployment_pipeline | deployment, pipeline | Deployment is built by pipeline. |
| deployment_database | deployment, database | Deployment connects to database. |
| deployment_secret | deployment, secret | Deployment uses secret. |
| deployment_storage | deployment, storage_class | Deployment uses storage class. |
| registry_image | registry, image | Registry hosts image. |
Storage Domain
Ceph distributed storage and Kubernetes storage primitives.
Entity Types
| Entity Type | Key Attributes | Description |
|---|---|---|
| ceph_cluster | entity_name, health_status, fsid | Ceph storage cluster. Uses entity_name (not name). |
| ceph_pool | entity_name, size, pg_count, type | Ceph storage pool. Uses entity_name (not name). |
| osd | entity_name, status, host, device_class | Ceph Object Storage Daemon. Uses entity_name (not name). |
| ceph_mon | entity_name, status, host | Ceph monitor daemon. Uses entity_name (not name). |
| storage_class | name, provisioner, reclaim_policy | Kubernetes StorageClass. |
Important: Ceph entities (ceph_cluster, ceph_pool, osd, ceph_mon) use the attribute entity_name rather than name. This is a deliberate schema convention. Do not assume all entities use name for their primary identifier.
Relation Types
| Relation Type | Roles | Description |
|---|---|---|
| cluster_storage | cluster, storage_class | Cluster has storage class. |
| deployment_storage | deployment, storage_class | Deployment uses storage. |
Security Domain
Security findings, vulnerabilities, compliance controls, and frameworks.
Entity Types
| Entity Type | Key Attributes | Description |
|---|---|---|
| finding | name, severity, status, description | Security finding or misconfiguration discovered by scanners or audits. |
| control | name, family, description, classification | Compliance control (e.g., NIST 800-53 AC-2). |
| framework | name, version, classification | Compliance framework (e.g., NIST 800-53, CNSSI 1253). |
Relation Types
| Relation Type | Roles | Description |
|---|---|---|
| cluster_finding | cluster, finding | Finding affects cluster. |
| deployment_finding | deployment, finding | Finding affects deployment. |
| image_vulnerability | image, vulnerability | Image has vulnerability. |
| finding_control | finding, control | Finding maps to compliance control. |
| framework_control | framework, control | Framework includes control. |
| control_assessment | control, assessment | Control has assessment result. |
Inference
TypeDB inference rules propagate findings and controls through the graph:
- If a deployment has a finding, and the deployment runs in a cluster, the cluster inherits awareness of that finding.
- If a cluster belongs to an authorization boundary, and that boundary requires a framework, all controls in that framework apply to the cluster.
- Control applicability flows from frameworks through boundaries to resources.
These derived relationships appear automatically in query results when using ffo.infer or ffo.query (inference is always on in TypeDB 3.x).
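The two propagation rules above, evaluated in plain Python over a small constructed graph so the derived edges can be inspected and compared against what a query returns. This is an added example and not FFO project code; it does not talk to TypeDB. The relation names cluster_deployment, deployment_finding, cluster_finding, finding_control, framework_control and boundary_asset are taken from this page; boundary_framework (boundary requires framework) and cluster_control (the derived applicability edge) are hypothetical names, since the page states the rule but not the relation types it produces. The sample identifiers are constructed.

```python
"""Added example, not FFO project code: the two inference rules described in
this section evaluated over a small constructed graph in plain Python."""
from collections import defaultdict

# Constructed sample graph. Each tuple is (relation_type, first_role_player,
# second_role_player), using the role order of the tables on this page.
# boundary_framework and cluster_control are hypothetical relation names.
SAMPLE_RELATIONS = [
    ("cluster_deployment", "prod-east", "payments-api"),
    ("cluster_deployment", "prod-east", "billing-worker"),
    ("cluster_deployment", "dev-west", "sandbox-api"),
    ("deployment_finding", "payments-api", "FND-0001"),
    ("deployment_finding", "billing-worker", "FND-0001"),  # same finding, second path
    ("deployment_finding", "billing-worker", "FND-0002"),
    ("cluster_finding", "prod-east", "FND-0003"),          # asserted directly, not derived
    ("finding_control", "FND-0001", "AC-2"),
    ("boundary_asset", "boundary-moderate", "prod-east"),
    ("boundary_framework", "boundary-moderate", "NIST-800-53"),  # hypothetical relation
    ("framework_control", "NIST-800-53", "AC-2"),
    ("framework_control", "NIST-800-53", "AU-2"),
]


def index_by_type(relations):
    """Group role-player pairs by relation type; duplicate edges collapse into a set."""
    by_type = defaultdict(set)
    for rel_type, first, second in relations:
        by_type[rel_type].add((first, second))
    return by_type


def infer_cluster_findings(relations):
    """Rule 1: deployment_finding(d, f) and cluster_deployment(c, d) => cluster_finding(c, f).
    Returns {(cluster, finding): "asserted" | "inferred"}; an asserted edge takes
    precedence over an inferred one for the same pair."""
    by_type = index_by_type(relations)
    result = {pair: "asserted" for pair in by_type["cluster_finding"]}
    clusters_of = defaultdict(set)
    for cluster, deployment in by_type["cluster_deployment"]:
        clusters_of[deployment].add(cluster)
    for deployment, finding in by_type["deployment_finding"]:
        for cluster in clusters_of[deployment]:
            result.setdefault((cluster, finding), "inferred")
    return result


def infer_applicable_controls(relations):
    """Rule 2: boundary_asset(b, c), boundary_framework(b, fw), framework_control(fw, ctl)
    => cluster_control(c, ctl). Returns the set of (cluster, control) pairs."""
    by_type = index_by_type(relations)
    frameworks_of = defaultdict(set)
    for boundary, framework in by_type["boundary_framework"]:
        frameworks_of[boundary].add(framework)
    controls_of = defaultdict(set)
    for framework, control in by_type["framework_control"]:
        controls_of[framework].add(control)
    return {
        (asset, control)
        for boundary, asset in by_type["boundary_asset"]
        for framework in frameworks_of[boundary]
        for control in controls_of[framework]
    }


def unmapped_findings(relations, cluster):
    """Findings on a cluster (asserted or inferred) that have no finding_control edge,
    i.e. findings that cannot be tied back to any control the cluster must meet."""
    mapped = {finding for finding, _control in index_by_type(relations)["finding_control"]}
    on_cluster = infer_cluster_findings(relations)
    return sorted(f for (c, f) in on_cluster if c == cluster and f not in mapped)


if __name__ == "__main__":
    for (cluster, finding), how in sorted(infer_cluster_findings(SAMPLE_RELATIONS).items()):
        print(f"cluster_finding({cluster}, {finding}) [{how}]")
    for cluster, control in sorted(infer_applicable_controls(SAMPLE_RELATIONS)):
        print(f"cluster_control({cluster}, {control})")
    print("unmapped findings on prod-east:", unmapped_findings(SAMPLE_RELATIONS, "prod-east"))
```

Because inference is always on, a query for cluster_finding returns asserted and inferred edges alike; the provenance label kept here is what you lose at query time, so it is worth checking in a review that an inferred edge is really backed by a deployment_finding and cluster_deployment pair before acting on it. The unmapped_findings check is the kind of gap a reviewer wants surfaced: a finding that reaches a cluster but maps to no control will not show up in any control-based report.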
Identity Domain
Users, roles, groups, and service accounts.
Entity Types
| Entity Type | Key Attributes | Description |
|---|---|---|
| principal | name, email, status | Human user or system identity. |
| iam_role | name, description, scope | IAM role granting permissions. |
| group | name, description | Group of principals. |
| service_account | name, namespace, cluster | Kubernetes service account. |
Relation Types
| Relation Type | Roles | Description |
|---|---|---|
| principal_role | principal, iam_role | Principal holds IAM role. |
| group_principal | group, principal | Principal is member of group. |
| group_role | group, iam_role | Group grants IAM role. |
| service_account_role | service_account, iam_role | Service account holds role. |
| principal_deployment | principal, deployment | Principal owns or manages deployment. |
Note: These relations model what roles and group memberships exist. They do not enforce authorization. Authorization enforcement is handled by PostgreSQL per ADR-001.
Cloud Domain
Cloud providers and regions.
Entity Types
| Entity Type | Key Attributes | Description |
|---|---|---|
| cloud | name, provider, type | Cloud provider or environment (e.g., on-prem OpenStack, AWS GovCloud). |
| network | name, cidr, type, classification | Network segment or VPC. |
Relation Types
| Relation Type | Roles | Description |
|---|---|---|
| cloud_cluster | cloud, cluster | Cluster runs in cloud environment. |
| cloud_region | cloud, region | Cloud has region. |
Operations Domain
Incidents, alerts, changes, and work items linked to infrastructure.
Entity Types
| Entity Type | Key Attributes | Description |
|---|---|---|
| incident | name, severity, status, description | Operational incident. |
| alert | name, severity, status, source | Monitoring alert from Grafana or other sources. |
| change | name, status, type, description | Change request or change record. |
| workitem | name, status, type, priority | Work item from Jira or another tracker. |
Relation Types
| Relation Type | Roles | Description |
|---|---|---|
| incident_alert | incident, alert | Alert triggered incident. |
| incident_deployment | incident, deployment | Incident affects deployment. |
| alert_deployment | alert, deployment | Alert fires for deployment. |
| change_deployment | change, deployment | Change targets deployment. |
| workitem_deployment | workitem, deployment | Work item relates to deployment. |
| workitem_finding | workitem, finding | Work item tracks remediation of finding. |
Configuration Domain
Databases, secrets, and configuration items.
Entity Types
| Entity Type | Key Attributes | Description |
|---|---|---|
| database | name, type, version, host | Database instance (PostgreSQL, MySQL, etc.). |
| secret | name, namespace, type | Kubernetes secret or vault entry. |
Relation Types
| Relation Type | Roles | Description |
|---|---|---|
| deployment_database | deployment, database | Deployment connects to database. |
| deployment_secret | deployment, secret | Deployment uses secret. |
Service Dependencies
Cross-cutting relation for service-to-service dependencies.
| Relation Type | Roles | Description |
|---|---|---|
| service_dependency | service, dependency | Service depends on another service. |
Complete Relation Type Index
All 48 relation types in alphabetical order for quick reference:
| # | Relation Type | Domain |
|---|---|---|
| 1 | alert_deployment | Operations |
| 2 | change_deployment | Operations |
| 3 | cloud_cluster | Cloud |
| 4 | cloud_region | Cloud |
| 5 | cluster_deployment | Compute |
| 6 | cluster_finding | Security |
| 7 | cluster_job | Compute |
| 8 | cluster_network | Compute |
| 9 | cluster_node | Compute |
| 10 | cluster_registry | Compute |
| 11 | cluster_storage | Storage |
| 12 | control_assessment | Security |
| 13 | deployment_database | Configuration |
| 14 | deployment_finding | Security |
| 15 | deployment_image | Compute |
| 16 | deployment_pipeline | Compute |
| 17 | deployment_secret | Configuration |
| 18 | deployment_service | Compute |
| 19 | deployment_storage | Storage |
| 20 | finding_control | Security |
| 21 | framework_control | Security |
| 22 | group_principal | Identity |
| 23 | group_role | Identity |
| 24 | image_vulnerability | Security |
| 25 | incident_alert | Operations |
| 26 | incident_deployment | Operations |
| 27 | principal_deployment | Identity |
| 28 | principal_role | Identity |
| 29 | registry_image | Compute |
| 30 | service_account_role | Identity |
| 31 | service_dependency | Compute |
| 32 | workitem_deployment | Operations |
| 33 | workitem_finding | Operations |
Note: The ontology has 48 relation types total. The remaining types not listed individually above include boundary relations (boundary_asset, approval_principal, evidence_control), additional cloud relations, and specialized relations used by inference rules. These are queryable but are primarily internal to the inference engine.