Glossary

Access Cache: A short-lived cache (TTL of 1–24 hours) of group membership and page permission data used to reduce Confluence API calls during exposure score computation and user expansion.

Access Explorer: The dashboard tab (and admin settings section) that provides detailed analysis of who can access a Confluence space or page, with group expansion, user-level permission tracing, and exposure scoring.

Alert Record: An entity created when an Alert Rule fires. Stores the trigger type, severity, space key, and timestamp. Can be acknowledged and resolved.

Alert Rule: A user-configured threshold rule that fires a notification when a specific condition is met (e.g., exposure score increases by more than 20 points, a critical finding is created). Configured in the Dashboard → Alerts tab.

Analyst: An Aegis role. Can create and triage findings, open and comment on cases, run scans, and request exceptions. Cannot approve exceptions or access admin settings.

Approver: An Aegis role. Can do everything an Analyst can, plus approve risk exceptions.

Audit Log: The immutable, append-only evidence event timeline visible in the Dashboard → Audit Log tab. Every significant action in the system creates an evidence event.

Case: A remediation work item that groups related findings. Cases have assignees, SLA deadlines, status transitions (open → in_progress → remediated → closed), and can have risk exceptions.

Classification: A sensitivity label applied to a Confluence space or page. Four levels: Public, Internal, Confidential, Restricted.

Content Action: The Forge UI surface that adds “Report Security Finding” to the “…” menu on every Confluence page.

Content Byline: The Forge UI surface that renders the exposure score badge below the title of every Confluence page.

Custom Detector: A user-defined regex pattern added via the Detectors admin tab. Custom detectors run alongside built-in detectors during content scans.

Delivery Attempt: An entity representing one in-app notification delivered to one recipient. Tracks read/unread/dismissed status.

Detector: A regex-based content scanner. Each detector has a pattern, severity, and category. When a pattern matches page content during a scan, a finding is created.

Drift Alert: An alert triggered by a significant change in an exposure score (the score_increase alert type). Evaluated hourly by the alert evaluation job.

Entity Count Cache: A pre-computed summary of finding and case counts stored in KVS at app:entity-counts. Used to power the Dashboard KPI cards without querying the Entity Store on every load.

Evidence Event: An immutable audit log entry stored in the evidence-event entity. Evidence events are append-only: they are never updated or deleted (only purged by retention after their configured period).

Exception: An accepted risk record on a case. When risk cannot be remediated immediately, an Analyst requests an exception with a justification and expiry date. An Approver approves it. The exception status is tracked and auto-expires.

Exposure Score: A 0–100 risk score computed for a Confluence page. Six weighted factors contribute: anonymous access, external users, broad groups, restriction weakness, active findings, and sensitivity label.

Exposure Snapshot: A point-in-time record of a page’s exposure score, stored as an exposure-snapshot entity. Snapshots accumulate over time and power the trend charts.

Finding: A security observation linked to a Confluence page. Can be created manually, via CSV import, or by the built-in content scanner. Has a severity, status, and source.

Forge: Atlassian’s Function-as-a-Service platform for building Confluence and Jira apps. Aegis is built entirely on Forge, with no external servers or databases.

Group Expansion: The process of resolving a Confluence group to its individual member user accounts. Used in the Access Explorer to show exactly which humans have access to a page.

Job Run: An execution record for a scheduled background job. Stored as a job-run entity. Visible in Admin Settings → System tab.

KVS (Key-Value Store): Forge’s simple key-value storage for settings and counters. Separate from the Entity Store.

Notification Channel: A configuration that defines which events generate in-app notifications.

Permission Scan: The hourly scheduled job that lists all Confluence spaces and pages and computes exposure scores. Pushes page batches to the scan-batch-queue for async processing.

Resolver: A Forge backend function that handles a specific request from the frontend. All resolvers enforce role checks before executing.

Retention Policy: Per-entity-type configuration controlling how many days of data are kept before the daily purge job deletes it.

Risk Exception: See “Exception”.

Role: An access level assigned to a Confluence user. Four levels in hierarchy order: Viewer < Analyst < Approver < Admin.

SLA (Service Level Agreement): A time-based deadline for resolving a case. Calculated at case creation from the case severity and the configured SLA policy.

SLA Breach: Occurs when a case’s SLA deadline passes without the case being closed or remediated. The case is flagged with slaBreached: true.

Scoring & SLA Tab: The admin settings tab that controls the six exposure score factor weights and the four SLA deadline values.

Sensitivity Label: Synonym for “Classification”. The exposure score factor that reflects the sensitivity of the page’s content classification.

Space: A Confluence workspace container. Classifications and permissions are often set at the space level and inherited by pages within.

System Tab: The admin settings tab showing scheduled job health, run history, and the Rebuild Entity Counters tool.

Viewer: The lowest Aegis role. Read-only access to all dashboard content. Cannot create, modify, or delete anything.


Part C of the Aegis Compliance Suite User Guide, v4.10.0

For the technical developer and operator guide, see docs/GUIDE.md. For testing procedures, see docs/TESTING.md.