Architecture
Data-model graphics for the composable platform — how the semantic model is shaped as Claritiq becomes brand-agnostic with switchable modules. Generated artefacts; do not hand-edit.
Conformed Identity Spine
Neither AD nor Entra is the base — a conformed Identity spine is, fed by whichever identity sources exist. AD Users and Entra Users are peer sources beneath it, each keeping all native attributes; modules attach to the spine, not to AD. Stripping AD (for a cloud-only tenant like Client C) just removes one source — same architecture, different config, not a fork. The cross-substrate join is keyed by IdentityKey — matched on the AD SID (objectSid ↔ Entra onPremisesSecurityIdentifier), the only config-agnostic key: it survives the modern ms-DS-ConsistencyGuid source-anchor default that silently breaks objectGUID ↔ onPremisesImmutableId matching (fallbacks: sAMAccountName+domain, then UPN soft-match).
Identity Spine — table wiring
How the spine is actually wired in the semantic model. Identity is a new conformed dimension (one row per person); Users and EntraUsers stay as full native satellites — nothing is removed from either. Each satellite computes its own IdentityKey from local data (AD = its SID; Entra = its synced OnPremisesSecurityIdentifier, falling back to its own cloud id), so a synced person collapses to one spine row while cloud-only and AD-only identities each keep theirs. Conformed geo means location is resolved once on the spine from the genuine AD location attributes (l / st / co → City / State / Country) — not parsed from OU names (OU stays a separate org slicer) — so even cloud-only facts (licenses, SharePoint) can be sliced by location through the shared person. The hybrid match is keyed on the SID, the only source-anchor-independent key.