ApprovalDecision

Records decisions made on access requests, permission changes, and policy exceptions, capturing the complete decision-making process including approver rationale, conditions, and stipulations. This entity goes beyond simple approve/deny to document the nuanced decisions made in complex authorization scenarios - conditional approvals with restrictions, time-limited grants with review requirements, or partial approvals for subset of requested permissions. Each decision captures the approver's identity, their authority level, the basis for their decision (policy compliance, business need, risk assessment), and any concerns or observations. Decisions can include stipulations like 'approved for 30 days pending security training' or 'denied but can resubmit with manager endorsement'. The entity supports multi-stage approval workflows where each approver adds their decision to build consensus, escalation paths where initial denials can be overridden, and delegation where approvers pass decisions to others. It maintains decision history for audit trails, precedent analysis for consistency, and machine learning to improve future decision-making. Decisions can trigger automated actions like permission provisioning, notification sending, or follow-up scheduling. This comprehensive decision recording is essential for regulatory compliance, demonstrating due diligence in access control, and continuous improvement of authorization processes through decision analytics.

31 properties

Schema

Properties

Property	Type	Mode	Description	Required
decisionId	uuid	stored	Unique identifier for this decision	Required
requestId	uuid	stored	The access request being decided on	Required
approver	User	stored	Person making the decision	Required
decision	string	enum	The decision made Values: `approved, denied, conditional, deferred, escalated, partial, revoked`	Required
decisionDate	DateTime	stored	When the decision was made	Required
rationale	string	stored	Detailed reasoning for the decision Example: `"Approved based on valid business justification and completion of required security training"`	Required
approvalLevel	string	enum	Level of approval in hierarchy Values: `initial, secondary, final, override, emergency`	Required
authoritySource	string	stored	Basis for approver's authority Example: `"role:manager,delegation:from_director"`	Optional
conditions	string	stored	JSON conditions attached to approval Example: `"{\"valid_until\":\"2024-06-01\",\"restricted_to\":\"read_only\",\"requires_mfa\":true}"`	Optional
stipulations	string	stored	Requirements for approval to remain valid Example: `"Must complete advanced security training within 30 days"`	Optional
partialGrants	string	stored	JSON subset of permissions granted if partial	Optional
riskAssessment	string	stored	JSON risk evaluation performed Example: `"{\"risk_score\":35,\"risk_factors\":[\"external_contractor\",\"sensitive_data\"],\"mitigation\":\"additional_monitoring\"}"`	Optional
complianceCheck	string	stored	JSON compliance verification results	Optional
precedentIds	string	stored	JSON array of similar past decisions	Optional
overrides	string	stored	JSON policies or rules overridden	Optional
escalationReason	string	stored	Why decision was escalated	Optional
delegatedFrom	User	stored	Original approver if delegated	Optional
reviewRequired	boolean	stored	Whether decision needs review	Optional
reviewDate	DateTime	stored	When decision should be reviewed	Optional
expiryDate	DateTime	stored	When approval expires	Optional
autoRenewable	boolean	stored	Whether approval can auto-renew	Optional
comments	string	stored	Additional approver comments	Optional
confidenceLevel	number	stored	Approver's confidence in decision (0-1)	Optional
consultedParties	string	stored	JSON array of people consulted	Optional
evidenceProvided	string	stored	JSON supporting documentation	Optional
notificationsSent	string	stored	JSON array of notifications triggered	Optional
followUpActions	string	stored	JSON array of required follow-ups	Optional
isActive	boolean	stored	Whether decision is currently valid	Optional
revocationReason	string	stored	Why decision was revoked	Optional
auditNotes	string	stored	Notes for audit purposes	Optional
metadata	object	stored	Additional decision data	Optional

Examples

Example 1

{
  "@type": "ApprovalDecision",
  "decisionId": "dec_001",
  "requestId": "req_access_001",
  "decision": "conditional",
  "decisionDate": "2024-03-15T14:30:00Z",
  "rationale": "Approved for limited production access based on urgent operational need, with restrictions due to contractor status",
  "approvalLevel": "final",
  "authoritySource": "role:engineering_director,policy:emergency_access",
  "conditions": "{\"valid_until\":\"2024-03-22T00:00:00Z\",\"restricted_operations\":[\"delete\",\"modify_schema\"],\"require_pair_programming\":true}",
  "stipulations": "Must work with senior engineer for all production changes, daily review of all actions required",
  "riskAssessment": "{\"risk_score\":65,\"risk_factors\":[\"contractor\",\"production_access\",\"first_time\"],\"mitigation\":[\"time_limit\",\"supervision\",\"audit_enhanced\"]}",
  "complianceCheck": "{\"sox_compliant\":true,\"requires_documentation\":true}",
  "reviewRequired": true,
  "reviewDate": "2024-03-18T00:00:00Z",
  "expiryDate": "2024-03-22T00:00:00Z",
  "autoRenewable": false,
  "comments": "Contractor has demonstrated competence in staging environment. Close monitoring recommended.",
  "confidenceLevel": 0.75,
  "consultedParties": "[\"security_team\",\"senior_architect\"]",
  "followUpActions": "[{\"action\":\"security_training\",\"due_date\":\"2024-03-20\"},{\"action\":\"access_review\",\"frequency\":\"daily\"}]",
  "isActive": true,
  "createdAt": "2024-03-15T14:30:00Z",
  "metadata": {
    "ticket": "OPS-2024-1234",
    "approval_chain": "complete"
  }
}

Example 2

{
  "@type": "ApprovalDecision",
  "decisionId": "dec_002",
  "requestId": "req_role_002",
  "decision": "denied",
  "decisionDate": "2024-03-15T10:00:00Z",
  "rationale": "Denied due to insufficient justification and availability of alternative solutions that don't require elevated privileges",
  "approvalLevel": "initial",
  "authoritySource": "role:team_lead",
  "escalationReason": "Requester may appeal to department head with additional justification",
  "riskAssessment": "{\"risk_score\":78,\"risk_factors\":[\"unnecessary_elevation\",\"alternative_exists\"],\"recommendation\":\"use_existing_tools\"}",
  "comments": "Suggested using existing reporting tools instead of direct database access. Happy to reconsider with stronger business case.",
  "confidenceLevel": 0.9,
  "evidenceProvided": "{\"similar_requests_denied\":3,\"policy_reference\":\"MIN_PRIVILEGE_POLICY\"}",
  "notificationsSent": "[{\"recipient\":\"requester\",\"type\":\"email\"},{\"recipient\":\"manager\",\"type\":\"notification\"}]",
  "isActive": true,
  "createdAt": "2024-03-15T10:00:00Z",
  "metadata": {
    "alternative_suggested": true,
    "can_appeal": true
  }
}