PolicySet

Groups related access policies into cohesive sets that can be managed, deployed and evaluated together, giving organizational structure to a large policy landscape. A policy set is a container for policies that share a purpose, a compliance requirement or an organizational scope, such as "GDPR Compliance Policies" or "Financial Data Protection". This lets policy administrators manage hundreds of policies efficiently, deploy an entire policy framework at once, and check a framework for gaps and conflicts as a whole.

Each set can contain individual policies (policies) and other sets (childSets), forming a nested hierarchy, and its target states when the set applies at all. When several policies or child sets in a set return a decision, the set's combiningAlgorithm determines the outcome: permit_overrides (any permit wins), deny_overrides (any deny wins), first_applicable (the first applicable decision in evaluation order is final), only_one_applicable (exactly one element may apply; more than one is an error) and consensus (all applicable elements must return the same decision). The choice is security-relevant: deny_overrides is the conservative option because a single denying policy cannot be overruled, permit_overrides lets one permissive policy override every deny in the set, and first_applicable makes the ordering of policies and the priority of sets part of the access decision itself.

Policy sets are versioned as a unit, so an entire framework can be rolled back if a change causes problems, and they support staged deployment (deploymentStage, status) in which a set is tested outside production before enterprise-wide activation. Child organizations can inherit a parent's policy sets (parentSetId) while adding local policies. This is essential for multi-tenant systems where base policies apply to every tenant with local customization, for regulatory compliance where a whole framework must be adopted together, and for enterprise governance where policies must be applied consistently across divisions.

28 properties
Schema

Properties

Each entry gives the property name, its type, its mode (stored, or enum with the allowed values listed) and whether it is required. Fields described as "JSON array" or "JSON criteria" are stored as a JSON document serialized into a string, as the examples below show.

policySetId (uuid, stored, required)
  Unique identifier for this policy set.

code (string, stored, required)
  Unique machine-readable identifier. Example: "PS_FINANCIAL_COMPLIANCE"

name (string, stored, required)
  Human-readable name of the policy set. Example: "Financial Services Compliance Policy Set"

description (string, stored, required)
  Detailed explanation of the policy set's purpose. Example: "Comprehensive policies ensuring compliance with SOX, PCI-DSS, and internal financial controls"

category (string, enum, required)
  Category of policy set. Values: compliance, security, privacy, operational, custom

scope (string, stored, optional)
  Organizational scope where this set applies. Example: "organization:finance_dept"

parentSetId (uuid, stored, optional)
  Parent policy set in the hierarchy.

policies (string, stored, optional)
  JSON array of policy IDs in this set, serialized as a string. Example: "[\"pol_001\",\"pol_002\",\"pol_003\"]"

childSets (string, stored, optional)
  JSON array of child policy set IDs, serialized as a string.

combiningAlgorithm (string, enum, optional)
  How the decisions of the set's policies and child sets are combined into one decision. Values: permit_overrides, deny_overrides, first_applicable, only_one_applicable, consensus

priority (integer, stored, optional)
  Evaluation order when multiple sets apply.

target (string, stored, optional)
  JSON criteria for when this set applies, serialized as a string. Example: "{\"resource_type\":[\"financial_data\",\"payment_info\"],\"user_department\":\"finance\"}"

obligations (string, stored, optional)
  JSON array of required actions when the set is evaluated, serialized as a string.

advice (string, stored, optional)
  JSON array of optional recommendations, serialized as a string.

version (string, stored, required)
  Version identifier for the policy set. Example: "2.1.0"

status (string, enum, optional)
  Current status of the policy set. Values: draft, testing, active, deprecated, archived

effectiveFrom (DateTime, stored, optional)
  When this policy set becomes effective.

effectiveUntil (DateTime, stored, optional)
  When this policy set expires.

complianceFrameworks (string, stored, optional)
  JSON array of compliance requirements addressed, serialized as a string. Example: "[\"SOX\",\"PCI-DSS\",\"GDPR\"]"

testResults (string, stored, optional)
  JSON results from policy testing, serialized as a string.

deploymentStage (string, enum, optional)
  Current deployment stage. Values: development, testing, staging, production

approvedBy (User, stored, optional)
  Who approved this policy set.

approvedAt (DateTime, stored, optional)
  When the set was approved.

lastReviewDate (DateTime, stored, optional)
  Date of the last compliance review.

nextReviewDate (DateTime, stored, optional)
  When the next review is due.

createdBy (User, stored, required)
  Policy set author.

createdAt (DateTime, stored, required)
  Creation timestamp.

metadata (object, stored, optional)
  Additional configuration.

Examples

Example 1

{
  "@type": "PolicySet",
  "policySetId": "ps_financial_001",
  "code": "PS_FINANCIAL_COMPLIANCE",
  "name": "Financial Services Compliance Suite",
  "description": "Complete policy framework for financial data protection, transaction security, and regulatory compliance",
  "category": "compliance",
  "scope": "department:finance",
  "policies": "[\"pol_transaction_limits\",\"pol_dual_approval\",\"pol_audit_logging\",\"pol_data_encryption\"]",
  "childSets": "[\"ps_sox_compliance\",\"ps_pci_compliance\"]",
  "combiningAlgorithm": "deny_overrides",
  "priority": 100,
  "target": "{\"resource_classification\":[\"financial\",\"pii\"],\"transaction_value\":{\"$gt\":1000}}",
  "obligations": "[{\"action\":\"audit_log\",\"level\":\"detailed\"},{\"action\":\"encrypt\",\"algorithm\":\"AES-256\"}]",
  "version": "3.2.1",
  "status": "active",
  "effectiveFrom": "2024-01-01T00:00:00Z",
  "complianceFrameworks": "[\"SOX\",\"PCI-DSS\",\"Basel III\"]",
  "deploymentStage": "production",
  "approvedBy": "compliance_officer",
  "approvedAt": "2023-12-15T10:00:00Z",
  "lastReviewDate": "2024-02-01T00:00:00Z",
  "nextReviewDate": "2024-05-01T00:00:00Z",
  "createdAt": "2023-11-01T00:00:00Z",
  "metadata": {
    "regulatory_citations": [
      "SOX-404",
      "PCI-DSS-3.2.1"
    ],
    "risk_rating": "critical"
  }
}

Example 2

{
  "@type": "PolicySet",
  "policySetId": "ps_gdpr_002",
  "code": "PS_GDPR_PRIVACY",
  "name": "GDPR Privacy Protection Framework",
  "description": "EU data protection policies ensuring GDPR compliance for personal data processing",
  "category": "privacy",
  "scope": "global",
  "parentSetId": "ps_master_privacy",
  "policies": "[\"pol_consent_management\",\"pol_right_to_erasure\",\"pol_data_portability\",\"pol_breach_notification\"]",
  "combiningAlgorithm": "deny_overrides",
  "priority": 90,
  "target": "{\"data_subjects\":[\"eu_resident\"],\"data_type\":\"personal_data\"}",
  "obligations": "[{\"action\":\"obtain_consent\"},{\"action\":\"maintain_processing_records\"},{\"action\":\"enable_data_export\"}]",
  "advice": "[{\"recommendation\":\"privacy_impact_assessment\"}]",
  "version": "2.0.0",
  "status": "active",
  "effectiveFrom": "2018-05-25T00:00:00Z",
  "complianceFrameworks": "[\"GDPR\",\"ePrivacy\"]",
  "deploymentStage": "production",
  "approvedBy": "dpo",
  "approvedAt": "2018-05-01T00:00:00Z",
  "lastReviewDate": "2024-01-15T00:00:00Z",
  "nextReviewDate": "2024-07-15T00:00:00Z",
  "createdBy": "privacy_team",
  "createdAt": "2018-03-01T00:00:00Z",
  "metadata": {
    "gdpr_articles": [
      "6",
      "7",
      "15-22",
      "25",
      "32"
    ],
    "automated_enforcement": true
  }
}
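The following is an added example, written for this page and not part of the project's own code, showing how a PolicySet tree like Example 1 is evaluated and how the combining algorithms described above change the outcome: status and the effective window gate the set, the target decides whether it applies, the decisions of its policies and child sets are merged with combiningAlgorithm, and obligations are collected only from sets that actually applied. It assumes that the JSON-string fields (policies, childSets, target, obligations) are decoded with json.loads and that the Policy entities referenced by ID can be resolved to something returning permit, deny or not_applicable; the set records, request attributes and policy logic below are constructed stand-ins, and the fail-closed default of deny_overrides when the optional combiningAlgorithm is absent is this example's choice, not a rule stated on this page.

```python
# Added example (not the project's code): a minimal evaluator for PolicySet records in the shape
# shown on this page. Policy entities are constructed stand-ins; see the lead-in for assumptions.
import json
from datetime import datetime

PERMIT, DENY, NA, INDET = "permit", "deny", "not_applicable", "indeterminate"

def json_field(record, name, default):
    """Decode a field stored as a JSON string; missing -> default, malformed -> raises (fails closed)."""
    raw = record.get(name)
    return default if raw is None else (json.loads(raw) if isinstance(raw, str) else raw)

def target_matches(target, request):
    """Every target key must match: list = membership, {"$gt": n} = greater than, else equality."""
    for key, expected in target.items():
        actual = request.get(key)
        if isinstance(expected, list):
            if actual not in expected:
                return False
        elif isinstance(expected, dict):
            if actual is None or not actual > expected["$gt"]:
                return False
        elif actual != expected:
            return False
    return True

def combine(algorithm, decisions):
    """Merge element decisions according to the combiningAlgorithm enum."""
    applicable = [d for d in decisions if d != NA]
    if not applicable:
        return NA
    if algorithm == "deny_overrides":
        return DENY if DENY in applicable else PERMIT if PERMIT in applicable else INDET
    if algorithm == "permit_overrides":
        return PERMIT if PERMIT in applicable else DENY if DENY in applicable else INDET
    if algorithm == "first_applicable":
        return applicable[0]
    if algorithm == "only_one_applicable":
        return applicable[0] if len(applicable) == 1 else INDET
    if algorithm == "consensus":
        return applicable[0] if len(set(applicable)) == 1 else INDET
    raise ValueError(f"unknown combiningAlgorithm: {algorithm}")

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def in_force(record, now):
    """Only active sets inside their effective window are evaluated."""
    if record.get("status") != "active":
        return False
    start, end = record.get("effectiveFrom"), record.get("effectiveUntil")
    if start and now < parse_time(start):
        return False
    return not (end and now >= parse_time(end))

def evaluate(set_id, request, sets, policies, now, obligations=None):
    """Evaluate a set tree top-down; returns (decision, obligations of every set that applied)."""
    obligations = [] if obligations is None else obligations
    record = sets[set_id]
    if not in_force(record, now) or not target_matches(json_field(record, "target", {}), request):
        return NA, obligations
    decisions = [policies[pid](request) for pid in json_field(record, "policies", [])]
    for child in json_field(record, "childSets", []):
        decisions.append(evaluate(child, request, sets, policies, now, obligations)[0])
    # Assumed fail-closed default when the optional combiningAlgorithm is absent.
    decision = combine(record.get("combiningAlgorithm", "deny_overrides"), decisions)
    if decision != NA:
        obligations.extend(json_field(record, "obligations", []))
    return decision, obligations

# Constructed sample data modelled on Example 1; IDs, targets and policy logic are stand-ins.
SETS = {
    "ps_financial_001": {
        "status": "active", "effectiveFrom": "2024-01-01T00:00:00Z", "combiningAlgorithm": "deny_overrides",
        "target": '{"resource_classification":["financial","pii"],"transaction_value":{"$gt":1000}}',
        "policies": '["pol_transaction_limits","pol_dual_approval"]',
        "childSets": '["ps_pci_compliance"]',
        "obligations": '[{"action":"audit_log","level":"detailed"}]',
    },
    "ps_pci_compliance": {
        "status": "active", "combiningAlgorithm": "first_applicable",
        "target": '{"contains_card_data":true}',
        "policies": '["pol_data_encryption"]',
        "obligations": '[{"action":"encrypt","algorithm":"AES-256"}]',
    },
}
POLICIES = {  # constructed stand-ins for the Policy entities referenced by ID
    "pol_transaction_limits": lambda r: DENY if r["transaction_value"] > 50_000 else PERMIT,
    "pol_dual_approval": lambda r: PERMIT if r.get("approvals", 0) >= 2 else DENY,
    "pol_data_encryption": lambda r: PERMIT if r.get("channel") == "tls" else DENY,
}

def decide(request, algorithm="deny_overrides", now="2024-06-01T00:00:00Z"):
    """Run the constructed tree with a chosen root algorithm; returns (decision, sorted obligation actions)."""
    sets = {k: dict(v) for k, v in SETS.items()}
    sets["ps_financial_001"]["combiningAlgorithm"] = algorithm
    decision, obligations = evaluate("ps_financial_001", request, sets, POLICIES, parse_time(now))
    return decision, sorted(o["action"] for o in obligations)
```

Calling decide() on a 5,000 transaction with only one approval over TLS returns ("deny", ["audit_log", "encrypt"]) under deny_overrides, because the dual-approval policy denies and nothing can overrule it; the same request under permit_overrides returns "permit", since the two permits (transaction limit, and the child PCI set's encryption policy) outvote the single deny. A request below the 1,000 target threshold, or one evaluated before effectiveFrom, yields not_applicable with no obligations. Note that a malformed JSON-string field raises instead of being treated as empty, so a corrupt set fails closed rather than silently matching nothing.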