PermissionAttribute
Defines the metadata and properties attached to permissions that influence how they are evaluated, enforced and managed within the access control system. Permission attributes are key-value pairs that give a permission context beyond a simple grant or deny: they specify quality-of-service parameters, risk indicators, compliance tags and operational constraints. Typical uses are setting expiration dates, defining usage quotas, specifying the required authentication strength, or marking a permission as high-risk.

Attributes support permission classification for governance (marking permissions as 'financial', 'personal_data' or 'system_critical'), automated policy application (for example, all 'financial' permissions require MFA) and compliance mapping (permissions tagged 'gdpr_relevant' need special handling). They also support permission lifecycle management through attributes such as 'deprecated', 'experimental' or 'migration_required'.

The entity handles attributes inherited from parent permissions, computed attributes derived from usage patterns, and dynamic attributes whose value changes with context. Attributes influence runtime behavior: a permission with a 'require_justification' attribute prompts users for a reason before use, while 'notify_on_use' triggers an alert. This metadata layer turns simple permissions into rich, self-describing capabilities that adapt to organizational needs, support automated governance and enable sophisticated permission analytics.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| attributeId | uuid | stored | Unique identifier for this attribute | Required |
| permissionId | uuid | stored | Permission this attribute belongs to | Required |
| attributeName | string | stored | Name of the attribute Example: | Required |
| attributeValue | string | stored | Value of the attribute Example: | Required |
| valueType | string | enum | Data type of the attribute value Values: | Required |
| category | string | enum | Category of attribute Values: | Required |
| description | string | stored | Explanation of what this attribute represents Example: | Optional |
| isInherited | boolean | stored | Whether inherited from parent permission | Optional |
| inheritedFrom | uuid | stored | Parent permission this was inherited from | Optional |
| isComputed | boolean | stored | Whether this is a calculated attribute | Optional |
| computeExpression | string | stored | Expression to compute attribute value Example: | Optional |
| isDynamic | boolean | stored | Whether value changes based on context | Optional |
| updateFrequency | string | stored | How often dynamic attributes update Example: | Optional |
| validationRules | string | stored | JSON rules for validating attribute values Example: | Optional |
| defaultValue | string | stored | Default value if not specified | Optional |
| allowedValues | string | stored | JSON array of permitted values Example: | Optional |
| impactOnBehavior | string | stored | How this attribute affects permission behavior Example: | Optional |
| visibility | string | enum | Who can see this attribute Values: | Optional |
| modifiable | boolean | stored | Whether attribute can be modified | Optional |
| propagateToChildren | boolean | stored | Whether child permissions inherit this | Optional |
| priority | integer | stored | Priority when attributes conflict | Optional |
| tags | string | stored | JSON array of tags for categorization | Optional |
| auditChanges | boolean | stored | Whether to audit attribute changes | Optional |
| effectiveFrom | DateTime | stored | When attribute becomes effective | Optional |
| effectiveUntil | DateTime | stored | When attribute expires | Optional |
| isActive | boolean | stored | Whether attribute is currently active | Optional |
| createdBy | User | stored | Who created this attribute | Optional |
| createdAt | DateTime | stored | When attribute was created | Required |
| updatedAt | DateTime | stored | Last update timestamp | Optional |
| metadata | object | stored | Additional attribute configuration | Optional |
Examples
Example 1
```json
{
  "@type": "PermissionAttribute",
  "attributeId": "attr_001",
  "permissionId": "perm_delete_user",
  "attributeName": "risk_level",
  "attributeValue": "critical",
  "valueType": "string",
  "category": "security",
  "description": "Indicates this permission can cause irreversible data loss",
  "isInherited": false,
  "isComputed": false,
  "isDynamic": false,
  "validationRules": "{\"enum\":[\"low\",\"medium\",\"high\",\"critical\"],\"required\":true}",
  "defaultValue": "medium",
  "allowedValues": "[\"low\",\"medium\",\"high\",\"critical\"]",
  "impactOnBehavior": "Requires additional confirmation and MFA when risk_level is critical",
  "visibility": "admin",
  "modifiable": false,
  "propagateToChildren": true,
  "priority": 100,
  "tags": "[\"dangerous\",\"audit_required\",\"approval_needed\"]",
  "auditChanges": true,
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "compliance_impact": "high",
    "require_justification": true
  }
}
```
Example 2
```json
{
  "@type": "PermissionAttribute",
  "attributeId": "attr_002",
  "permissionId": "perm_export_data",
  "attributeName": "usage_quota",
  "attributeValue": "100",
  "valueType": "number",
  "category": "operational",
  "description": "Maximum number of exports allowed per month",
  "isInherited": false,
  "isComputed": false,
  "isDynamic": true,
  "updateFrequency": "monthly",
  "validationRules": "{\"min\":0,\"max\":1000,\"type\":\"integer\"}",
  "defaultValue": "50",
  "impactOnBehavior": "Blocks permission usage when quota is exceeded",
  "visibility": "public",
  "modifiable": true,
  "propagateToChildren": false,
  "priority": 50,
  "auditChanges": true,
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "reset_period": "monthly",
    "quota_type": "rolling",
    "alert_threshold": 0.8
  }
}
```
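The following is an added illustration, not code from the project this schema belongs to: a small evaluator that reads the properties defined above (validationRules, allowedValues, priority, effectiveFrom/effectiveUntil, isActive, metadata) and derives the runtime decision the impactOnBehavior texts describe. The function names (`typed`, `validate`, `is_effective`, `resolve`, `evaluate`) and the sample records are assumptions modelled on the two examples; a malformed attribute fails closed rather than being silently ignored.

```python
import json
from datetime import datetime, timezone
def typed(attr):  # attributeValue is stored as a string; valueType says how to read it
    return float(attr["attributeValue"]) if attr.get("valueType") == "number" else attr["attributeValue"]

def validate(attr):
    """Check attributeValue against the JSON validationRules/allowedValues; return problems."""
    rules = json.loads(attr.get("validationRules") or "{}")
    allowed = rules.get("enum") or json.loads(attr.get("allowedValues") or "null")
    v, problems = typed(attr), []
    if allowed is not None and v not in allowed:
        problems.append(f"{v!r} not in allowed values")
    if isinstance(v, float) and not rules.get("min", v) <= v <= rules.get("max", v):
        problems.append(f"{v} outside [{rules.get('min')}, {rules.get('max')}]")
    return problems

def is_effective(attr, now):
    """Active and inside the optional effectiveFrom/effectiveUntil window (now must be tz-aware)."""
    ts = lambda k: attr.get(k) and datetime.fromisoformat(attr[k].replace("Z", "+00:00"))
    frm, until = ts("effectiveFrom"), ts("effectiveUntil")
    return attr.get("isActive", True) and (not frm or frm <= now) and (not until or now < until)

def resolve(attrs, now):
    """Highest priority wins when attributes (e.g. inherited vs. direct) share a name."""
    best = {}
    for a in attrs:
        if problems := validate(a):  # malformed metadata: fail closed rather than skip it
            raise ValueError(f"{a['attributeName']}: {problems}")
        name = a["attributeName"]
        if is_effective(a, now) and a.get("priority", 0) > best.get(name, {}).get("priority", -1):
            best[name] = a
    return best

def evaluate(attrs, usage_count, now):
    """Runtime decision for one use of the permission, following the impactOnBehavior texts."""
    r = resolve(attrs, now)
    risk, quota = r.get("risk_level"), r.get("usage_quota")
    critical = risk is not None and typed(risk) == "critical"
    return {"allowed": quota is None or usage_count < typed(quota), "require_mfa": critical,
            "require_justification": critical and bool(risk.get("metadata", {}).get("require_justification"))}

# Constructed samples modelled on this page's two examples; the inherited risk_level shows priority resolution.
ATTRS = [
    {"attributeName": "risk_level", "attributeValue": "critical", "valueType": "string", "priority": 100,
     "validationRules": '{"enum":["low","medium","high","critical"],"required":true}',
     "allowedValues": '["low","medium","high","critical"]', "metadata": {"require_justification": True}},
    {"attributeName": "risk_level", "attributeValue": "medium", "valueType": "string", "isInherited": True, "priority": 10},
    {"attributeName": "usage_quota", "attributeValue": "100", "valueType": "number", "priority": 50,
     "validationRules": '{"min":0,"max":1000,"type":"integer"}', "effectiveUntil": "2024-12-31T00:00:00Z"},
]
```

Calling `evaluate(ATTRS, 3, datetime(2024, 6, 1, tzinfo=timezone.utc))` allows the use but demands MFA and a justification; once the quota attribute's effectiveUntil has passed, the quota no longer blocks anything.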