AccessPolicy

Defines high-level security policies that govern access control decisions across the entire system, implementing policy-based access control (PBAC) on top of role and permission-based systems. Access policies are rules that apply globally or to specific contexts, enforcing organizational security requirements like 'all financial data requires MFA' or 'contractors cannot access customer PII'. These policies act as an additional layer above RBAC, allowing dynamic, attribute-based decisions. Policies can be preventive (blocking access even if permissions exist) or permissive (granting access in specific situations). They evaluate multiple factors including user attributes (department, clearance level), resource attributes (classification, owner), environmental context (time, location, threat level), and action context (sensitivity, risk). Policies support complex boolean logic, combining multiple conditions with AND/OR operators. They can enforce compliance requirements ('GDPR data can only be accessed from EU locations'), implement zero-trust principles ('verify device trust before allowing access'), or handle break-glass scenarios ('allow emergency access with heavy auditing'). The entity includes policy versioning for change tracking, testing capabilities to validate policies before activation, and conflict resolution when multiple policies apply. This is essential for large enterprises with complex compliance requirements and dynamic security needs.

27 properties

Schema

Properties

Property	Type	Mode	Description	Required
policyId	uuid	stored	Unique identifier for this policy	Required
code	string	stored	Unique machine-readable policy identifier Example: `"POL_FINANCIAL_MFA"`	Required
name	string	stored	Human-readable policy name Example: `"Financial Data MFA Requirement"`	Required
description	string	stored	Detailed explanation of policy purpose and effect Example: `"Requires multi-factor authentication for all access to financial data and transactions over $1000"`	Required
type	string	enum	Type of access policy Values: `preventive, permissive, detective, corrective, mandatory` Example: `"preventive"`	Required
scope	string	enum	Scope where this policy applies Values: `global, organization, department, resource_type, custom`	Optional
priority	integer	stored	Evaluation order (higher priority evaluated first)	Required
effect	string	enum	What happens when policy conditions are met Values: `allow, deny, require_mfa, require_approval, audit, notify` Example: `"deny"`	Required
subjects	string	stored	JSON criteria for who this policy applies to Example: `"{\"user_type\":[\"contractor\",\"vendor\"],\"clearance_level\":{\"$lt\":3}}"`	Required
resources	string	stored	JSON criteria for what resources this covers Example: `"{\"classification\":[\"confidential\",\"secret\"],\"data_type\":\"financial\"}"`	Required
actions	string	stored	JSON array of actions this policy governs Example: `"[\"read\",\"write\",\"delete\",\"export\"]"`	Required
conditions	string	stored	JSON conditions that must be true for policy to apply Example: `"{\"time_of_day\":{\"$between\":[\"08:00\",\"18:00\"]},\"location\":{\"$in\":[\"office\",\"vpn\"]}}"`	Optional
obligations	string	stored	JSON array of required actions when policy triggers Example: `"[{\"action\":\"audit_log\",\"level\":\"detailed\"},{\"action\":\"notify\",\"target\":\"security_team\"}]"`	Optional
ruleLogic	string	stored	Complex boolean logic for policy evaluation Example: `"((user.department == 'finance' AND resource.value > 10000) OR user.role == 'auditor')"`	Optional
conflictResolution	string	enum	How to handle conflicts with other policies Values: `deny_overrides, allow_overrides, priority_based, most_restrictive`	Optional
version	integer	stored	Policy version number	Optional
isActive	boolean	stored	Whether this policy is currently enforced	Optional
isDraft	boolean	stored	Whether this is a draft version	Optional
testMode	boolean	stored	Whether to run in test mode (log but don't enforce)	Optional
validFrom	DateTime	stored	When this policy becomes effective	Optional
validUntil	DateTime	stored	When this policy expires	Optional
complianceFramework	string	stored	Compliance requirement this policy addresses Example: `"GDPR Article 32"`	Optional
approvedBy	User	stored	Who approved this policy	Optional
approvedAt	DateTime	stored	When policy was approved	Optional
createdBy	User	stored	Policy author	Required
createdAt	DateTime	stored	When policy was created	Required
metadata	object	stored	Additional policy configuration	Optional

Examples

Example 1

{
  "@type": "AccessPolicy",
  "policyId": "pol_gdpr_001",
  "code": "POL_GDPR_DATA_LOCALITY",
  "name": "GDPR Data Locality Requirement",
  "description": "Ensures personal data of EU residents is only accessed from approved EU locations or with explicit consent",
  "type": "preventive",
  "scope": "global",
  "priority": 100,
  "effect": "deny",
  "subjects": "{\"all_users\":true}",
  "resources": "{\"data_residency\":\"EU\",\"contains_pii\":true}",
  "actions": "[\"read\",\"write\",\"export\",\"process\"]",
  "conditions": "{\"$or\":[{\"access_location\":{\"$in\":\"EU_COUNTRIES\"}},{\"user_consent\":true},{\"legal_basis\":{\"$exists\":true}}]}",
  "obligations": "[{\"action\":\"audit_log\",\"level\":\"full\",\"retain_days\":2555},{\"action\":\"encrypt\",\"algorithm\":\"AES-256\"}]",
  "conflictResolution": "deny_overrides",
  "version": 2,
  "isActive": true,
  "isDraft": false,
  "testMode": false,
  "complianceFramework": "GDPR Article 44-49",
  "approvedBy": "compliance_officer",
  "approvedAt": "2024-01-01T00:00:00Z",
  "createdAt": "2023-12-01T10:00:00Z",
  "metadata": {
    "eu_countries": [
      "DE",
      "FR",
      "IT",
      "ES",
      "NL",
      "BE",
      "PL"
    ],
    "audit_requirement": "quarterly_review"
  }
}

Example 2

{
  "@type": "AccessPolicy",
  "policyId": "pol_finance_002",
  "code": "POL_HIGH_VALUE_TRANSACTION_MFA",
  "name": "High-Value Transaction MFA Policy",
  "description": "Requires multi-factor authentication and manager approval for financial transactions exceeding thresholds",
  "type": "preventive",
  "scope": "resource_type",
  "priority": 90,
  "effect": "require_approval",
  "subjects": "{\"$or\":[{\"role\":{\"$in\":[\"accountant\",\"finance_manager\"]}},{\"department\":\"finance\"}]}",
  "resources": "{\"resource_type\":\"financial_transaction\",\"value\":{\"$gte\":10000}}",
  "actions": "[\"approve\",\"execute\",\"modify\"]",
  "conditions": "{\"$and\":[{\"time\":{\"$between\":[\"06:00\",\"22:00\"]}},{\"location\":{\"$ne\":\"blacklisted_countries\"}}]}",
  "obligations": "[{\"action\":\"require_mfa\"},{\"action\":\"manager_approval\",\"timeout\":\"24h\"},{\"action\":\"audit_log\",\"include_screenshot\":true}]",
  "ruleLogic": "transaction.value > 10000 AND (transaction.value > 50000 ? requires_cfo_approval : requires_manager_approval)",
  "conflictResolution": "most_restrictive",
  "version": 1,
  "isActive": true,
  "isDraft": false,
  "testMode": false,
  "validFrom": "2024-01-01T00:00:00Z",
  "complianceFramework": "SOX Section 404",
  "approvedBy": "cfo",
  "approvedAt": "2024-01-01T00:00:00Z",
  "createdBy": "security_architect",
  "createdAt": "2023-12-15T14:00:00Z",
  "metadata": {
    "thresholds": {
      "low": 1000,
      "medium": 10000,
      "high": 50000,
      "critical": 100000
    }
  }
}