PermissionCondition

Defines conditional logic that must be satisfied for permissions to be valid, implementing dynamic authorization where access rights change based on runtime conditions. Unlike static permissions that are always active, conditional permissions adapt to circumstances - a user might have 'approve expenses' permission but only for amounts under $5000, only during business hours, or only for their direct reports. This entity captures complex boolean expressions, mathematical comparisons, temporal constraints, and business rules that gate permission activation. Conditions can evaluate user attributes (seniority level, certifications), resource properties (document state, data classification), environmental factors (time, location, threat level), and business context (project phase, audit mode). The entity supports nested conditions with AND/OR/NOT logic, mathematical operations for numerical comparisons, string matching with regex patterns, and date arithmetic for temporal rules. Conditions can reference external services for dynamic evaluation ('check with risk scoring API'), aggregate functions ('user has approved less than 10 items today'), and historical data ('user has not failed audit in past year'). This conditional approach enables least-privilege access that automatically adjusts to risk, implements separation of duties (can't approve what you created), and enforces business policies (no changes during freeze periods) without constant manual permission updates.

25 properties
Schema

Properties

Property | Type | Mode | Description | Required
conditionId | uuid | stored | Unique identifier for this condition | Required
conditionName | string | stored | Human-readable name for the condition. Example: "Business Hours Only" | Required
description | string | stored | Explanation of what this condition checks. Example: "Restricts access to business hours (9 AM - 6 PM) on weekdays" | Optional
conditionType | string | enum | Category of condition. Values: temporal, numerical, attribute, contextual, aggregate, external, composite | Required
expression | string | stored | The condition logic expression. Example: "currentTime.hour >= 9 AND currentTime.hour <= 18 AND currentTime.dayOfWeek IN ['Mon','Tue','Wed','Thu','Fri']" | Required
evaluationMode | string | enum | How the condition is evaluated. Values: static, dynamic, cached, real_time | Optional
variables | string | stored | JSON object of variables used in the expression. Example: "{\"max_amount\":5000,\"allowed_states\":[\"draft\",\"review\"],\"business_hours\":{\"start\":9,\"end\":18}}" | Optional
operators | string | stored | JSON array of operators used. Example: "[\">\",\"<\",\"==\",\"IN\",\"AND\",\"OR\"]" | Optional
dataRequirements | string | stored | JSON array of data needed for evaluation. Example: "[\"user.department\",\"user.level\",\"resource.value\",\"context.time\"]" | Optional
externalDependencies | string | stored | External services or APIs required. Example: "{\"risk_api\":\"https://risk.api/evaluate\",\"calendar_service\":\"https://calendar.api/holidays\"}" | Optional
cacheable | boolean | stored | Whether the condition result can be cached | Optional
cacheTimeout | integer | stored | Seconds to cache the evaluation result | Optional
fallbackBehavior | string | enum | What to do if evaluation fails. Values: deny, allow, use_default, require_manual | Optional
nestedConditions | string | stored | JSON array of sub-condition IDs | Optional
priority | integer | stored | Evaluation order when multiple conditions exist | Optional
scope | string | stored | Where this condition can be applied. Example: "global" | Optional
errorMessage | string | stored | Message shown when the condition blocks access. Example: "Access restricted to business hours (9 AM - 6 PM weekdays)" | Optional
bypassRoles | string | stored | JSON array of roles that bypass this condition. Example: "[\"admin\",\"emergency_responder\"]" | Optional
testCases | string | stored | JSON array of test scenarios | Optional
performanceMetrics | string | stored | JSON metrics from condition evaluation | Optional
isActive | boolean | stored | Whether this condition is currently active | Optional
version | integer | stored | Condition version number | Optional
createdBy | User | stored | Who created this condition | Optional
createdAt | DateTime | stored | When the condition was created | Required
metadata | object | stored | Additional condition configuration | Optional

Examples

Example 1

{
  "@type": "PermissionCondition",
  "conditionId": "cond_amount_limit",
  "conditionName": "Expense Approval Limit",
  "description": "Limits expense approval based on user's approval authority and amount",
  "conditionType": "numerical",
  "expression": "resource.amount <= user.approval_limit AND resource.amount < 10000",
  "evaluationMode": "dynamic",
  "variables": "{\"default_limit\":5000,\"max_limit\":10000,\"escalation_threshold\":0.8}",
  "operators": "[\"<=\",\"<\",\"AND\"]",
  "dataRequirements": "[\"user.approval_limit\",\"user.department\",\"resource.amount\",\"resource.currency\"]",
  "cacheable": true,
  "cacheTimeout": 300,
  "fallbackBehavior": "deny",
  "priority": 100,
  "scope": "financial_operations",
  "errorMessage": "Amount exceeds your approval limit. Please escalate to your manager.",
  "bypassRoles": "[\"cfo\",\"finance_director\"]",
  "isActive": true,
  "version": 2,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "currency_conversion": true,
    "include_tax": true
  }
}

Example 2

{
  "@type": "PermissionCondition",
  "conditionId": "cond_separation_duties",
  "conditionName": "Separation of Duties Check",
  "description": "Prevents users from approving their own requests or changes",
  "conditionType": "contextual",
  "expression": "resource.created_by != user.id AND resource.last_modified_by != user.id AND !resource.stakeholders.includes(user.id)",
  "evaluationMode": "real_time",
  "variables": "{\"check_delegation\":true,\"check_reporting_chain\":true}",
  "operators": "[\"!=\",\"!\",\"includes\",\"AND\"]",
  "dataRequirements": "[\"resource.created_by\",\"resource.last_modified_by\",\"resource.stakeholders\",\"user.id\",\"user.reports_to\"]",
  "cacheable": false,
  "fallbackBehavior": "deny",
  "priority": 200,
  "scope": "approval_workflows",
  "errorMessage": "Cannot approve your own request or changes. Separation of duties policy requires independent approval.",
  "testCases": "[{\"scenario\":\"user_approves_own\",\"should_fail\":true},{\"scenario\":\"manager_approves_report\",\"should_pass\":true}]",
  "isActive": true,
  "version": 1,
  "createdAt": "2024-01-15T00:00:00Z",
  "metadata": {
    "sox_compliant": true,
    "audit_required": true
  }
}
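The following is an added illustration, not code from the schema or the project it documents. It evaluates constructed subsets of the two example records above, showing how bypassRoles, isActive and a fail-closed fallbackBehavior interact with the condition logic. The predicate functions, the user and resource dictionaries, and the rule that an inactive condition is simply not enforced are assumptions of this example; the expression strings are deliberately not eval()'d, because the page defines no grammar for them.

```python
import json

# Constructed subsets of the page's two example records (the expression
# strings are kept on the page for reference; they are not eval()'d here).
AMOUNT_LIMIT = {
    "conditionId": "cond_amount_limit",
    "variables": "{\"default_limit\":5000,\"max_limit\":10000,\"escalation_threshold\":0.8}",
    "fallbackBehavior": "deny", "bypassRoles": "[\"cfo\",\"finance_director\"]", "isActive": True,
}
SEPARATION_OF_DUTIES = {
    "conditionId": "cond_separation_duties",
    "variables": "{\"check_delegation\":true,\"check_reporting_chain\":true}",
    "fallbackBehavior": "deny", "bypassRoles": "[]", "isActive": True,
}

# Hand-coded predicates for the two expressions. Passing the stored string to
# eval() would let anyone who can edit a condition record run code inside the
# authorization service, so the logic is compiled into functions instead.
def expense_limit(user, resource, variables):
    amount = resource["amount"]          # KeyError if the data requirement is missing
    return amount <= user["approval_limit"] and amount < variables["max_limit"]

def separation_of_duties(user, resource, variables):
    return (resource["created_by"] != user["id"]
            and resource["last_modified_by"] != user["id"]
            and user["id"] not in resource["stakeholders"])

PREDICATES = {"cond_amount_limit": expense_limit,
              "cond_separation_duties": separation_of_duties}

def evaluate(condition, user, resource):
    """Return (allowed, reason). Assumption: an inactive condition is not
    enforced, and a role listed in bypassRoles skips the check entirely."""
    if not condition.get("isActive", True):
        return True, "inactive"
    bypass = set(json.loads(condition.get("bypassRoles", "[]")))
    if bypass & set(user.get("roles", [])):
        return True, "bypass"
    try:
        variables = json.loads(condition.get("variables", "{}"))
        ok = PREDICATES[condition["conditionId"]](user, resource, variables)
    except (KeyError, TypeError, ValueError) as exc:
        # Evaluation failed (missing data, bad JSON, unknown condition): apply
        # fallbackBehavior, which defaults to deny so the check fails closed.
        fallback = condition.get("fallbackBehavior", "deny")
        return fallback == "allow", f"fallback:{fallback}:{type(exc).__name__}"
    return bool(ok), "pass" if ok else "fail"
```

A resource record that lacks a field named in dataRequirements is denied rather than silently passed, and the reason string records which fallback fired so the decision can be audited.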