PolicyObligation
Defines mandatory actions that must be performed when a policy decision is made, ensuring that access control decisions are accompanied by the necessary security, compliance, or operational activities. Obligations are the 'must-do' requirements triggered by policy evaluation: when access is granted, specific actions such as logging, encryption, notification, or data masking must occur. Unlike the access decision itself (permit/deny), obligations are post-decision requirements that enforce additional controls. For example, accessing sensitive data might obligate the system to create detailed audit logs, send notifications to data owners, or apply encryption to responses. Obligations can be conditional on the decision outcome, with different obligations for permit versus deny. They support compliance requirements such as GDPR's notification obligations for data breaches or HIPAA's audit requirements for patient record access. The entity tracks obligation fulfillment to ensure that all required actions complete successfully; if an obligation fails, the access itself may be revoked. Obligations can be chained (one triggering another), time-bound (must complete within X seconds), or compensating (alternative actions if the primary fails). This mechanism turns a simple yes/no access decision into an auditable, compliant operation that meets regulatory and business requirements while maintaining security posture.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| obligationId | uuid | stored | Unique identifier for this obligation | Required |
| policyId | uuid | stored | Policy that defines this obligation | Required |
| obligationCode | string | stored | Unique code for this obligation type | Required |
| name | string | stored | Human-readable obligation name | Required |
| description | string | stored | Explanation of what this obligation requires | Optional |
| obligationType | string | enum | Category of obligation | Required |
| triggerEvent | string | enum | When this obligation is triggered | Optional |
| executionTime | string | enum | When the obligation must be executed | Optional |
| isMandatory | boolean | stored | Whether the obligation must succeed for access to proceed | Optional |
| parameters | string | stored | JSON parameters for obligation execution | Optional |
| conditions | string | stored | JSON conditions for when the obligation applies | Optional |
| target | string | stored | System or service that fulfills the obligation | Optional |
| timeout | integer | stored | Maximum milliseconds for obligation completion | Optional |
| retryPolicy | string | stored | JSON retry configuration if the obligation fails | Optional |
| fallbackObligation | uuid | stored | Alternative obligation if this one fails | Optional |
| compensatingAction | string | stored | Action to take if the obligation cannot be fulfilled | Optional |
| priority | integer | stored | Execution order when multiple obligations exist | Optional |
| chainedObligations | string | stored | JSON array of obligations triggered by this one | Optional |
| fulfillmentTracking | boolean | stored | Whether to track obligation completion | Optional |
| complianceMapping | string | stored | Regulatory requirements this addresses | Optional |
| validationRules | string | stored | JSON rules to verify obligation was fulfilled | Optional |
| isActive | boolean | stored | Whether this obligation is currently enforced | Optional |
| createdAt | DateTime | stored | When obligation was defined | Required |
| metadata | object | stored | Additional obligation configuration | Optional |
Examples
Example 1
```json
{
  "@type": "PolicyObligation",
  "obligationId": "obl_audit_001",
  "policyId": "pol_sensitive_data",
  "obligationCode": "OBL_AUDIT_SENSITIVE",
  "name": "Sensitive Data Access Audit",
  "description": "Create detailed audit log for all sensitive data access including full context and data accessed",
  "obligationType": "audit",
  "triggerEvent": "on_permit",
  "executionTime": "after_access",
  "isMandatory": true,
  "parameters": "{\"log_level\":\"detailed\",\"include_query\":true,\"include_results_summary\":true,\"pii_masking\":false,\"retention_days\":2555}",
  "conditions": "{\"data_classification\":[\"sensitive\",\"confidential\"],\"user_role\":{\"$ne\":\"auditor\"}}",
  "target": "audit_service",
  "timeout": 3000,
  "retryPolicy": "{\"max_retries\":3,\"backoff\":\"exponential\",\"initial_delay\":500}",
  "priority": 100,
  "fulfillmentTracking": true,
  "complianceMapping": "{\"sox\":\"Section 404\",\"gdpr\":\"Article 30\"}",
  "validationRules": "{\"required_fields\":[\"user_id\",\"resource_id\",\"timestamp\",\"operation\"],\"max_delay_seconds\":5}",
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "alert_security_team": true,
    "real_time_monitoring": true
  }
}
```
Example 2
```json
{
  "@type": "PolicyObligation",
  "obligationId": "obl_encrypt_002",
  "policyId": "pol_data_export",
  "obligationCode": "OBL_ENCRYPT_EXPORT",
  "name": "Export Data Encryption",
  "description": "Apply AES-256 encryption to all data exports before transmission",
  "obligationType": "encryption",
  "triggerEvent": "on_permit",
  "executionTime": "before_access",
  "isMandatory": true,
  "parameters": "{\"algorithm\":\"AES-256-GCM\",\"key_source\":\"kms\",\"include_integrity_check\":true}",
  "target": "encryption_service",
  "timeout": 10000,
  "retryPolicy": "{\"max_retries\":1,\"immediate_retry\":true}",
  "fallbackObligation": "obl_deny_export",
  "compensatingAction": "deny_access_with_error",
  "priority": 200,
  "chainedObligations": "[\"obl_notify_dpo\",\"obl_log_export\"]",
  "fulfillmentTracking": true,
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "encryption_required_by": [
      "gdpr",
      "company_policy"
    ],
    "key_rotation_days": 90
  }
}
```
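As an added example (not part of the original page or of any project code), a minimal Python obligation enforcer that consumes records in this schema: it selects obligations by triggerEvent and conditions, runs them in ascending priority order honouring retryPolicy.max_retries, queues chainedObligations on success, tries fallbackObligation on failure, and revokes a permit when a mandatory obligation remains unfulfilled. The ascending-priority ordering, the handler interface (one callable per target returning True/False) and the trimmed sample records are assumptions.

```python
import json
def conditions_match(conditions_json, context):
    """Evaluate a PolicyObligation.conditions document against the request context.
    A scalar must equal, a list means 'one of', {"$ne": v} (as in Example 1) means 'not v'."""
    for attr, expected in json.loads(conditions_json or "{}").items():
        actual = context.get(attr)
        if isinstance(expected, dict):
            if actual == expected.get("$ne"):
                return False
        elif actual not in (expected if isinstance(expected, list) else [expected]):
            return False
    return True

def run_with_retry(obligation, handler):
    """Call the target handler until it reports success or retryPolicy.max_retries is used up."""
    max_retries = json.loads(obligation.get("retryPolicy") or "{}").get("max_retries", 0)
    return any(handler(obligation) for _ in range(1 + max_retries))

def enforce(decision, obligations, context, handlers):
    """Run due obligations by ascending priority; an unfulfilled mandatory one revokes a permit."""
    event = "on_permit" if decision == "permit" else "on_deny"
    by_id = {o["obligationId"]: o for o in obligations}
    queue = sorted((o for o in obligations if o.get("isActive", True)
                    and o.get("triggerEvent", event) == event
                    and conditions_match(o.get("conditions"), context)),
                   key=lambda o: o.get("priority", 0))
    fulfilled, failed = [], []
    while queue:
        ob = queue.pop(0)
        if ob["obligationId"] in fulfilled + failed:
            continue  # a chained obligation that was also due directly runs only once
        ok = run_with_retry(ob, handlers[ob["target"]])
        if not ok and ob.get("fallbackObligation") in by_id:
            fb = by_id[ob["fallbackObligation"]]  # fallbackObligation replaces the failed one
            ok = run_with_retry(fb, handlers[fb["target"]])
        (fulfilled if ok else failed).append(ob["obligationId"])
        if ok:  # chainedObligations fire only after this one succeeded
            queue.extend(by_id[c] for c in json.loads(ob.get("chainedObligations") or "[]") if c in by_id)
        elif ob.get("isMandatory") and decision == "permit":
            decision = "deny"  # the compensating action, e.g. "deny_access_with_error"
            break
    return decision, fulfilled, failed

# Constructed records using fields from the page's two examples (trimmed for brevity).
AUDIT = {"obligationId": "obl_audit_001", "triggerEvent": "on_permit", "isMandatory": True,
         "target": "audit_service", "priority": 100, "retryPolicy": '{"max_retries":3}',
         "conditions": '{"data_classification":["sensitive","confidential"],"user_role":{"$ne":"auditor"}}'}
ENCRYPT = {"obligationId": "obl_encrypt_002", "triggerEvent": "on_permit", "isMandatory": True,
           "target": "encryption_service", "priority": 200, "retryPolicy": '{"max_retries":1}',
           "fallbackObligation": "obl_deny_export", "chainedObligations": '["obl_notify_dpo","obl_log_export"]'}
```

Because chained obligations are queued after their parent succeeds and not re-checked against conditions, an obligation such as obl_log_export can run purely as a consequence of the export encryption obligation.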