ACLEntry

Defines access control list entries that specify precise permissions for principals on specific resources, implementing discretionary access control (DAC) at the most granular level. ACL entries are the building blocks of resource-centric security, where each resource (file, folder, database, API endpoint) maintains a list of who can do what with it. Unlike role-based permissions that apply broadly, ACL entries provide fine-grained control for specific resource instances. Each entry defines a principal (user, group, or service), the resource they can access, and exactly what operations are allowed or denied. This is essential for implementing ownership models where resource creators control access, handling exceptions to broader policies, and managing shared resources with complex permission requirements.

ACL entries support inheritance from parent resources (folders passing permissions to files), explicit deny rules that override allows, and conditional access based on resource state or context. They can specify different permissions for different aspects of a resource: for example, allowing read of metadata but not content, or permitting updates to certain fields only.

The system evaluates ACL entries in a specific order, considering inheritance, explicit entries, and deny-before-allow rules. This granular control is crucial for compliance scenarios requiring proof of exactly who had access to specific data at specific times.

Schema (30 properties)

Properties

| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| aclId | uuid | stored | Unique identifier for this ACL entry | Required |
| resourceType | string | stored | Type of resource this ACL applies to. Example: "document" | Required |
| resourceId | string | stored | Specific resource identifier. Example: "doc_financial_report_2024" | Required |
| principalType | string | enum | Type of principal being granted access. Values: user, group, role, service, everyone, authenticated, anonymous | Required |
| principalId | string | stored | Identifier of the principal | Required |
| permissions | string | stored | JSON array of granted permissions. Example: "[\"read\",\"write\",\"delete\",\"share\"]" | Required |
| grantType | string | enum | Whether permissions are granted or denied. Values: allow, deny | Required |
| scope | string | enum | Scope of the ACL entry. Values: resource_only, resource_and_children, children_only, recursive | Optional |
| inheritanceType | string | enum | How this ACL interacts with inherited permissions. Values: override, merge, block_inheritance | Optional |
| isInherited | boolean | stored | Whether this ACL was inherited from a parent | Optional |
| inheritedFrom | string | stored | Parent resource this was inherited from | Optional |
| priority | integer | stored | Evaluation order (higher priority evaluated first) | Optional |
| conditions | string | stored | JSON conditions for when the ACL applies. Example: "{\"resource_state\":\"published\",\"time_range\":\"business_hours\"}" | Optional |
| fieldRestrictions | string | stored | JSON specifying field-level permissions. Example: "{\"allowed_fields\":[\"title\",\"summary\"],\"denied_fields\":[\"salary\",\"ssn\"]}" | Optional |
| maxAccessCount | integer | stored | Maximum number of times the resource can be accessed | Optional |
| currentAccessCount | integer | stored | Current access count | Optional |
| validFrom | DateTime | stored | When this ACL becomes effective | Optional |
| validUntil | DateTime | stored | When this ACL expires | Optional |
| grantedBy | User | stored | Who created this ACL entry | Optional |
| grantedAt | DateTime | stored | When the ACL was granted | Required |
| reason | string | stored | Explanation for this ACL entry | Optional |
| requiresMfa | boolean | stored | Whether MFA is required for access | Optional |
| requiresApproval | boolean | stored | Whether access requires runtime approval | Optional |
| approvalConfig | string | stored | JSON configuration for the approval workflow | Optional |
| auditLevel | string | enum | Level of auditing for access via this ACL. Values: none, basic, detailed, full | Optional |
| propagate | boolean | stored | Whether to propagate to child resources | Optional |
| isActive | boolean | stored | Whether this ACL entry is active | Optional |
| lastUsedAt | DateTime | stored | Last time this ACL was used for access | Optional |
| usageCount | integer | stored | Number of times this ACL has been used | Optional |
| metadata | object | stored | Additional ACL configuration | Optional |

Examples

Example 1

{
  "@type": "ACLEntry",
  "aclId": "acl_doc_001",
  "resourceType": "document",
  "resourceId": "doc_annual_report_2024",
  "principalType": "group",
  "principalId": "grp_finance_team",
  "permissions": "[\"read\",\"write\",\"comment\",\"version\"]",
  "grantType": "allow",
  "scope": "resource_only",
  "inheritanceType": "merge",
  "isInherited": false,
  "priority": 50,
  "conditions": "{\"document_state\":[\"draft\",\"review\"],\"work_hours\":true}",
  "fieldRestrictions": "{\"denied_fields\":[\"executive_summary\",\"confidential_notes\"]}",
  "validFrom": "2024-01-01T00:00:00Z",
  "validUntil": "2024-12-31T23:59:59Z",
  "grantedBy": "user_cfo",
  "grantedAt": "2024-01-01T00:00:00Z",
  "reason": "Finance team needs edit access to prepare annual report",
  "requiresMfa": true,
  "requiresApproval": false,
  "auditLevel": "detailed",
  "propagate": false,
  "isActive": true,
  "lastUsedAt": "2024-03-15T10:30:00Z",
  "usageCount": 156,
  "metadata": {
    "project": "annual_report_2024",
    "sensitivity": "high"
  }
}

Example 2

{
  "@type": "ACLEntry",
  "aclId": "acl_folder_002",
  "resourceType": "folder",
  "resourceId": "folder_customer_data",
  "principalType": "user",
  "principalId": "user_contractor_123",
  "permissions": "[\"read\",\"list\"]",
  "grantType": "deny",
  "scope": "recursive",
  "inheritanceType": "override",
  "isInherited": false,
  "priority": 100,
  "conditions": "{\"after_date\":\"2024-06-01\"}",
  "maxAccessCount": 0,
  "validFrom": "2024-06-01T00:00:00Z",
  "grantedBy": "user_security_admin",
  "grantedAt": "2024-05-15T00:00:00Z",
  "reason": "Contractor engagement ends May 31, 2024 - preventive access removal",
  "requiresMfa": true,
  "auditLevel": "full",
  "propagate": true,
  "isActive": true,
  "metadata": {
    "contract_end": "2024-05-31",
    "security_review": "required"
  }
}
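The description above lists the ingredients of an evaluation (inheritance through the resource tree, scope, validity window, priority, deny-before-allow, field restrictions) without showing them combined. The evaluator below is an added example, not code from the page or from the system it documents. It feeds in the two entries above (Example 1 and Example 2, trimmed to the fields it uses) plus one constructed "everyone" allow on the same folder, over a hypothetical parent map. Assumptions not fixed by the page: any applicable deny covering the operation wins regardless of priority, and priority only orders allows; `resource_and_children` and `children_only` mean direct children while `recursive` means all descendants; an entry with `inheritanceType` of `block_inheritance` on the target resource discards entries inherited from ancestors. The `conditions` field, `maxAccessCount` and `requiresApproval` are left to the caller.

```python
"""ACL evaluation over ACLEntry records. Added example, not the page's own code."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed (hypothetical) resource tree: child -> parent.
PARENTS = {
    "doc_customer_list": "folder_customer_data",
    "folder_customer_archive": "folder_customer_data",
    "doc_old_invoice": "folder_customer_archive",
}

# Example 1 and Example 2 from the page (trimmed), plus a constructed
# broad allow (acl_hypothetical_003) that the deny must beat.
ENTRIES = [
    {"aclId": "acl_doc_001", "resourceId": "doc_annual_report_2024",
     "principalType": "group", "principalId": "grp_finance_team",
     "permissions": "[\"read\",\"write\",\"comment\",\"version\"]",
     "grantType": "allow", "scope": "resource_only", "priority": 50,
     "fieldRestrictions": "{\"denied_fields\":[\"executive_summary\",\"confidential_notes\"]}",
     "validFrom": "2024-01-01T00:00:00Z", "validUntil": "2024-12-31T23:59:59Z",
     "requiresMfa": True, "isActive": True},
    {"aclId": "acl_folder_002", "resourceId": "folder_customer_data",
     "principalType": "user", "principalId": "user_contractor_123",
     "permissions": "[\"read\",\"list\"]", "grantType": "deny",
     "scope": "recursive", "priority": 100,
     "validFrom": "2024-06-01T00:00:00Z", "requiresMfa": True, "isActive": True},
    {"aclId": "acl_hypothetical_003", "resourceId": "folder_customer_data",
     "principalType": "everyone", "principalId": "*",
     "permissions": "[\"read\",\"list\"]", "grantType": "allow",
     "scope": "resource_and_children", "priority": 200, "isActive": True},
]

@dataclass
class Subject:
    user_id: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    authenticated: bool = True

def parse_ts(iso):
    """Parse the schema's ISO-8601 timestamps into aware datetimes."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def ancestors(resource_id):
    """Ancestors of a resource, nearest first."""
    while resource_id in PARENTS:
        resource_id = PARENTS[resource_id]
        yield resource_id

def json_field(entry, key, default):
    """permissions and fieldRestrictions are stored as JSON strings."""
    raw = entry.get(key)
    return json.loads(raw) if raw else default

def matches_principal(entry, subject):
    kind, pid = entry["principalType"], entry["principalId"]
    return {"user": pid == subject.user_id, "group": pid in subject.groups,
            "role": pid in subject.roles, "service": pid == subject.user_id,
            "everyone": True, "authenticated": subject.authenticated,
            "anonymous": not subject.authenticated}.get(kind, False)

def covers_resource(entry, resource_id):
    """Scope semantics are an assumption: *_children = direct children, recursive = all descendants."""
    owner, scope = entry["resourceId"], entry.get("scope", "resource_only")
    chain = list(ancestors(resource_id))
    direct_child = bool(chain) and chain[0] == owner
    if scope == "resource_only":
        return owner == resource_id
    if scope == "resource_and_children":
        return owner == resource_id or direct_child
    if scope == "children_only":
        return direct_child
    if scope == "recursive":
        return owner == resource_id or owner in chain
    return False  # unknown scope: fail closed

def in_window(entry, now):
    vf, vu = entry.get("validFrom"), entry.get("validUntil")
    return not ((vf and now < parse_ts(vf)) or (vu and now > parse_ts(vu)))

def evaluate(entries, subject, resource_id, operation, now):
    """Filter to live, matching entries; honour block_inheritance on the target;
    any deny covering the operation wins; else the highest-priority allow wins;
    else default deny."""
    live = [e for e in entries if e.get("isActive", True) and in_window(e, now)
            and matches_principal(e, subject) and covers_resource(e, resource_id)]
    if any(e["resourceId"] == resource_id and e.get("inheritanceType") == "block_inheritance"
           for e in live):
        live = [e for e in live if e["resourceId"] == resource_id]
    live.sort(key=lambda e: e.get("priority", 0), reverse=True)
    for e in live:
        if e["grantType"] == "deny" and operation in json_field(e, "permissions", []):
            return {"allowed": False, "by": e["aclId"]}
    for e in live:
        if e["grantType"] == "allow" and operation in json_field(e, "permissions", []):
            fr = json_field(e, "fieldRestrictions", {})
            return {"allowed": True, "by": e["aclId"],
                    "requires_mfa": bool(e.get("requiresMfa", False)),
                    "denied_fields": sorted(fr.get("denied_fields", [])),
                    "allowed_fields": sorted(fr.get("allowed_fields", []))}
    return {"allowed": False, "by": None}  # no applicable allow: default deny

if __name__ == "__main__":
    contractor = Subject("user_contractor_123")
    print(evaluate(ENTRIES, contractor, "doc_customer_list", "read", parse_ts("2024-06-15T00:00:00Z")))
```

Run as a script it shows the contractor's read on a child document being denied by `acl_folder_002` even though the constructed allow has the higher priority; moving `now` before `validFrom` lets the allow through, which is why the validity window and the deny's `priority` both matter for audit answers about who could access what, and when.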