PolicyRule
Represents an individual rule within an access policy. Rules provide the granular conditions and actions from which complex policy logic is composed: while an AccessPolicy defines the overall security requirement, PolicyRules are the building blocks that implement specific checks and decisions. Each rule evaluates one condition (such as 'user is contractor' or 'time is outside business hours') and specifies what should happen when that condition is met. Rules can be combined using boolean logic (AND, OR, NOT) to build sophisticated policies; for example, a policy preventing data exfiltration might have rules checking data volume, destination, time of day, and user history.

Rules support several evaluation methods, including simple comparisons, regex patterns, mathematical operations, and external service calls for dynamic decisions. They can trigger multiple actions, such as logging, notifications, step-up authentication, or access denial.

The entity includes rule versioning to track changes, testing capabilities to validate logic, and performance metrics to identify slow-evaluating rules. Rules can be shared across policies for consistency and temporarily disabled for troubleshooting. This granular approach lets security teams build precise, maintainable policies that adapt to evolving threats and compliance requirements without complete rewrites.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| ruleId | uuid | stored | Unique identifier for this rule | Required |
| policyId | uuid | stored | Parent policy this rule belongs to | Required |
| ruleName | string | stored | Descriptive name for the rule Example: | Required |
| description | string | stored | Explanation of what this rule checks Example: | Optional |
| ruleOrder | integer | stored | Evaluation sequence within the policy | Required |
| ruleType | string | enum | Type of rule evaluation Values: | Required |
| evaluationMode | string | enum | How the rule is evaluated Values: | Optional |
| attribute | string | stored | Attribute being evaluated Example: | Optional |
| operator | string | enum | Comparison operator Values: Example: | Optional |
| value | string | stored | Value to compare against (can be JSON) Example: | Optional |
| expression | string | stored | Complex expression for advanced rules Example: | Optional |
| script | string | stored | Script code for script-based evaluation | Optional |
| externalService | string | stored | External service URL for dynamic evaluation Example: | Optional |
| combineOperator | string | enum | How to combine with previous rule Values: | Optional |
| negateResult | boolean | stored | Whether to negate the rule result | Optional |
| onMatch | string | enum | Action when rule matches Values: | Optional |
| onNoMatch | string | enum | Action when rule doesn't match Values: | Optional |
| actions | string | stored | JSON array of actions to execute Example: | Optional |
| isEnabled | boolean | stored | Whether this rule is active | Optional |
| isCacheable | boolean | stored | Whether rule results can be cached | Optional |
| cacheTimeout | integer | stored | Seconds to cache rule results | Optional |
| performanceImpact | string | enum | Expected performance impact Values: | Optional |
| failureMode | string | enum | What to do if rule evaluation fails Values: | Optional |
| timeout | integer | stored | Maximum milliseconds for rule evaluation | Optional |
| errorMessage | string | stored | Message to show when rule denies access | Optional |
| statistics | string | stored | JSON statistics about rule evaluation | Optional |
| version | integer | stored | Rule version number | Optional |
| createdAt | DateTime | stored | When rule was created | Required |
| createdBy | User | stored | Who created this rule | Optional |
| metadata | object | stored | Additional rule configuration | Optional |
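The following JavaScript is an added example, not code from the page's project: it evaluates an ordered chain of PolicyRule records in a simple attribute/operator/value evaluationMode, using the property names from the table above (ruleOrder, isEnabled, negateResult, combineOperator, onMatch, onNoMatch, failureMode, errorMessage). The chaining semantics are an assumption: combineOperator folds a rule's result into the running result of the rules before it, and onMatch/onNoMatch then decide whether to stop with a decision or continue. The operator names, the "skip" failureMode, and the default-deny outcome when no rule reaches a terminal action are also assumptions. The sample rule chain is constructed to mirror Example 1's expression.

```javascript
// Added example, not code from the page's project: a fail-closed evaluator for
// an ordered chain of PolicyRule records in a "simple" attribute/operator/value
// evaluationMode. Property names follow the PolicyRule table; the chaining
// semantics, operator names and default-deny outcome are assumptions.

// Resolve a dotted attribute path such as "user.employment_type" against the
// request context. A missing segment yields undefined instead of throwing.
function getAttribute(context, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
}

// Fixed allow-list of comparison operators. An operator outside the list is an
// evaluation failure, routed through failureMode rather than silently permitted.
const OPERATORS = {
  equals: (a, b) => a === b,
  not_equals: (a, b) => a !== b,
  in: (a, b) => Array.isArray(b) && b.includes(a),
  greater_than: (a, b) => typeof a === "number" && a > b,
  less_than: (a, b) => typeof a === "number" && a < b,
  // The pattern comes from the policy author, never from the request being evaluated.
  matches: (a, b) => typeof a === "string" && new RegExp(b).test(a),
};

// Evaluate one rule's own condition, before negateResult and combineOperator apply.
function evaluateCondition(rule, context) {
  if (rule.evaluationMode !== "simple") {
    throw new Error(`unsupported evaluationMode: ${rule.evaluationMode}`);
  }
  const op = OPERATORS[rule.operator];
  if (!op) throw new Error(`unknown operator: ${rule.operator}`);
  // "value" may hold a JSON literal ("true", "[\"a\",\"b\"]"); otherwise use the raw string.
  let expected;
  try { expected = JSON.parse(rule.value); } catch { expected = rule.value; }
  return op(getAttribute(context, rule.attribute), expected);
}

// Fold this rule's result into the running result of the rules before it.
function combine(previous, current, operator) {
  if (previous === null || operator == null) return current;
  if (operator === "AND") return previous && current;
  if (operator === "OR") return previous || current;
  throw new Error(`unknown combineOperator: ${operator}`);
}

// Walk enabled rules in ruleOrder and return { decision, ruleId, reason }.
function evaluatePolicy(rules, context) {
  const ordered = rules
    .filter((r) => r.isEnabled !== false)
    .sort((a, b) => a.ruleOrder - b.ruleOrder);
  let running = null;
  for (const rule of ordered) {
    let matched;
    try {
      matched = evaluateCondition(rule, context);
      if (rule.negateResult) matched = !matched;
      matched = combine(running, matched, rule.combineOperator);
    } catch (err) {
      // failureMode decides what an evaluation error means; the default is deny (fail closed).
      const mode = rule.failureMode || "deny";
      if (mode === "deny") return { decision: "deny", ruleId: rule.ruleId, reason: `evaluation failed: ${err.message}` };
      if (mode === "permit") return { decision: "permit", ruleId: rule.ruleId, reason: "failureMode permit" };
      continue; // "skip" (assumed value): leave the running result untouched and move on
    }
    running = matched;
    const action = matched ? rule.onMatch || "continue" : rule.onNoMatch || "continue";
    if (action === "deny") return { decision: "deny", ruleId: rule.ruleId, reason: rule.errorMessage || "rule matched" };
    if (action === "permit") return { decision: "permit", ruleId: rule.ruleId, reason: "rule permitted" };
  }
  // No rule reached a terminal action: deny by default (assumption, fail closed).
  return { decision: "deny", ruleId: null, reason: "no rule produced a decision" };
}

// Constructed sample chain: Example 1's expression rewritten as three simple rules.
const CONTRACTOR_PII_RULES = [
  { ruleId: "r1", ruleOrder: 1, evaluationMode: "simple", attribute: "user.employment_type",
    operator: "equals", value: "contractor", combineOperator: null, negateResult: false,
    onMatch: "continue", onNoMatch: "continue", isEnabled: true, failureMode: "deny" },
  { ruleId: "r2", ruleOrder: 2, evaluationMode: "simple", attribute: "resource.contains_pii",
    operator: "equals", value: "true", combineOperator: "AND", negateResult: false,
    onMatch: "continue", onNoMatch: "continue", isEnabled: true, failureMode: "deny" },
  { ruleId: "r3", ruleOrder: 3, evaluationMode: "simple", attribute: "user.pii_authorization",
    operator: "equals", value: "true", combineOperator: "AND", negateResult: true,
    onMatch: "deny", onNoMatch: "permit", isEnabled: true, failureMode: "deny",
    errorMessage: "Access denied: Contractors cannot access customer PII without explicit authorization" },
];

if (typeof require !== "undefined" && require.main === module) {
  const ctx = { user: { employment_type: "contractor", pii_authorization: false },
                resource: { contains_pii: true } };
  console.log(evaluatePolicy(CONTRACTOR_PII_RULES, ctx)); // decision "deny" from r3
}
```

Two design points worth noting: every error path (unknown operator, unsupported evaluationMode, bad combineOperator) ends up in the failureMode branch, so a misconfigured rule cannot accidentally grant access, and a chain that never reaches a terminal onMatch/onNoMatch action (for example because the deciding rule was disabled for troubleshooting) also denies rather than permitting.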
Examples
Example 1
{
"@type": "PolicyRule",
"ruleId": "rule_contractor_check",
"policyId": "pol_data_access",
"ruleName": "Contractor PII Access Check",
"description": "Prevents contractors from accessing customer PII unless explicitly authorized",
"ruleOrder": 1,
"ruleType": "condition",
"evaluationMode": "complex",
"expression": "user.employment_type == 'contractor' AND resource.contains_pii == true AND user.pii_authorization != true",
"combineOperator": null,
"negateResult": false,
"onMatch": "deny",
"onNoMatch": "continue",
"actions": "[{\"type\":\"audit_log\",\"severity\":\"high\",\"message\":\"Contractor attempted PII access\"},{\"type\":\"alert\",\"target\":\"security_team\"}]",
"isEnabled": true,
"isCacheable": true,
"cacheTimeout": 600,
"performanceImpact": "low",
"failureMode": "deny",
"timeout": 100,
"errorMessage": "Access denied: Contractors cannot access customer PII without explicit authorization",
"statistics": "{\"evaluations\":15234,\"matches\":89,\"avg_time_ms\":12}",
"version": 2,
"createdAt": "2024-01-15T10:00:00Z",
"metadata": {
"compliance_ref": "privacy_policy_3.2",
"risk_score": 8
}
}
Example 2
{
"@type": "PolicyRule",
"ruleId": "rule_time_window",
"policyId": "pol_maintenance_window",
"ruleName": "Business Hours Check",
"description": "Allows sensitive operations only during business hours unless emergency flag is set",
"ruleOrder": 2,
"ruleType": "condition",
"evaluationMode": "script",
"script": "const now = new Date(); const hour = now.getHours(); const isWeekday = now.getDay() >= 1 && now.getDay() <= 5; return (isWeekday && hour >= 9 && hour < 17) || context.emergency_override === true;",
"combineOperator": "AND",
"negateResult": false,
"onMatch": "permit",
"onNoMatch": "deny",
"actions": "[{\"type\":\"log\",\"message\":\"After-hours access attempt\"}]",
"isEnabled": true,
"isCacheable": false,
"performanceImpact": "negligible",
"failureMode": "deny",
"timeout": 50,
"errorMessage": "This operation is only allowed during business hours (Mon-Fri 9AM-5PM) unless emergency access is granted",
"version": 1,
"createdAt": "2024-02-01T09:00:00Z",
"metadata": {
"timezone": "America/New_York",
"holidays_api": "https://api.company.com/holidays"
}
}