ResourceTag
Attaches metadata labels to resources that drive access control decisions, enabling attribute-based access control (ABAC) where permissions are determined by matching tags between users, resources, and policies. Resource tags are key-value pairs that describe characteristics like classification level, data sensitivity, project ownership, compliance scope, or business criticality.

Unlike traditional access control that explicitly lists who can access what, tag-based control uses tag matching rules: a user with a 'department:finance' tag can access resources tagged 'visibility:finance'. This approach dramatically simplifies permission management for large-scale systems where explicitly maintaining access lists becomes impractical.

Tags support hierarchical relationships (parent tags imply child tags), tag inheritance (resources inherit parent folder tags), and tag propagation (tags flow through data lineage). The entity enables dynamic authorization that automatically adjusts as tags change, policy-driven access where rules reference tags instead of specific resources, and compliance enforcement where regulatory tags trigger specific controls.

Tags can be system-generated (auto-classification), user-applied (manual labeling), or inherited (from containers). They support multi-dimensional classification where resources have multiple tag types (sensitivity, project, owner, retention), enabling complex access decisions based on tag combinations.

This tagging system is essential for cloud resource management, data governance, regulatory compliance, and implementing scalable access control in dynamic environments where resources are constantly created and modified.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| tagId | uuid | stored | Unique identifier for this tag assignment | Required |
| resourceType | string | stored | Type of resource being tagged | Required |
| resourceId | string | stored | Identifier of the tagged resource | Required |
| tagKey | string | stored | Tag category or namespace | Required |
| tagValue | string | stored | Tag value within the category | Required |
| tagType | string | enum | Category of tag | Required |
| source | string | enum | How tag was applied | Optional |
| confidence | number | stored | Confidence in tag accuracy (0-1) | Optional |
| scope | string | enum | Tag visibility and usage scope | Optional |
| inheritance | string | enum | How tag inherits to children | Optional |
| propagation | string | enum | How tag propagates through relationships | Optional |
| parentTagId | uuid | stored | Parent tag this was inherited from | Optional |
| tagHierarchy | string | stored | JSON tag hierarchy path | Optional |
| relatedTags | string | stored | JSON array of related tag IDs | Optional |
| conflictingTags | string | stored | JSON array of mutually exclusive tags | Optional |
| impliedTags | string | stored | JSON tags automatically implied | Optional |
| accessImplications | string | stored | JSON access control effects of this tag | Optional |
| policyBindings | string | stored | JSON policies triggered by this tag | Optional |
| validFrom | DateTime | stored | When tag becomes effective | Optional |
| validUntil | DateTime | stored | When tag expires | Optional |
| isTemporary | boolean | stored | Whether tag is temporary | Optional |
| appliedBy | User | stored | Who applied this tag | Optional |
| appliedAt | DateTime | stored | When tag was applied | Required |
| verifiedBy | User | stored | Who verified tag accuracy | Optional |
| verifiedAt | DateTime | stored | When tag was verified | Optional |
| lastReviewedAt | DateTime | stored | Last tag review date | Optional |
| nextReviewDate | DateTime | stored | When tag needs review | Optional |
| isActive | boolean | stored | Whether tag is currently active | Optional |
| removalReason | string | stored | Why tag was removed | Optional |
| metadata | object | stored | Additional tag data | Optional |
Examples
Example 1
```json
{
  "@type": "ResourceTag",
  "tagId": "tag_001",
  "resourceType": "document",
  "resourceId": "doc_financial_report_2024",
  "tagKey": "data_classification",
  "tagValue": "highly_confidential",
  "tagType": "security",
  "source": "automated",
  "confidence": 0.95,
  "scope": "internal",
  "inheritance": "recursive",
  "propagation": "downstream",
  "tagHierarchy": "[\"sensitive\",\"confidential\",\"highly_confidential\"]",
  "impliedTags": "[{\"key\":\"encryption_required\",\"value\":\"AES256\"},{\"key\":\"access_review\",\"value\":\"quarterly\"}]",
  "accessImplications": "{\"min_clearance_level\":3,\"required_mfa\":true,\"session_recording\":true,\"watermarking\":true}",
  "policyBindings": "[\"data_loss_prevention\",\"insider_threat_monitoring\",\"encryption_at_rest\"]",
  "appliedBy": "system_classifier",
  "appliedAt": "2024-03-01T10:00:00Z",
  "verifiedBy": "user_data_steward",
  "verifiedAt": "2024-03-02T09:00:00Z",
  "lastReviewedAt": "2024-03-15T00:00:00Z",
  "nextReviewDate": "2024-06-15T00:00:00Z",
  "isActive": true,
  "metadata": {
    "classification_model": "ml_classifier_v3",
    "confidence_factors": [
      "keyword_match",
      "context_analysis",
      "metadata_scan"
    ]
  }
}
```
Example 2
```json
{
  "@type": "ResourceTag",
  "tagId": "tag_002",
  "resourceType": "database",
  "resourceId": "db_customer_analytics",
  "tagKey": "compliance_scope",
  "tagValue": "gdpr",
  "tagType": "compliance",
  "source": "manual",
  "confidence": 1,
  "scope": "internal",
  "inheritance": "direct_children",
  "propagation": "downstream",
  "relatedTags": "[\"tag_pii\",\"tag_eu_data\"]",
  "conflictingTags": "[\"tag_public_data\"]",
  "accessImplications": "{\"restricted_regions\":[\"non_eu\"],\"retention_limit\":\"3_years\",\"right_to_deletion\":true}",
  "policyBindings": "[\"gdpr_compliance_policy\",\"data_retention_policy\",\"cross_border_transfer_policy\"]",
  "appliedBy": "user_compliance_officer",
  "appliedAt": "2024-01-15T14:00:00Z",
  "isTemporary": false,
  "isActive": true,
  "metadata": {
    "legal_basis": "consent",
    "data_subjects": "eu_residents",
    "dpo_approved": true
  }
}
```
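An added example, not part of the schema's own code, of how an access decision might consume these records: it decodes the JSON-string fields, honours isActive and the validFrom/validUntil window, rejects a resource carrying mutually exclusive tags, and merges accessImplications. The subject attributes (clearance_level, mfa), the reading of conflictingTags as tag IDs, and the "most restrictive wins" merge rule are assumptions.

```python
import json
from datetime import datetime, timezone

def _ts(value):
    # Page timestamps look like 2024-03-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_effective(tag, now):
    """A tag counts only if active and inside its validFrom/validUntil window."""
    # Assumption: a missing isActive means active, so a restriction is not dropped.
    if not tag.get("isActive", True):
        return False
    if "validFrom" in tag and now < _ts(tag["validFrom"]):
        return False
    if "validUntil" in tag and now >= _ts(tag["validUntil"]):
        return False
    return True

def authorize(subject, tags, now):
    """Return (allowed, reason). Fails closed on conflicts or undecodable fields."""
    live = [t for t in tags if is_effective(t, now)]
    live_ids = {t["tagId"] for t in live}
    need_level, need_mfa = 0, False
    for tag in live:
        try:
            conflicts = set(json.loads(tag.get("conflictingTags", "[]")))
            implications = json.loads(tag.get("accessImplications", "{}"))
        except (ValueError, TypeError):
            return False, f"undecodable JSON on {tag['tagId']}"
        clash = live_ids & conflicts
        if clash:
            return False, f"{tag['tagId']} conflicts with {sorted(clash)}"
        # Assumed merge rule: the most restrictive requirement wins.
        need_level = max(need_level, implications.get("min_clearance_level", 0))
        need_mfa = need_mfa or implications.get("required_mfa", False)
    if subject["clearance_level"] < need_level:
        return False, f"clearance {need_level} required"
    if need_mfa and not subject["mfa"]:
        return False, "MFA required"
    return True, "ok"

# Constructed sample tags on one resource, shaped like the page's examples.
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)
CONFIDENTIAL = {"tagId": "tag_001", "isActive": True,
                "accessImplications": '{"min_clearance_level":3,"required_mfa":true}'}
GDPR = {"tagId": "tag_002", "isActive": True,
        "conflictingTags": '["tag_public_data"]', "accessImplications": "{}"}
PUBLIC = {"tagId": "tag_public_data", "isActive": True}
EXPIRED = dict(CONFIDENTIAL, tagId="tag_old", validUntil="2024-03-01T00:00:00Z")
```

Once a restrictive tag passes validUntil its requirements drop out of the decision, so the expiry or deactivation of security tags is an event worth logging and reviewing.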