AccessControlTransaction

Ensures atomic, consistent access control changes by grouping related permission modifications into transactional units that either completely succeed or completely fail. This entity addresses the critical challenge of maintaining authorization integrity when multiple interdependent changes must occur together - like rotating roles during organizational restructuring, migrating permissions between systems, or implementing new compliance policies. Each transaction encapsulates a series of access control operations (grant, revoke, modify) with ACID properties: Atomicity ensures all changes apply or none do, Consistency maintains valid permission states throughout, Isolation prevents concurrent transactions from interfering, and Durability ensures completed changes persist. Transactions support complex scenarios like swapping user roles (must revoke old before granting new), cascading permission updates (parent change affects all children), and compensating transactions (automatic rollback operations). The entity tracks transaction state through phases: planning (validating changes), execution (applying changes), verification (confirming success), and commitment (making permanent). It handles distributed transactions across multiple systems, two-phase commit protocols for coordination, and saga patterns for long-running operations. Transaction logs provide audit trails for compliance, enable point-in-time recovery for access control state, and support what-if analysis for proposed changes. This transactional approach is essential for maintaining security during bulk permission updates, preventing privilege escalation during transitions, and ensuring zero-downtime access control migrations.

31 properties
Schema

Properties

Property | Type | Mode | Description | Required
--- | --- | --- | --- | ---
transactionId | uuid | stored | Unique identifier for this transaction | Required
transactionType | string | enum | Category of transaction. Values: role_rotation, permission_migration, bulk_update, policy_deployment, emergency_change, rollback | Required
description | string | stored | Explanation of transaction purpose. Example: "Quarterly role rotation for security compliance" | Required
operations | string | stored | JSON array of operations in transaction. Example: "[{\"op\":\"revoke\",\"target\":\"role_admin\",\"user\":\"user_001\"},{\"op\":\"grant\",\"target\":\"role_viewer\",\"user\":\"user_001\"}]" | Required
state | string | enum | Current transaction state. Values: draft, validating, preparing, executing, verifying, committing, committed, rolling_back, rolled_back, failed | Required
isolationLevel | string | enum | Transaction isolation level. Values: read_uncommitted, read_committed, repeatable_read, serializable | Optional
atomicityMode | string | enum | How atomicity is enforced. Values: all_or_nothing, best_effort, eventual_consistency | Optional
validationResults | string | stored | JSON validation checks performed. Example: "{\"permission_conflicts\":\"none\",\"policy_compliance\":\"passed\",\"dependency_check\":\"satisfied\"}" | Optional
executionPlan | string | stored | JSON detailed execution strategy | Optional
affectedEntities | string | stored | JSON entities impacted by transaction. Example: "{\"users\":[\"user_001\",\"user_002\"],\"roles\":[\"role_admin\"],\"permissions\":[\"perm_delete\"]}" | Optional
dependencies | string | stored | JSON other transactions this depends on | Optional
conflictingTransactions | string | stored | JSON transactions that conflict | Optional
rollbackPlan | string | stored | JSON strategy for reverting changes | Optional
compensatingActions | string | stored | JSON actions to undo effects | Optional
checkpoints | string | stored | JSON savepoints during execution | Optional
initiatedBy | User | stored | Who started this transaction | Required
approvedBy | User | stored | Who approved execution | Optional
startedAt | DateTime | stored | When transaction began executing | Optional
committedAt | DateTime | stored | When changes were committed | Optional
rolledBackAt | DateTime | stored | When transaction was rolled back | Optional
timeout | integer | stored | Maximum seconds for completion | Optional
retryCount | integer | stored | Number of retry attempts | Optional
maxRetries | integer | stored | Maximum retry attempts allowed | Optional
errorDetails | string | stored | JSON error information if failed | Optional
partialResults | string | stored | JSON operations that succeeded before failure | Optional
verificationStatus | string | stored | JSON post-execution verification | Optional
auditLog | string | stored | JSON detailed transaction history | Optional
isDryRun | boolean | stored | Whether this is a test run | Optional
isReversible | boolean | stored | Whether transaction can be undone | Optional
priority | integer | stored | Execution priority | Optional
metadata | object | stored | Additional transaction data | Optional
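
The lifecycle set out in the description above (validating as a dry run, executing from a checkpoint, verifying, then committed or rolled_back), driven by the `operations` array and the `state` values defined in the table, as an added Python example that is not part of this schema page: `apply_op`, `execute`, `sample_store`, the in-memory user-to-roles store and the `backend` hook are assumptions, while the operations list is the one from Example 1 below.

```python
import json
from copy import deepcopy

def apply_op(store, op):
    """Apply one `operations` entry to an in-memory user -> roles map; bad revokes raise."""
    if op["op"] in ("audit", "notify"):
        return  # bookkeeping ops change no permission state
    for user in op.get("users") or [op["user"]]:
        held = store.setdefault(user, set())
        if op["op"] == "grant":
            held.add(op["target"])
        elif op["op"] == "revoke" and op["target"] in held:
            held.remove(op["target"])
        else:  # unsupported op, or revoking a role the user does not hold
            raise ValueError(f"cannot {op['op']} {op.get('target')} for {user}")

def execute(txn, store, backend=lambda op: None):
    """All-or-nothing run of txn['operations']; `backend` stands in for the target system."""
    ops = sorted(json.loads(txn["operations"]), key=lambda o: o["seq"])
    txn["state"], trial = "validating", deepcopy(store)  # planning: dry run on a copy
    try:
        for op in ops:
            apply_op(trial, op)
    except (ValueError, KeyError) as err:
        txn.update(state="failed", errorDetails=json.dumps({"phase": "validating", "error": str(err)}))
        return txn
    txn["state"], savepoint, done = "executing", deepcopy(store), []  # checkpoint before first live change
    try:
        for op in ops:
            apply_op(store, op)
            backend(op)  # a downstream failure here must not leave a half-applied rotation
            done.append(op["seq"])
    except Exception as err:
        store.clear()
        store.update(savepoint)  # checkpoint_based rollback: restore the savepoint wholesale
        txn.update(state="rolled_back", partialResults=json.dumps(done),
                   errorDetails=json.dumps({"phase": "executing", "error": str(err)}))
        return txn
    txn["state"] = "committed" if store == trial else "failed"  # verifying: live state matches the plan
    return txn

def sample_store():  # constructed: the live store before the Example 1 rotation runs
    return {"user_001": {"role_super_admin"}, "user_002": {"role_super_admin"}, "user_003": {"role_admin"}}

ROTATION_OPS = json.dumps([  # the `operations` value from Example 1
    {"seq": 1, "op": "revoke", "type": "role", "target": "role_super_admin", "users": ["user_001", "user_002"]},
    {"seq": 2, "op": "grant", "type": "role", "target": "role_admin", "users": ["user_001", "user_002"]},
    {"seq": 3, "op": "grant", "type": "role", "target": "role_super_admin", "users": ["user_003"]},
    {"seq": 4, "op": "audit", "type": "log", "message": "Q1 2024 role rotation completed"}])
```

A plan that revokes a role the user does not hold is rejected in the validating phase before the live store is touched, and a backend failure after some operations have applied restores the savepoint and records the applied sequence numbers in partialResults.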

Examples

Example 1

{
  "@type": "AccessControlTransaction",
  "transactionId": "txn_role_rotation_001",
  "transactionType": "role_rotation",
  "description": "Quarterly security role rotation - Q1 2024 admin privilege reduction",
  "operations": "[{\"seq\":1,\"op\":\"revoke\",\"type\":\"role\",\"target\":\"role_super_admin\",\"users\":[\"user_001\",\"user_002\"]},{\"seq\":2,\"op\":\"grant\",\"type\":\"role\",\"target\":\"role_admin\",\"users\":[\"user_001\",\"user_002\"]},{\"seq\":3,\"op\":\"grant\",\"type\":\"role\",\"target\":\"role_super_admin\",\"users\":[\"user_003\"]},{\"seq\":4,\"op\":\"audit\",\"type\":\"log\",\"message\":\"Q1 2024 role rotation completed\"}]",
  "state": "committed",
  "isolationLevel": "serializable",
  "atomicityMode": "all_or_nothing",
  "validationResults": "{\"conflict_check\":\"passed\",\"permission_continuity\":\"maintained\",\"compliance_check\":\"passed\"}",
  "affectedEntities": "{\"users\":[\"user_001\",\"user_002\",\"user_003\"],\"roles\":[\"role_super_admin\",\"role_admin\"],\"permission_count\":47}",
  "rollbackPlan": "{\"strategy\":\"reverse_operations\",\"checkpoint_based\":true,\"verification_required\":true}",
  "initiatedBy": "user_security_admin",
  "approvedBy": "user_ciso",
  "startedAt": "2024-03-01T00:00:00Z",
  "committedAt": "2024-03-01T00:05:23Z",
  "timeout": 600,
  "retryCount": 0,
  "verificationStatus": "{\"all_operations\":\"successful\",\"permission_state\":\"consistent\",\"no_orphaned_permissions\":true}",
  "isReversible": true,
  "priority": 100,
  "metadata": {
    "compliance_requirement": "ISO_27001",
    "change_ticket": "CHG-2024-001"
  }
}

Example 2

{
  "@type": "AccessControlTransaction",
  "transactionId": "txn_emergency_002",
  "transactionType": "emergency_change",
  "description": "Emergency revocation of compromised contractor access",
  "operations": "[{\"seq\":1,\"op\":\"revoke\",\"type\":\"all_permissions\",\"user\":\"contractor_compromised\"},{\"seq\":2,\"op\":\"revoke\",\"type\":\"all_roles\",\"user\":\"contractor_compromised\"},{\"seq\":3,\"op\":\"disable\",\"type\":\"account\",\"user\":\"contractor_compromised\"},{\"seq\":4,\"op\":\"notify\",\"targets\":[\"security_team\",\"contractor_manager\"]}]",
  "state": "committed",
  "isolationLevel": "read_committed",
  "atomicityMode": "all_or_nothing",
  "validationResults": "{\"emergency_override\":true,\"skip_approval\":true}",
  "affectedEntities": "{\"users\":[\"contractor_compromised\"],\"roles\":5,\"permissions\":23,\"sessions\":3}",
  "initiatedBy": "user_soc_analyst",
  "startedAt": "2024-03-15T15:30:00Z",
  "committedAt": "2024-03-15T15:30:05Z",
  "timeout": 30,
  "retryCount": 0,
  "verificationStatus": "{\"access_revoked\":true,\"sessions_terminated\":true,\"account_disabled\":true}",
  "isReversible": true,
  "priority": 999,
  "metadata": {
    "incident_id": "SEC-2024-156",
    "threat_level": "critical"
  }
}