PermissionConditionLink
Associates conditions with permissions, roles, or policies, creating dynamic authorization rules where access rights are contingent upon runtime condition evaluation. This junction entity bridges static permission definitions with dynamic conditions, enabling context-aware access control. Rather than granting permissions unconditionally, this link makes them dependent on specific circumstances being met. For example, linking 'delete_records' permission with 'business_hours' condition ensures deletion only occurs during monitored times. The entity supports multiple conditions per permission with complex boolean combinations (ALL must pass, ANY can pass, custom logic), weighted conditions where some are more important than others, and fallback chains where alternative conditions apply if primary ones fail. It handles condition precedence, determining which conditions to evaluate first for performance optimization, and short-circuit evaluation to skip unnecessary checks. The link can be temporary (conditions only apply during specific periods), progressive (different conditions at different trust levels), or contextual (different conditions in different environments). This mechanism enables sophisticated scenarios like escalating approval requirements based on risk, time-based permission activation for temporary access, and compliance rules that overlay business permissions. The entity maintains evaluation history for audit purposes and performance metrics for optimization.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| linkId | uuid | stored | Unique identifier for this condition link | Required |
| targetType | string | enum | Type of entity this condition is linked to Values: | Required |
| targetId | string | stored | ID of the linked entity | Required |
| conditionId | uuid | stored | The condition being linked | Required |
| linkType | string | enum | Nature of the link Values: | Optional |
| evaluationOrder | integer | stored | Order in which this condition is evaluated | Optional |
| combineOperator | string | enum | How to combine with other conditions Values: | Optional |
| customLogic | string | stored | Custom combination logic if operator is CUSTOM | Optional |
| weight | number | stored | Importance weight for weighted evaluation | Optional |
| shortCircuit | boolean | stored | Whether to stop evaluation if this condition fails | Optional |
| mandatory | boolean | stored | Whether this condition must be evaluated | Optional |
| scope | string | stored | Context where this link applies Example: | Optional |
| parameters | string | stored | JSON parameters passed to condition Example: | Optional |
| overrideValues | string | stored | JSON values that override condition defaults | Optional |
| fallbackConditionId | uuid | stored | Alternative condition if primary fails | Optional |
| negateResult | boolean | stored | Whether to invert the condition result | Optional |
| validFrom | DateTime | stored | When this link becomes active | Optional |
| validUntil | DateTime | stored | When this link expires | Optional |
| evaluationCount | integer | stored | Number of times evaluated | Optional |
| successCount | integer | stored | Number of successful evaluations | Optional |
| failureCount | integer | stored | Number of failed evaluations | Optional |
| avgEvaluationTime | number | stored | Average milliseconds for evaluation | Optional |
| lastEvaluatedAt | DateTime | stored | Last evaluation timestamp | Optional |
| isActive | boolean | stored | Whether this link is active | Optional |
| createdBy | User | stored | Who created this link | Optional |
| createdAt | DateTime | stored | When link was created | Required |
| metadata | object | stored | Additional link configuration | Optional |
Examples
Example 1
{
  "@type": "PermissionConditionLink",
  "linkId": "link_001",
  "targetType": "permission",
  "targetId": "perm_delete_records",
  "conditionId": "cond_business_hours",
  "linkType": "required",
  "evaluationOrder": 1,
  "combineOperator": "AND",
  "weight": 1,
  "shortCircuit": true,
  "mandatory": true,
  "scope": "production",
  "parameters": "{\"timezone\":\"America/New_York\",\"include_holidays\":false}",
  "negateResult": false,
  "evaluationCount": 1523,
  "successCount": 1245,
  "failureCount": 278,
  "avgEvaluationTime": 12.5,
  "lastEvaluatedAt": "2024-03-15T14:30:00Z",
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "business_justification": "Prevent accidental deletions outside monitored hours",
    "compliance_requirement": "SOX-404"
  }
}
Example 2
{
  "@type": "PermissionConditionLink",
  "linkId": "link_002",
  "targetType": "role",
  "targetId": "role_financial_approver",
  "conditionId": "cond_amount_limit",
  "linkType": "restricting",
  "evaluationOrder": 2,
  "combineOperator": "AND",
  "weight": 0.8,
  "shortCircuit": false,
  "mandatory": true,
  "parameters": "{\"max_amount\":50000,\"currency\":\"USD\",\"check_budget\":true}",
  "overrideValues": "{\"escalation_threshold\":40000}",
  "fallbackConditionId": "cond_request_approval",
  "negateResult": false,
  "validFrom": "2024-01-01T00:00:00Z",
  "validUntil": "2024-12-31T23:59:59Z",
  "evaluationCount": 892,
  "successCount": 756,
  "failureCount": 136,
  "avgEvaluationTime": 25.3,
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "annual_review_required": true,
    "auto_adjust_for_inflation": true
  }
}
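One way to evaluate the links attached to a single target, as an added example that is not part of the schema or any reference implementation. The evaluation rules are assumptions layered on the property descriptions above; the function names, the `"OR"` operator value and the condition callables are hypothetical.

```python
import json
from datetime import datetime

def _ts(s):  # ISO-8601 with trailing "Z", as in the page's examples
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def applies(link, now, scope):
    return (link.get("isActive", True) and link.get("scope", scope) == scope
            and ("validFrom" not in link or _ts(link["validFrom"]) <= now)
            and ("validUntil" not in link or now <= _ts(link["validUntil"])))

def eval_link(link, conditions, ctx):
    params = {**json.loads(link.get("parameters", "{}")),
              **json.loads(link.get("overrideValues", "{}"))}
    def run(cid):
        try:
            return bool(conditions[cid](ctx, params))
        except Exception:
            return None  # unknown condition id or evaluation error
    ok = run(link["conditionId"])
    if ok is not None and link.get("negateResult"):
        ok = not ok  # an error (None) is never negated into a pass
    if not ok and link.get("fallbackConditionId"):
        ok = run(link["fallbackConditionId"])
    return ok is True  # anything but a clean True is a denial

def authorize(links, conditions, ctx, now, scope):
    todo = sorted((l for l in links if applies(l, now, scope)),
                  key=lambda l: l.get("evaluationOrder", 0))
    result, trace = True, []  # assumption: no applicable link leaves the target unconditional
    for i, link in enumerate(todo):
        ok = eval_link(link, conditions, ctx)
        trace.append((link["linkId"], ok))  # evaluation history for audit
        if not ok and link.get("shortCircuit"):
            return False, trace
        if i == 0:
            result = ok
        elif link.get("combineOperator", "AND") == "OR":  # "OR" is an assumed value
            result = result or ok
        else:  # AND, and anything unrecognised, takes the stricter path
            result = result and ok
    return result, trace

# Constructed sample: Example 2's link, trimmed, with made-up condition functions.
LINK = {"linkId": "link_002", "conditionId": "cond_amount_limit",
        "parameters": '{"max_amount":50000}', "fallbackConditionId": "cond_request_approval",
        "validUntil": "2024-12-31T23:59:59Z"}
CONDS = {"cond_amount_limit": lambda ctx, p: ctx["amount"] <= p["max_amount"],
         "cond_request_approval": lambda ctx, p: bool(ctx.get("approved_by"))}
```

Under these assumptions a link outside its `validFrom`/`validUntil` window is skipped, so a lapsed restricting link stops constraining its target; pass `now` as a timezone-aware `datetime`.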