as4-411/docs/adr/003-policy-engine-abac.md
defiQUG c24ae925cf
Initial commit: AS4/411 directory and discovery service for Sankofa Marketplace
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-08 08:44:20 -08:00


# ADR-003: Policy Engine Model (ABAC)
## Status
Accepted.
## Context
Resolution must respect tenant scope and allow/deny rules using an attribute-based model.
## Decision
### Model
- Policies are stored per tenant with rule_json (ABAC attributes), effect (allow/deny), and priority.
- Tenant is enforced by restricting resolution to that tenant when request.tenant is set.
### MVP Rule Shape
- Deny: the participants named in rule_json.participantId or rule_json.participantIds are excluded from the result.
- Allow (restrictive): if any allow policy exists for the tenant, only the participants named in those policies' rule_json.participantId/participantIds are included.
### Ordering
- Deny is applied first, then the allow restriction. Policies are loaded per tenant and ordered by priority.
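The tenant-scoped, deny-then-allow resolution described above, as an added Python example that is not the project's own code. The participant and policy dictionary shapes, the priority direction (higher first) and the behaviour when request.tenant is unset are assumptions.

```python
# Added example, not the project's code. Assumed shapes: participant =
# {"id", "tenant"}; policy = {"tenant", "effect", "priority", "rule_json"}.

def rule_participants(rule_json: dict) -> set:
    """Participants named by an MVP rule: participantId and/or participantIds."""
    ids = set()
    if rule_json.get("participantId") is not None:
        ids.add(rule_json["participantId"])
    ids.update(rule_json.get("participantIds") or [])
    return ids

def load_policies(policies: list, tenant: str) -> list:
    """Policies of one tenant ordered by priority (assumed: higher first)."""
    return sorted((p for p in policies if p["tenant"] == tenant),
                  key=lambda p: p["priority"], reverse=True)

def resolve(participants: list, policies: list, request: dict) -> list:
    """Tenant scope, then deny, then restrictive allow (ADR-003 ordering)."""
    tenant = request.get("tenant")
    if tenant is None:  # ADR only specifies the case where tenant is set (assumption)
        return list(participants)
    scoped = [p for p in participants if p["tenant"] == tenant]
    active = load_policies(policies, tenant)
    denied, allowed, has_allow = set(), set(), False
    for pol in active:
        if pol["effect"] == "deny":
            denied |= rule_participants(pol["rule_json"])
        elif pol["effect"] == "allow":
            has_allow = True
            allowed |= rule_participants(pol["rule_json"])
    result = [p for p in scoped if p["id"] not in denied]  # deny is applied first
    if has_allow:  # any allow policy makes the allow list restrictive
        result = [p for p in result if p["id"] in allowed]
    return result

# Constructed sample data, not from the project.
PARTICIPANTS = [{"id": "p1", "tenant": "acme"}, {"id": "p2", "tenant": "acme"},
                {"id": "p3", "tenant": "acme"}, {"id": "p9", "tenant": "other"}]
POLICIES = [
    {"tenant": "acme", "effect": "deny", "priority": 10, "rule_json": {"participantId": "p2"}},
    {"tenant": "acme", "effect": "allow", "priority": 5, "rule_json": {"participantIds": ["p1", "p2"]}},
    {"tenant": "other", "effect": "allow", "priority": 1, "rule_json": {"participantId": "p9"}},
]

def resolved_ids(request: dict) -> list:
    """Ids of participants the request may resolve, in catalogue order."""
    return [p["id"] for p in resolve(PARTICIPANTS, POLICIES, request)]
```

With the sample data, p2 is named by both a deny and an allow policy and is excluded, which is the deny-first ordering the ADR specifies.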
## Consequences
- Simple allow/deny by participant supported; ABAC can be extended via rule_json and filter logic.