# Policy Patterns

These patterns are aligned with KeyNetra policy parsing and decision priority behavior.
## Pattern 1: Explicit Admin Allow

```yaml
policies:
  - policy_id: allow-read-admin
    action: read
    effect: allow
    priority: 20
    conditions:
      role: admin
```

Use when a role should have stable baseline access.
## Pattern 2: Deny Override for High-Risk Context

```yaml
policies:
  - policy_id: deny-export-external
    action: export
    effect: deny
    priority: 100
    conditions:
      role: external
```

Use high-priority deny rules for risk boundaries.
## Pattern 3: Amount Guardrail

```yaml
policies:
  - policy_id: allow-approve-manager-low-value
    action: approve_payment
    effect: allow
    priority: 40
    conditions:
      role: manager
      max_amount: 10000
```

Pair with request payload context such as `amount` to enforce transaction limits.
## Pattern 4: Department Scope

```yaml
policies:
  - policy_id: allow-finance-read
    action: read_payment
    effect: allow
    priority: 30
    conditions:
      department: finance
```

Use contextual fields from the context payload for scoped permissions.
## Pattern 5: Progressive Rollout

- Create the policy in low-priority allow mode.
- Run `simulate-policy` for representative users/resources.
- Run `impact-analysis` to estimate changed decisions.
- Increase priority after validation.
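The rollout steps above (simulate, then measure changed decisions) in a small Python model, as an added example that is not KeyNetra's own evaluator. It assumes semantics this page does not spell out: a condition key must equal the request context value, except `max_amount`, which requires `amount` to be present and not above the limit; the highest-priority matching policy wins, deny wins a tie, and no match means deny. The `allow-export-sales` policy and the sample requests are constructed for the demo.

```python
"""Simulate KeyNetra-style policy decisions for representative requests.

Added example, not KeyNetra's evaluator. Assumed semantics (not stated on the
page): a condition key must equal the context value, except max_amount, which
matches when context["amount"] <= max_amount; the highest-priority match wins,
deny wins a tie, and no match means deny (default deny).
"""

# Policies from Patterns 1-4 above plus one constructed allow for the export demo.
POLICIES = [
    {"policy_id": "allow-read-admin", "action": "read", "effect": "allow",
     "priority": 20, "conditions": {"role": "admin"}},
    {"policy_id": "deny-export-external", "action": "export", "effect": "deny",
     "priority": 100, "conditions": {"role": "external"}},
    {"policy_id": "allow-approve-manager-low-value", "action": "approve_payment",
     "effect": "allow", "priority": 40,
     "conditions": {"role": "manager", "max_amount": 10000}},
    {"policy_id": "allow-finance-read", "action": "read_payment", "effect": "allow",
     "priority": 30, "conditions": {"department": "finance"}},
    {"policy_id": "allow-export-sales", "action": "export", "effect": "allow",
     "priority": 50, "conditions": {"department": "sales"}},  # constructed
]


def condition_matches(key, expected, context):
    """Compare one condition key against the request context (assumed semantics)."""
    if key == "max_amount":
        amount = context.get("amount")  # missing amount fails the guardrail
        return isinstance(amount, (int, float)) and amount <= expected
    return context.get(key) == expected


def decide(action, context, policies=POLICIES):
    """Return (effect, policy_id); ("deny", None) when no policy matches."""
    matches = [p for p in policies if p["action"] == action
               and all(condition_matches(k, v, context)
                       for k, v in p["conditions"].items())]
    if not matches:
        return "deny", None
    # Highest priority first; at equal priority a deny sorts ahead of an allow.
    winner = max(matches, key=lambda p: (p["priority"], p["effect"] == "deny"))
    return winner["effect"], winner["policy_id"]


def impact_analysis(old, new, requests):
    """Count requests whose decision changes between two policy sets."""
    return sum(decide(a, c, old)[0] != decide(a, c, new)[0] for a, c in requests)


if __name__ == "__main__":
    print(decide("export", {"role": "external", "department": "sales"}))
```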
## Validation Checklist

- Every rule has an explicit `action`, `effect`, and `priority`.
- `policy_id` or `policy_key` is stable for rollback/audit.
- Condition keys match request schema fields.
- Run `compile-policies` and `test-policy` before deployment.