---
id: markitect.documents.mask-pii
name: Markitect masked PII read
namespace: markitect:document
version: v1
status: draft
package: flexauth.markitect.redact
actions:
  - read
owner: team:project-reviewers
caring:
  profile: caring-0.4.0-rc2
  enforce: false
  canonical_roles:
    - Verifier
  organization_relations:
    - Customer
  scopes:
    - level: Resource
      id: document:alpha-plan
      tenant: tenant:alpha
  planes:
    - Data
  capabilities:
    - View
    - Mask
  exposure_modes:
    - Masked
  conditions:
    - Logged
  restrictions:
    - ExportBlocked
metadata:
  source: examples/caring/redact_policy_package.md
---

# Markitect Masked PII Read

This package returns a `redact` decision when a verifier may inspect a document only through masked fields: the request must be a `read` of `document:alpha-plan`, and the caller's caring context must carry both the `Mask` capability and the `Masked` exposure mode. The decision includes a `mask_fields` obligation naming the fields the enforcement point must mask (`email`, `phone`) before returning the document. Any request that does not satisfy every condition falls through to the default `deny` with reason `no_matching_rule`.

## Rules

```rego
import future.keywords.if
import future.keywords.in

# Fail closed: anything the redact rule below does not match is denied.
default decision := {"effect": "deny", "reason": "no_matching_rule"}

decision := {
  "effect": "redact",
  "reason": "masked_pii",
  "obligations": [{
    "type": "mask_fields",
    "parameters": {"fields": ["email", "phone"]}
  }]
} if {
  input.action == "read"
  input.resource.id == "document:alpha-plan"
  "Mask" in input.caring_context.capabilities
  "Masked" in input.caring_context.exposure_modes
}
```

## Tests

```rego test
package flexauth.markitect.redact_test

import future.keywords.if
import data.flexauth.markitect.redact

test_masked_reader_gets_redaction if {
  redact.decision.effect == "redact" with input as {
    "action": "read",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": {
      "capabilities": ["View", "Mask"],
      "exposure_modes": ["Masked"]
    }
  }
}
```

## Fixtures

```yaml fixture
id: fixture:masked-pii-redact
request:
  id: check:masked-pii
  subject:
    id: user:bob
    type: Human
    tenant: tenant:alpha
  action: read
  resource:
    id: document:alpha-plan
    type: document
    system: markitect-tool
    tenant: tenant:alpha
  caring_context:
    id: descriptor:tenant-alpha-masked-pii-reviewer
    profile: caring-0.4.0-rc2
    subject_type: Human
    organization_relation: Customer
    canonical_role: Verifier
    scope:
      level: Resource
      id: document:alpha-plan
      tenant: tenant:alpha
      resource: document:alpha-plan
    planes:
      - Data
    capabilities:
      - View
      - Mask
    exposure_modes:
      - Masked
    conditions:
      - Logged
    restrictions:
      - ExportBlocked
expect:
  effect: redact
  reason: masked_pii
  obligations:
    - type: mask_fields
      parameters:
        fields:
          - email
          - phone
```
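The test above only exercises the positive path. The property a reviewer of this package actually cares about is that the rule fails closed: a caller who has `View` but not `Mask`, who has `Mask` but no `Masked` exposure mode, or who targets a different document must get the default `deny` and no `mask_fields` obligation. The following tests are an added example, not part of the original package; they assume the rules are loaded under the package `flexauth.markitect.redact` that the front matter declares (so `opa test` can pick them up beside the existing test file) and use constructed inputs that mirror the fixture's shape.

```rego
package flexauth.markitect.redact_test

import future.keywords.if
import data.flexauth.markitect.redact

# Constructed request that satisfies every condition of the redact rule.
# It mirrors the fixture's caring_context but carries only the fields the
# policy reads; the tenant, scope and restrictions are not evaluated by it.
masked_reader := {
  "action": "read",
  "resource": {"id": "document:alpha-plan"},
  "caring_context": {
    "capabilities": ["View", "Mask"],
    "exposure_modes": ["Masked"]
  }
}

# The positive path must also carry the obligation the enforcement point needs.
test_redact_decision_carries_mask_fields_obligation if {
  d := redact.decision with input as masked_reader
  d.effect == "redact"
  d.reason == "masked_pii"
  count(d.obligations) == 1
  d.obligations[0].type == "mask_fields"
  d.obligations[0].parameters.fields == ["email", "phone"]
}

# View alone is not enough: without the Mask capability the default applies.
test_view_only_reader_is_denied if {
  d := redact.decision with input as {
    "action": "read",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": {
      "capabilities": ["View"],
      "exposure_modes": ["Masked"]
    }
  }
  d.effect == "deny"
  d.reason == "no_matching_rule"
  not d.obligations
}

# The capability alone is not enough either: the Masked exposure mode is a
# separate precondition, so a descriptor that omits it is denied.
test_mask_capability_without_masked_exposure_is_denied if {
  d := redact.decision with input as {
    "action": "read",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": {
      "capabilities": ["View", "Mask"],
      "exposure_modes": []
    }
  }
  d.effect == "deny"
  d.reason == "no_matching_rule"
}

# The rule is pinned to one resource id; any other document is denied even
# for a fully entitled masked reader.
test_other_document_is_denied if {
  d := redact.decision with input as {
    "action": "read",
    "resource": {"id": "document:beta-plan"},
    "caring_context": masked_reader.caring_context
  }
  d.effect == "deny"
}

# A non-read action is denied regardless of the caring context.
test_write_action_is_denied if {
  d := redact.decision with input as {
    "action": "write",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": masked_reader.caring_context
  }
  d.effect == "deny"
}
```

Run with `opa test` over the rules file and both test files. Note what these tests make visible: the rule never reads `input.caring_context.scope`, `tenant`, `conditions` or `restrictions`, so `Logged` and `ExportBlocked` are carried in the fixture for the enforcement point and are not enforced by this package; with `enforce: false` in the front matter, the caring profile is advisory here, and any tenant or scope check must live elsewhere.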