flex-auth/examples/caring/redact_policy_package.md
tegwick 18054bd160
Add CARING examples and coverage
2026-05-17 06:05:18 +02:00
---
id: markitect.documents.mask-pii
name: Markitect masked PII read
namespace: markitect:document
version: v1
status: draft
package: flexauth.markitect.redact
actions:
  - read
owner: team:project-reviewers
caring:
  profile: caring-0.4.0-rc2
  enforce: false
  canonical_roles:
    - Verifier
  organization_relations:
    - Customer
  scopes:
    - level: Resource
      id: document:alpha-plan
      tenant: tenant:alpha
  planes:
    - Data
  capabilities:
    - View
    - Mask
  exposure_modes:
    - Masked
  conditions:
    - Logged
  restrictions:
    - ExportBlocked
metadata:
  source: examples/caring/redact_policy_package.md
---
# Markitect Masked PII Read
This package returns a redaction decision when a verifier may inspect a
document only through masked fields. Any request the rule does not match falls
through to the default deny decision.
## Rules
```rego
# Package name matches the `package:` field in the front matter; the tests
# import this module as data.flexauth.markitect.redact.
package flexauth.markitect.redact

import future.keywords.if
import future.keywords.in

# Fail closed: every request the rule below does not match is denied.
default decision := {"effect": "deny", "reason": "no_matching_rule"}

# Redact instead of deny when a Masked-exposure reader holding the Mask
# capability reads document:alpha-plan. The obligation tells the enforcement
# point which fields to mask before the document is returned.
decision := {
    "effect": "redact",
    "reason": "masked_pii",
    "obligations": [{
        "type": "mask_fields",
        "parameters": {"fields": ["email", "phone"]}
    }]
} if {
    input.action == "read"
    input.resource.id == "document:alpha-plan"
    "Mask" in input.caring_context.capabilities
    "Masked" in input.caring_context.exposure_modes
}
```
## Tests
```rego test
package flexauth.markitect.redact_test

import future.keywords.if

import data.flexauth.markitect.redact

# Positive case matching the fixture below: a Masked-exposure reader with the
# Mask capability receives a redact decision rather than a deny.
test_masked_reader_gets_redaction if {
    redact.decision.effect == "redact" with input as {
        "action": "read",
        "resource": {"id": "document:alpha-plan"},
        "caring_context": {
            "capabilities": ["View", "Mask"],
            "exposure_modes": ["Masked"]
        }
    }
}
```
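The test above covers only the positive path. The following Python script is an added example, not part of the flex-auth package: it mirrors the Rego rule in plain code, exercises the default-deny path for a reader missing the `Mask` capability or the `Masked` exposure mode, and shows what a hypothetical enforcement point has to do with the `mask_fields` obligation before handing the document back. The `decide`, `mask_fields` and `enforce` functions, the sample document and the `"Full"` exposure mode in the third request are constructed for this example and do not exist in the project.

```python
from copy import deepcopy

# Decision returned when no rule matches (same shape as the Rego default).
DEFAULT_DECISION = {"effect": "deny", "reason": "no_matching_rule"}


def decide(request):
    """Mirror of the Rego rule: a Masked-exposure reader holding the Mask
    capability who reads document:alpha-plan gets a redact decision carrying
    a mask_fields obligation; every other request falls through to deny."""
    ctx = request.get("caring_context", {})
    if (
        request.get("action") == "read"
        and request.get("resource", {}).get("id") == "document:alpha-plan"
        and "Mask" in ctx.get("capabilities", [])
        and "Masked" in ctx.get("exposure_modes", [])
    ):
        return {
            "effect": "redact",
            "reason": "masked_pii",
            "obligations": [
                {"type": "mask_fields", "parameters": {"fields": ["email", "phone"]}}
            ],
        }
    return dict(DEFAULT_DECISION)


def mask_fields(document, fields, placeholder="***"):
    """Return a copy of the document with the named fields replaced by a
    placeholder. The original is left untouched so the masked view can never
    leak back into the stored record."""
    masked = deepcopy(document)
    for field in fields:
        if field in masked:
            masked[field] = placeholder
    return masked


def enforce(request, document):
    """Hypothetical enforcement point: returns None on deny, otherwise the
    document with every obligation applied. An obligation type the PEP does
    not understand is an error (fail closed), because silently skipping it
    would turn a redact decision into unrestricted access."""
    decision = decide(request)
    if decision["effect"] == "deny":
        return None
    if decision["effect"] != "redact":
        raise ValueError(f"unsupported effect: {decision['effect']}")
    view = document
    for obligation in decision.get("obligations", []):
        if obligation["type"] != "mask_fields":
            raise ValueError(f"unsupported obligation: {obligation['type']}")
        view = mask_fields(view, obligation["parameters"]["fields"])
    return view


# Constructed sample inputs (not from the page): the first matches the fixture,
# the second is the same reader without the Mask capability, the third has the
# capability but a constructed "Full" exposure mode instead of Masked.
MASKED_REQUEST = {
    "action": "read",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": {"capabilities": ["View", "Mask"], "exposure_modes": ["Masked"]},
}
VIEW_ONLY_REQUEST = {
    "action": "read",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": {"capabilities": ["View"], "exposure_modes": ["Masked"]},
}
UNMASKED_REQUEST = {
    "action": "read",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": {"capabilities": ["View", "Mask"], "exposure_modes": ["Full"]},
}
# Constructed sample document with two PII fields and one non-PII field.
SAMPLE_DOCUMENT = {
    "title": "Alpha plan",
    "email": "owner@example.com",
    "phone": "+1-555-0100",
}

if __name__ == "__main__":
    print(decide(MASKED_REQUEST))
    print(enforce(MASKED_REQUEST, SAMPLE_DOCUMENT))
    print(enforce(VIEW_ONLY_REQUEST, SAMPLE_DOCUMENT))
```

The point of `enforce` is that a redact decision is only as strong as the obligation handling behind it: the enforcement point must refuse to serve the document if it cannot honour an obligation, and must mask a copy rather than the stored record.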
## Fixtures
```yaml fixture
id: fixture:masked-pii-redact
request:
  id: check:masked-pii
  subject:
    id: user:bob
    type: Human
    tenant: tenant:alpha
  action: read
  resource:
    id: document:alpha-plan
    type: document
    system: markitect-tool
    tenant: tenant:alpha
  caring_context:
    id: descriptor:tenant-alpha-masked-pii-reviewer
    profile: caring-0.4.0-rc2
    subject_type: Human
    organization_relation: Customer
    canonical_role: Verifier
    scope:
      level: Resource
      id: document:alpha-plan
      tenant: tenant:alpha
      resource: document:alpha-plan
    planes:
      - Data
    capabilities:
      - View
      - Mask
    exposure_modes:
      - Masked
    conditions:
      - Logged
    restrictions:
      - ExportBlocked
expect:
  effect: redact
  reason: masked_pii
  obligations:
    - type: mask_fields
      parameters:
        fields:
          - email
          - phone
```