Access policies

Attribute-based access control layered over entitlement grants. A subject needs a grant to act at all; any matching deny policy wins; where an allow policy claims a scope, its conditions must match. Policies are bitemporal — this screen shows the set in force at the snapshot below.

Viewing the current state

valid2026-05-19 23:05:58 system2026-05-19 23:05:58

Valid time — business effective date

System time — when the record was known

Active policies

in force at this snapshot

Allow rules

condition-gated permits

Deny rules

override every allow

Subjects governed

named across all policies

Policy catalogue

2 of 2 policyies

Effect	Policy	Subject	Scope	Action	Conditions
deny	deny-usd-instruments-api-20260519213907 Deny USD instruments 20260519213907	abac-api-20260519213907	instrument	read	1 rule
deny	smoke-abac-policy-20260519204017607 Smoke ABAC policy	smoke-abac-subject-20260519204017607	instrument	read	1 rule

Access simulator

Evaluate a request against grants & ABAC

Acting subject Simulated — does not change who you are acting as.

Entity type

Action

Record optional

Property optional

Request context

No context attributes. Add request-time facts such as region or mfa that policies test via context.<key>.

Decision order: the subject must hold an entitlement grant; any matching deny wins; a matching allow must satisfy every condition.