Entitlement Exception Mechanism
Status
Proposed - Trialing - Under review - Approved - Retired
Context & Scope
Typically, entitlements are strictly enforced, with no exceptions. In reality, all rules will have exceptions from time to time, so the entitlement mechanism must have a means of permitting them. Ideally, exceptions will be isolated.
Decision
There needs to be a clear mechanism by which exceptions to rules are implemented, either by implementing special-purpose, focused rules or through something else. Given a rule like "users from this country cannot access data with attribute Y", there needs to be a method of saying "except user A" or similar.
Rationale
Exceptions are conceptually different for operators: temporary or permanent, based on job role, business unit, or individual needs. They are likely to run on different lifecycles (e.g., a broad rule for a whole business unit doesn't change, but temporary exceptions are granted and revoked).
Consequences
This may mean defining a different kind of rule, or changing the execution order/precedence.
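One possible shape for such a mechanism, as an added sketch that is not part of this decision record or the project's code: exceptions are a separate record type with their own lifecycle (expiry, revocation), each bound to exactly one rule and one user, and can only override that rule. All class, field and identifier names, and the sample data, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical model: names and fields are assumptions, not the project's schema.
@dataclass(frozen=True)
class DenyRule:
    rule_id: str
    country: str          # users from this country ...
    data_attribute: str   # ... cannot access data with this attribute

@dataclass(frozen=True)
class RuleException:
    exception_id: str
    rule_id: str                    # bound to exactly one rule (isolation)
    user_id: str                    # "except user A"
    expires_at: Optional[datetime]  # None = permanent, otherwise temporary
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and (self.expires_at is None or now < self.expires_at)

def evaluate(user_id, country, data_attributes, rules, exceptions, now):
    """Return (allowed, reasons). Broad rules are matched first; an exception
    only cancels the single rule it names and never grants access by itself."""
    allowed, reasons = True, []
    for rule in rules:
        if rule.country != country or rule.data_attribute not in data_attributes:
            continue  # rule does not apply to this request
        exc = next((e for e in exceptions
                    if e.rule_id == rule.rule_id and e.user_id == user_id
                    and e.active(now)), None)
        if exc:
            reasons.append(f"{rule.rule_id} overridden by {exc.exception_id}")
        else:
            allowed = False
            reasons.append(f"{rule.rule_id} denied")
    return allowed, reasons

# Constructed sample data for illustration only.
NOW = datetime(2020, 7, 15, tzinfo=timezone.utc)
RULES = [DenyRule("R1", "XX", "Y"), DenyRule("R2", "XX", "Z")]
EXCEPTIONS = [
    RuleException("E1", "R1", "userA", datetime(2020, 8, 1, tzinfo=timezone.utc)),
    RuleException("E2", "R1", "userB", datetime(2020, 7, 1, tzinfo=timezone.utc)),  # already expired
]
```

The returned reasons name the exception that fired, so every override can be logged and reviewed separately from the broad rule it touches.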
When to revisit
In case of performance degradation.
Decision criteria and trade-offs
- Usability
- Maintainability
- Configurability
- Performance
Decision timeline
July 2020 - Proposed