Authorization Policies
Managed Mode reference. You do not configure these policies. They require your service to send authorization and tenant evidence in context.
Trigger example (derived from the managed catalog)
These policies trigger when ASG does not receive required authorization/tenant evidence in context, or when the evidence indicates the actor is not allowed.
Example ActionKind where these policies apply: data.read
Common required context fields: account_id, actor_user_id, allowed_scopes, authz_decision, connector_id, current_roles, requested_change, requested_scopes, resource_tenant_id, session_user_id, tenant_id
Example decision
```json
{
  "status": "BLOCK",
  "decision_id": "dec_...",
  "reasons": [
    "Block cross-tenant access or mutations."
  ]
}
```
Resolution
Populate the required authorization and tenant evidence fields in context, then re-validate.

| Summary | Domain | Severity | Applies to | Required context | Remediation |
|---|---|---|---|---|---|
| Block cross-tenant access or mutations. | tenant | BLOCK | data.read, data.write, data.delete, data.export, data.share, admin.access | account_id, tenant_id, resource_tenant_id | Verify tenant scoping. Ensure all queries/actions are constrained to the requesting tenant. |
| Block privilege escalation and unauthorized role changes. | authorization | BLOCK | identity.role_change, identity.auth_change, admin.access, integrations.scope_change | actor_user_id, requested_change, current_roles, authz_decision | Require admin approval and audited change ticket. Validate actor permissions server-side. |
| Block actions when session identity/account mismatch is detected. | authorization | BLOCK | workflow.execute, data.write, money.refund, admin.access | session_user_id, account_id, actor_user_id | Re-authenticate and validate server-side identity. Investigate potential replay or token confusion. |
| Block scope expansions that increase permissions beyond allowed plan/policy. | authorization | BLOCK | integrations.scope_change, identity.auth_change | connector_id, requested_scopes, allowed_scopes | Reject escalations. Require admin approval and update allowlist/entitlements if justified. |
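
A pre-flight check a service could run before sending an action for validation, added here as an example; it is not ASG's SDK or code from this documentation. The policy data is copied from the table above, while the function names and the equality and subset comparisons in `local_findings` are assumptions about what contradictory evidence looks like.

```python
# Added example, not ASG's SDK. Policy data is copied from the table above;
# the comparison rules in local_findings() are assumptions for illustration.
POLICIES = [  # (summary, applies-to ActionKinds, required context fields)
    ("Block cross-tenant access or mutations.",
     {"data.read", "data.write", "data.delete", "data.export", "data.share", "admin.access"},
     ("account_id", "tenant_id", "resource_tenant_id")),
    ("Block privilege escalation and unauthorized role changes.",
     {"identity.role_change", "identity.auth_change", "admin.access", "integrations.scope_change"},
     ("actor_user_id", "requested_change", "current_roles", "authz_decision")),
    ("Block actions when session identity/account mismatch is detected.",
     {"workflow.execute", "data.write", "money.refund", "admin.access"},
     ("session_user_id", "account_id", "actor_user_id")),
    ("Block scope expansions that increase permissions beyond allowed plan/policy.",
     {"integrations.scope_change", "identity.auth_change"},
     ("connector_id", "requested_scopes", "allowed_scopes")),
]

def missing_evidence(action_kind, context):
    """Map each policy that applies to action_kind to the fields it still lacks."""
    gaps = {}
    for summary, kinds, required in POLICIES:
        if action_kind not in kinds:
            continue
        # Empty lists count as present: "no roles" is evidence, absence is not.
        missing = [f for f in required if context.get(f) in (None, "")]
        if missing:
            gaps[summary] = missing
    return gaps

def local_findings(context):
    """Assumed checks: evidence that is present but contradicts itself."""
    c, found = context, []
    if None not in (c.get("tenant_id"), c.get("resource_tenant_id")) \
            and c["tenant_id"] != c["resource_tenant_id"]:
        found.append("resource_tenant_id differs from tenant_id")
    if None not in (c.get("session_user_id"), c.get("actor_user_id")) \
            and c["session_user_id"] != c["actor_user_id"]:
        found.append("session_user_id differs from actor_user_id")
    req, allowed = c.get("requested_scopes"), c.get("allowed_scopes")
    if req is not None and allowed is not None:
        extra = sorted(set(req) - set(allowed))
        if extra:
            found.append("scopes outside allowlist: " + ", ".join(extra))
    return found

if __name__ == "__main__":
    ctx = {"account_id": "acct_1", "tenant_id": "t_a"}  # constructed sample
    print(missing_evidence("data.read", ctx))
    ctx["resource_tenant_id"] = "t_b"
    print(missing_evidence("data.read", ctx), local_findings(ctx))
```

Because `admin.access` appears in three rows of the table, an action of that kind needs the union of those rows' required fields, which the per-ActionKind lookup makes visible.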
Legal & Responsibility Notice
Summary
Informational only
Provided for general guidance. Not legal, compliance, security, or professional advice.
You control implementation
You are responsible for policies, prompts, integrations, workflows, and regulatory requirements.
Liability limitation
To the maximum extent permitted by law, the company disclaims liability for losses arising from use of this documentation or implementations based on it.