← Back to portfolio

Zero Trust Policy Engine

Status

Prototype

Maturity

Static policy model with decision table, interactive simulator, and GitHub repository

Evidence

Decision logic documented · Sanitized demo view · Interactive simulator · GitHub repository available on request

Next

Add live backend enforcement layer

Architecture

Actor
Policy Engine
Conditions Check
Allow / Deny Decision
Audit Log

Problem Statement

Traditional perimeter-based access control assumes internal network location implies trust. Modern enterprise environments — remote work, SaaS, multi-cloud, contractor access, service-to-service calls — have no meaningful perimeter. Every access request, regardless of origin, must be evaluated against explicit policy conditions.

Policy Model

Access is granted only when all applicable conditions evaluate to true. Any single condition failure results in an explicit deny with a logged reason. The model covers both human and service account actors, with scope enforcement applying only to non-human identities.

Condition 1

Identity active

Account exists, is not disabled, and is not suspended in the directory

Condition 2

MFA satisfied

A valid second factor was presented and verified within the session

Condition 3

Role valid

The actor holds a role that grants access to the requested resource

Condition 4

Token valid

Presented access token is not expired, not revoked, and signature is valid

Condition 5

Risk acceptable

Risk score for this access context is below the configured threshold

Condition 6

Scope assigned

For service accounts: requested resource is within the assigned OAuth2 scope set

Decision Logic

// Policy evaluation (pseudocode)

ALLOW if:

identity_active == true

AND mfa_satisfied == true (humans only)

AND role_valid == true

AND token_valid == true

AND risk_score < threshold

AND scope_assigned == true (service accounts only)

DENY otherwise — log reason explicitly

Decision Table

This Zero Trust policy decision table documents six representative access scenarios — human and service account actors evaluated against the policy conditions above.

Zero Trust policy decision table — six actors with conditions evaluated and final allow/deny decision
ActorRoleResourceMFATokenScopeRiskDecisionReason
AliceEngineerAdmin APINoValidN/ALowDeniedMFA not satisfied
BobOperatorTenant DashboardYesValidN/ALowAllowedAll conditions met
CarolAdminUser DirectoryYesValidN/ALowAllowedFull policy pass
ServiceBotService AccountBilling APIN/AValidMissingLowDeniedRequired scope not assigned
Legacy AppService AccountSCIM APIN/AExpiredAssignedLowDeniedToken expired
ContractorExternalAudit LogsYesValidN/AHighDeniedRisk score too high

Policy Decision View — Sanitized Demo View

Sanitized demo views — illustrative examples based on the documented policy model above.

Decision: ALLOWEDSANITIZED DEMO VIEW

Actor

Bob

Role

Operator

Resource

Tenant Dashboard

Conditions evaluated

  • ✓ Identity active
  • ✓ MFA satisfied
  • ✓ Role valid
  • ✓ Token valid
  • ✓ Risk acceptable (Low)
  • — Scope N/A (human actor)
access.granted | actor=bob | role=operator
resource=tenant_dashboard | risk=low
ts=2026-05-17T09:14:22Z
Decision: DENIEDSANITIZED DEMO VIEW

Actor

ServiceBot

Role

Service Account

Resource

Billing API

Conditions evaluated

  • ✓ Identity active
  • — MFA N/A (service account)
  • ✓ Role valid
  • ✓ Token valid
  • ✓ Risk acceptable (Low)
  • ✗ Scope assigned: MISSING
access.denied | actor=servicebot | role=svc_account
resource=billing_api | reason=scope_missing
ts=2026-05-17T09:14:55Z

Interactive Policy Simulator

This interactive policy simulator lets you toggle conditions and see decision outcomes update in real time. It is a front-end prototype — it illustrates the policy model documented above.

Sanitized demo — no backend, no real enforcement. Front-end prototype only; demonstrates condition evaluation logic, not live access control.

Policy EvaluationSANITIZED DEMO

Toggle conditions below to see decision outcomes in the panel on the right.

Click any condition to toggle it. All conditions must pass for access to be granted.

Policy Decision

ALLOW

Reason

All conditions satisfied

Audit event generated

yes
access.granted | actor=demo-user
resource=protected_resource | decision=allow
ts=2026-05-17T00:00:00Z

GitHub Repository

zero-trust-policy-engine

Policy model, condition evaluation logic, decision table, and interactive simulator prototype. Available on request.

GitHub — available on request

Employer Value

Risk reduced

Excessive access, undetected anomalies

Operational value

Consistent, auditable access decisions across all identity types

IAM domain

Zero Trust architecture, policy enforcement, adaptive access

Seniority signal

Thinks in policies, not permissions

Evidence Roadmap

Policy model, decision table, sanitized demo views, interactive simulator, and GitHub repository are all documented. Next step is a live enforcement backend.

Policy model documentation

[ Documented above ]

Decision table

[ Documented above ]

Policy Decision View

[ Sanitized policy decision view added ]

Interactive simulator

[ Front-end prototype added ]

GitHub repository

[ Available on request ]