Zero Trust Policy Engine
Status
Prototype
Maturity
Static policy model with decision table, interactive simulator, and GitHub repository
Evidence
Decision logic documented · Sanitized demo view · Interactive simulator · GitHub repository available on request
Next
Add live backend enforcement layer
Architecture
Problem Statement
Traditional perimeter-based access control assumes internal network location implies trust. Modern enterprise environments — remote work, SaaS, multi-cloud, contractor access, service-to-service calls — have no meaningful perimeter. Every access request, regardless of origin, must be evaluated against explicit policy conditions.
Policy Model
Access is granted only when all applicable conditions evaluate to true. Any single condition failure results in an explicit deny with a logged reason. The model covers both human and service account actors, with scope enforcement applying only to non-human identities.
Condition 1
Identity active
Account exists, is not disabled, and is not suspended in the directory
Condition 2
MFA satisfied
A valid second factor was presented and verified within the session
Condition 3
Role valid
The actor holds a role that grants access to the requested resource
Condition 4
Token valid
Presented access token is not expired, not revoked, and signature is valid
Condition 5
Risk acceptable
Risk score for this access context is below the configured threshold
Condition 6
Scope assigned
For service accounts: requested resource is within the assigned OAuth2 scope set
Decision Logic
// Policy evaluation (pseudocode)
ALLOW if:
identity_active == true
AND mfa_satisfied == true (humans only)
AND role_valid == true
AND token_valid == true
AND risk_score < threshold
AND scope_assigned == true (service accounts only)
DENY otherwise — log reason explicitly
Decision Table
This Zero Trust policy decision table documents six representative access scenarios — human and service account actors evaluated against the policy conditions above.
| Actor | Role | Resource | MFA | Token | Scope | Risk | Decision | Reason |
|---|---|---|---|---|---|---|---|---|
| Alice | Engineer | Admin API | No | Valid | N/A | Low | Denied | MFA not satisfied |
| Bob | Operator | Tenant Dashboard | Yes | Valid | N/A | Low | Allowed | All conditions met |
| Carol | Admin | User Directory | Yes | Valid | N/A | Low | Allowed | Full policy pass |
| ServiceBot | Service Account | Billing API | N/A | Valid | Missing | Low | Denied | Required scope not assigned |
| Legacy App | Service Account | SCIM API | N/A | Expired | Assigned | Low | Denied | Token expired |
| Contractor | External | Audit Logs | Yes | Valid | N/A | High | Denied | Risk score too high |
Policy Decision View — Sanitized Demo View
⚠Sanitized demo views — illustrative examples based on the documented policy model above.
Actor
Bob
Role
Operator
Resource
Tenant Dashboard
Conditions evaluated
- ✓ Identity active
- ✓ MFA satisfied
- ✓ Role valid
- ✓ Token valid
- ✓ Risk acceptable (Low)
- — Scope N/A (human actor)
resource=tenant_dashboard | risk=low
ts=2026-05-17T09:14:22Z
Actor
ServiceBot
Role
Service Account
Resource
Billing API
Conditions evaluated
- ✓ Identity active
- — MFA N/A (service account)
- ✓ Role valid
- ✓ Token valid
- ✓ Risk acceptable (Low)
- ✗ Scope assigned: MISSING
resource=billing_api | reason=scope_missing
ts=2026-05-17T09:14:55Z
Interactive Policy Simulator
This interactive policy simulator lets you toggle conditions and see decision outcomes update in real time. It is a front-end prototype — it illustrates the policy model documented above.
⚠Sanitized demo — no backend, no real enforcement. Front-end prototype only; demonstrates condition evaluation logic, not live access control.
Toggle conditions below to see decision outcomes in the panel on the right.
Click any condition to toggle it. All conditions must pass for access to be granted.
Policy Decision
ALLOW
Reason
All conditions satisfied
Audit event generated
yesresource=protected_resource | decision=allow
ts=2026-05-17T00:00:00Z
GitHub Repository
zero-trust-policy-engine
Policy model, condition evaluation logic, decision table, and interactive simulator prototype. Available on request.
Employer Value
Risk reduced
Excessive access, undetected anomalies
Operational value
Consistent, auditable access decisions across all identity types
IAM domain
Zero Trust architecture, policy enforcement, adaptive access
Seniority signal
Thinks in policies, not permissions
Evidence Roadmap
Policy model, decision table, sanitized demo views, interactive simulator, and GitHub repository are all documented. Next step is a live enforcement backend.
Policy model documentation
[ Documented above ]
Decision table
[ Documented above ]
Policy Decision View
[ Sanitized policy decision view added ]
Interactive simulator
[ Front-end prototype added ]
GitHub repository
[ Available on request ]