AccessDecisionStrategy
Represents a strategy for combining multiple access control voters to make final authorization decisions in a multi-voter access control system. This entity defines how individual voter decisions (allow, deny, abstain) are aggregated into a final access decision, similar to Symfony's AccessDecisionManager or Spring Security's AccessDecisionVoter pattern. Strategies include affirmative (allow if any voter allows), consensus (allow if majority allows), unanimous (allow only if all voters allow), and custom decision logic.

The entity enables sophisticated access control scenarios where multiple factors (user permissions, resource ownership, time restrictions, IP location, business rules) are evaluated independently by voters and then combined according to the strategy. It supports use cases such as requiring both role-based permission AND resource ownership, allowing access during business hours OR from whitelisted IPs, and implementing defense-in-depth security through multiple independent checks.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| name | string | stored | Unique identifier for the strategy | Required |
| label | string | stored | Human-readable display name for the strategy | Required |
| description | string | stored | Detailed explanation of how this strategy combines voter decisions | Optional |
| strategy | string | stored | The decision-making strategy type | Required |
| allowOnTie | boolean | stored | For consensus strategy: whether to allow access when votes are tied (equal allow and deny votes) | Optional |
| allowOnAbstain | boolean | stored | Whether to allow access when all voters abstain (no definitive decision) | Optional |
| isDefault | boolean | stored | Whether this is the default strategy used when no specific strategy is configured | Optional |
| metadata | json | stored | Additional strategy configuration (custom logic rules, priority ordering, etc.) | Optional |
Examples
Example 1
{
"@type": "AccessDecisionStrategy",
"name": "affirmative",
"label": "Affirmative (Allow if Any Allows)",
"description": "Grants access if at least one voter votes to allow. Denies if all voters deny or abstain.",
"strategy": "affirmative",
"allowOnAbstain": false,
"isDefault": true
}
Example 2
{
"@type": "AccessDecisionStrategy",
"name": "unanimous",
"label": "Unanimous (Allow Only if All Allow)",
"description": "Grants access only if all voters vote to allow. Denies if any voter denies or all abstain.",
"strategy": "unanimous",
"allowOnAbstain": false,
"isDefault": false
}
Example 3
{
"@type": "AccessDecisionStrategy",
"name": "consensus",
"label": "Consensus (Allow if Majority Allows)",
"description": "Grants access if majority of voters allow. Uses allowOnTie to break ties.",
"strategy": "consensus",
"allowOnTie": false,
"allowOnAbstain": false,
"isDefault": false
}
Example 4
{
"@type": "AccessDecisionStrategy",
"name": "deny-unless-allow",
"label": "Deny Unless Allow (Default Deny)",
"description": "Denies access by default unless at least one voter explicitly allows. Most secure strategy.",
"strategy": "deny-unless-allow",
"allowOnAbstain": false,
"isDefault": false
}
Example 5
{
"@type": "AccessDecisionStrategy",
"name": "allow-unless-deny",
"label": "Allow Unless Deny (Default Allow)",
"description": "Allows access by default unless at least one voter explicitly denies. Least restrictive strategy.",
"strategy": "allow-unless-deny",
"allowOnAbstain": true,
"isDefault": false
}
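The following added example (not code from this schema's project) runs one set of voter results through the five strategy records above, so the effect of `strategy`, `allowOnTie` and `allowOnAbstain` can be compared side by side. The function names `decide` and `evaluate_all` are hypothetical. Two behaviours are assumptions the page does not spell out: an all-abstain or empty vote list is settled by `allowOnAbstain` for every strategy, and abstentions are ignored by `unanimous`.

```python
from collections import Counter

ALLOW, DENY, ABSTAIN = "allow", "deny", "abstain"

# Flag values copied from Examples 1-5 on this page.
STRATEGIES = {
    "affirmative":       {"strategy": "affirmative", "allowOnAbstain": False},
    "unanimous":         {"strategy": "unanimous", "allowOnAbstain": False},
    "consensus":         {"strategy": "consensus", "allowOnTie": False,
                          "allowOnAbstain": False},
    "deny-unless-allow": {"strategy": "deny-unless-allow", "allowOnAbstain": False},
    "allow-unless-deny": {"strategy": "allow-unless-deny", "allowOnAbstain": True},
}

def decide(record, votes):
    """Return True (grant) or False (deny) for one strategy record and a list of votes."""
    unknown = set(votes) - {ALLOW, DENY, ABSTAIN}
    if unknown:
        raise ValueError(f"unrecognised vote(s): {sorted(map(repr, unknown))}")
    counts = Counter(votes)
    allows, denies = counts[ALLOW], counts[DENY]
    # Assumption: no voters, or only abstentions, is decided by allowOnAbstain
    # for every strategy; a missing flag is treated as False (fail closed).
    if allows == 0 and denies == 0:
        return bool(record.get("allowOnAbstain", False))
    kind = record["strategy"]
    if kind in ("affirmative", "deny-unless-allow"):
        return allows > 0          # a single allow outweighs any number of denies
    if kind in ("unanimous", "allow-unless-deny"):
        return denies == 0         # assumption: abstentions are ignored here
    if kind == "consensus":
        if allows == denies:
            return bool(record.get("allowOnTie", False))
        return allows > denies
    raise ValueError(f"unknown strategy: {kind!r}")  # never fall through to allow

def evaluate_all(votes):
    """Run the same votes through every strategy record above."""
    return {name: decide(rec, votes) for name, rec in STRATEGIES.items()}

if __name__ == "__main__":
    # Constructed votes: role voter allows, ownership voter denies, IP voter abstains.
    for label, votes in [("role allow / owner deny", [ALLOW, DENY, ABSTAIN]),
                         ("all abstain", [ABSTAIN, ABSTAIN]),
                         ("no voters", [])]:
        print(label, evaluate_all(votes))
```

With the role voter allowing and the ownership voter denying, `affirmative` (the record marked `isDefault`) grants access, so a "permission AND ownership" requirement needs `unanimous` instead.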