Protection Policies
Policies are reusable protection profiles assigned to protected operations.
Reusable profiles
A policy defines allowed roles, low/medium/high behavior, step-up challenge type, redaction fields, velocity controls, and other protection settings.
One policy can protect many operations. For example, Critical Financial Write Policy can protect payment_transaction.create and bank_account.update.
In the v1 assignment model, ProtectedOperation.policyId is the runtime pointer to the reusable policy. PolicyAssignment mirrors that relationship for environment-scoped assignment queries.
Versioning
Policy versions preserve the exact rules used for past decisions. Updating a policy publishes a new version and affects every assigned protected operation in that environment.
Basic and advanced mode
Basic mode shows operation name, operation key, action/resource, sensitivity, assigned policy, roles, decision routing, challenge, and redaction.
Advanced mode is intentionally hidden by default and exposes raw JSON, thresholds, velocity rules, and debugging fields.
Next steps