Policy Evaluation Flow Diagram

This diagram shows the complete flow of how Alien Giraffe evaluates access requests, from initial authentication through policy matching, fallback evaluation, approval workflows, and final decision.

Complete Evaluation Flow

graph TD
    A[User Access Request] --> B[Authentication]
    B --> C{Authenticated?}
    C -->|No| D[Deny: Authentication Failed]
    C -->|Yes| E[Gather Context]
    E --> F[Search Matching Policies]
    F --> G{Policy Found?}
    G -->|Yes| H[Evaluate Policy Conditions]
    G -->|No| I[Check Fallback Policies]
    H --> J{Conditions Met?}
    J -->|Yes| K{Approval<br/>Required?}
    J -->|No| L[Deny: Policy Condition Failed]
    K -->|Yes| M[Request Approval]
    K -->|No| N[Grant Access]
    M -->|Approved| N
    M -->|Denied| L
    I --> O{Fallback Found?}
    O -->|Yes| P[Evaluate Fallback]
    O -->|No| Q[Deny: No Policy Match]
    P --> R{Fallback Allows?}
    R -->|No| Q
    R -->|Yes| S{Fallback Requires<br/>Approval?}
    S -->|No| N
    S -->|Yes| T[Request Approval]
    T -->|Approved| N
    T -->|Denied| Q
    N --> U[Audit Log: Granted]
    L --> V[Audit Log: Denied]
    Q --> V
    D --> V

Loading diagram...

Flow Explanation

Primary Path (Policy Match)

1. User Access Request → User initiates request for data access
2. Authentication → Verify user identity via SSO/IAM
3. Gather Context → Collect request details (user, resource, time, purpose, duration)
4. Search Matching Policies → Find policies that match the request criteria
5. Evaluate Policy Conditions → Check constraints, timeframes, and restrictions
6. Approval Required? → Determine if human approval is needed
7. Grant Access → Issue temporary credentials

Fallback Path (No Policy Match)

1. Check Fallback Policies → Search for applicable fallback (resource → namespace → global)
2. Evaluate Fallback → Check if fallback allows this request
3. Fallback Requires Approval? → Determine if fallback has human-in-the-loop approval
4. Request Approval → Route to appropriate approvers if required
5. Grant Access or Deny → Based on fallback and approval outcome

Approval Workflow

When approval is required (for either policies or fallbacks):

• Identify Approvers - Manager, data owner, security team, or custom roles
• Send Notification - Email, Slack, or portal notification
• Wait for Decision - With configurable timeout
• Escalate if Needed - After timeout threshold
• Apply Decision - Grant if approved, deny if rejected or timed out

Denial Points

Access can be denied at multiple stages:

• Authentication Failed - User identity cannot be verified
• Policy Condition Failed - Policy exists but conditions not met (wrong time, wrong context, etc.)
• No Policy Match - No policy or fallback covers this request
• Approval Denied - Human approver rejects the request
• Approval Timeout - No approval received within timeout period

Audit Logging

Every request is logged regardless of outcome:

• Granted: Policy/fallback used, approval flow (if any), credentials issued
• Denied: Denial reason, which stage failed, policies evaluated

Related Documentation

• Policy Evaluation & Fallback Handling - Full guide on policy evaluation
• Constraints - JIT access and approval workflows
• Monitoring & Auditing - View policy evaluation logs