Action domain

Access & Control Decisions

Records authentication and authorization decisions, privilege changes, and boundary enforcement events. DAR preserves evidence of the decision under a policy context—without interpreting user intent or risk.

Receipt moment

Issue a receipt at the authorization boundary: when access is granted, denied, challenged, elevated, or revoked.

issueReceipt({ actor: "system", action: "grant_access|deny_access|challenge|elevate|revoke", object: "resource|session|privilege", ref: "decision-id", policy: "policy-version-or-rule-id" })

Preserved fields

decision type · timestamp · policy reference · stable decision reference
Optional: hashed identity reference, resource tag, correlation reference
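
Added example (not DAR's own code): one way a gateway could assemble the issueReceipt payload at the authorization boundary so that every preserved field is present and the raw identity never enters the receipt. The helper names, the input field names (decisionId, userId, correlationId), the output names timestamp, identityRef, resourceTag and correlationRef, and the use of HMAC-SHA256 for the hashed identity reference are assumptions of this example.

```javascript
const { createHmac } = require("node:crypto");

// Values taken from the issueReceipt template on this page.
const ACTIONS = ["grant_access", "deny_access", "challenge", "elevate", "revoke"];
const OBJECTS = ["resource", "session", "privilege"];

// Keyed hash so the receipt carries a stable pseudonym, not the raw identity.
// HMAC-SHA256 is this example's choice; the page only says "hashed".
function hashIdentity(identity, key) {
  return createHmac("sha256", key).update(identity, "utf8").digest("hex");
}

// Build the receipt payload for one authorization decision.
// Throws instead of emitting a receipt that lacks a preserved field.
function buildAccessReceipt(decision, hmacKey, now = new Date()) {
  if (!ACTIONS.includes(decision.action)) throw new Error(`unknown action: ${decision.action}`);
  if (!OBJECTS.includes(decision.object)) throw new Error(`unknown object: ${decision.object}`);
  for (const field of ["decisionId", "policy"]) {
    if (typeof decision[field] !== "string" || decision[field] === "") {
      throw new Error(`missing required field: ${field}`);
    }
  }
  const receipt = {
    actor: "system",
    action: decision.action,
    object: decision.object,
    ref: decision.decisionId,       // stable decision reference
    policy: decision.policy,        // policy version or rule id
    timestamp: now.toISOString(),   // assumed field name
  };
  // Optional fields (assumed names); the raw user id is never copied in.
  if (decision.userId) receipt.identityRef = hashIdentity(decision.userId, hmacKey);
  if (decision.resourceTag) receipt.resourceTag = decision.resourceTag;
  if (decision.correlationId) receipt.correlationRef = decision.correlationId;
  return receipt;
}

// Constructed sample decision from a hypothetical access gateway.
const sample = buildAccessReceipt(
  { action: "deny_access", object: "resource", decisionId: "dec-0001",
    policy: "policy-v12", userId: "alice@example.com", resourceTag: "billing-db" },
  "example-key-not-for-production",
  new Date("2024-01-01T00:00:00Z")
);
console.log(sample);
```

The returned object is what would be passed to issueReceipt; the HMAC key belongs in the deployment's secret store, not in source.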

Common integration surfaces

Identity providers, access gateways, privileged access tools, zero-trust boundaries, and regulated enterprise systems.

Why this avoids “source of truth” liability

Platforms often get pulled into explaining why access was granted or denied. DAR enables a narrower, safer posture: prove the decision occurred under a specific policy/version, and leave interpretation and adjudication to the customer’s governance process.

Example events

mfa_challenged · access_denied · access_granted · privilege_elevated · privilege_revoked
