Tessera


RBAC / ABAC (policy-as-code)

Role-centric RBAC-A per NIST — the role sets the envelope, attributes only narrow it; SoD evaluated preventively and detectively.

Tessera blends the two NIST access-control models without picking a side. RBAC (INCITS 359) is simple and auditable; ABAC (SP 800-162) is flexible. The bridge the standard itself suggests, that “a role may be viewed as a subject attribute”, becomes role-centric RBAC-A: the role sets the permission envelope, and attribute rules may only narrow it, never widen it. When a subject's assignments change (the Mover case), the target set is recomputed and both grant = target - current and revoke = current - target are applied; an add-only update would silently accumulate privilege.

Authorization is expressed over NIST's four input categories: subject (with its roles), resource, action and environment. Roles and bindings live in `data`; the per-request facts arrive in `input`, which keeps the policy decision point separate from the enforcement point. Separation of Duties is a Rego matrix evaluated both at request time (preventive) and during periodic review sweeps (detective), so a forbidden role combination is refused at the moment it is exercised and is also surfaced by the sweep even if no request ever triggers it.
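The envelope-then-narrow evaluation, the SoD matrix on both the preventive and the detective path, and the grant/revoke reconciliation described in the two paragraphs above, as an added Python reference model that is not Tessera's code. Role names, permissions, subjects and the two constraint predicates are constructed for illustration; `DATA` plays the part of Rego `data` and the request dict the part of `input`.

```python
"""Reference PDP for role-centric RBAC-A (added example, not Tessera's code).

DATA stands in for what the page keeps in Rego `data` (roles, bindings, SoD
matrix); a request dict stands in for Rego `input` (subject, resource, action,
environment). All role names, permissions and subjects are constructed.
"""

# --- data: roles are the permission envelope; bindings map subjects to roles.
DATA = {
    "roles": {
        "payments_clerk":    {("invoice", "create"), ("invoice", "read")},
        "payments_approver": {("invoice", "approve"), ("invoice", "read")},
        "auditor":           {("invoice", "read"), ("ledger", "read")},
    },
    "bindings": {
        "alice": {"payments_clerk"},
        "bob":   {"payments_approver"},
        "carol": {"payments_clerk", "payments_approver"},  # forbidden pair
    },
    # Symmetric SoD matrix: sod_matrix[a][b] is True when a and b may not be
    # held by the same subject.
    "sod_matrix": {
        "payments_clerk":    {"payments_approver": True},
        "payments_approver": {"payments_clerk": True},
    },
}

# --- ABAC constraints: predicates over the request. They can veto, never grant.
def within_business_hours(req):
    return 9 <= req["environment"]["time_hour"] < 18

def same_tenant(req):
    return req["subject"]["tenant"] == req["resource"]["tenant"]

# Constraints each (resource type, action) must additionally satisfy.
CONSTRAINTS = {
    ("invoice", "approve"): [within_business_hours, same_tenant],
    ("invoice", "create"):  [same_tenant],
}

def make_request(subject, rtype, action, hour=10, resource_tenant="acme"):
    """Assemble the four NIST input categories for one request (constructed)."""
    return {
        "subject":     {"id": subject, "tenant": "acme"},
        "resource":    {"type": rtype, "tenant": resource_tenant},
        "action":      action,
        "environment": {"time_hour": hour},
    }

def role_envelope(roles, data=DATA):
    """Union of the permissions granted by the subject's roles."""
    return set().union(*(data["roles"].get(r, set()) for r in roles))

def sod_violations(roles, data=DATA):
    """Unordered role pairs in `roles` that the SoD matrix forbids together."""
    m = data["sod_matrix"]
    return {tuple(sorted((a, b))) for a in roles for b in roles if m.get(a, {}).get(b)}

def decide(req, data=DATA):
    """Preventive path: envelope first, then ABAC narrowing, then SoD."""
    roles = data["bindings"].get(req["subject"]["id"], set())
    perm = (req["resource"]["type"], req["action"])
    if perm not in role_envelope(roles, data):
        return False, "outside role envelope"
    for constraint in CONSTRAINTS.get(perm, []):  # only reached inside the envelope
        if not constraint(req):
            return False, "abac constraint failed: " + constraint.__name__
    if sod_violations(roles, data):
        return False, "separation of duties"
    return True, "allow"

def sod_review_sweep(data=DATA):
    """Detective path: the same matrix applied to every binding, not just the caller."""
    found = {s: sod_violations(r, data) for s, r in data["bindings"].items()}
    return {s: v for s, v in found.items() if v}

def reconcile(current, target):
    """Mover update: grant = target - current and revoke = current - target.
    An add-only update would compute only `grant` and accumulate privilege."""
    current, target = set(current), set(target)
    return {"grant": target - current, "revoke": current - target}

if __name__ == "__main__":
    print(decide(make_request("alice", "invoice", "create")))
    print(decide(make_request("bob", "invoice", "approve", hour=20)))
    print(decide(make_request("carol", "invoice", "approve")))
    print(sod_review_sweep())
    print(reconcile({"payments_clerk"}, {"auditor"}))
```

`decide` never consults a constraint until the role envelope has admitted the permission, so a constraint can only remove decisions, never add them; the detective `sod_review_sweep` reuses the same `sod_violations` helper as the request path, which is what keeps the preventive and detective verdicts consistent.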

Code

rego
# NIST four input categories: subject / resource / action / environment.
# ABAC constraints only NARROW the role-granted envelope (add-only would be a bug).
package authz

import rego.v1

# Environment-attribute constraint: satisfied only inside business hours.
abac_constraints contains "within_business_hours" if {
    input.environment.time_hour >= 9
    input.environment.time_hour < 18
}

# Separation of Duties as a Rego matrix — evaluated preventively (request
# time) and detectively (review sweeps). Each role of the pair is drawn
# independently from the subject's roles; `some a, b in roles` would bind
# the array index and the value instead of two roles.
sod_violation if {
    some a in input.subject.roles
    some b in input.subject.roles
    data.sod_matrix[a][b]
}

Standards it follows

Best practices applied

  • Use role-centric RBAC-A — the role is the envelope and ABAC may only narrow it; an add-only Mover is a bug.
  • Model NIST's four input categories — subject (+roles), resource, action, environment.
  • Encode Separation of Duties as a Rego matrix and evaluate it both preventively (request-time) and detectively (review sweeps).
  • Keep roles and bindings in `data` and per-request subject/resource/action/environment in `input` (clean PEP/PDP split).