Policy engine
The policy engine controls who can access what, when, and under what conditions. Policies are the primary tool for enforcing least privilege in VaultPAM.
What policies cover
VaultPAM policies are access control rules that can:
- Allow or deny access to a Safe or resource based on user, role, or group
- Restrict access by time of day (for example, no access outside business hours)
- Require approval before a session or credential checkout proceeds
- Grant Just-in-Time (JIT) access that expires automatically after a set duration
- Require MFA as a condition for access, even if MFA is not enforced globally
Who should read this section
This section is written for Org Admins and Policy Managers who are responsible for designing and maintaining the access control posture of the organisation.
Concepts
Policies in VaultPAM are attached to Safes. A Safe without a policy falls back to the default: access is restricted to Safe members only. Policies add conditions on top of membership.
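The evaluation order that paragraph implies (membership first, then each policy condition as a further narrowing) is easy to get wrong when several conditions are combined, so here is a small Python model of it. This is an added illustration, not VaultPAM's own code or API; the names `Policy`, `Safe`, `AccessRequest` and `evaluate`, and the sample Safe data, are assumptions constructed for the example. It covers the five condition kinds listed above: role/group allow and deny, business hours, approval, JIT expiry and per-policy MFA.

```python
"""Toy model of Safe membership plus layered policy conditions.

Constructed example: the data model and function names are assumptions
for illustration only, not VaultPAM's API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional, Set, Tuple


@dataclass
class Policy:
    """Conditions layered on top of Safe membership (one of each kind the page lists)."""
    allowed_roles: Set[str] = field(default_factory=set)   # empty set = any role
    denied_roles: Set[str] = field(default_factory=set)    # explicit deny wins over allow
    business_hours: Optional[Tuple[time, time]] = None     # (start, end); None = any time
    require_approval: bool = False
    require_mfa: bool = False
    jit_ttl: Optional[timedelta] = None                    # None = no JIT expiry


@dataclass
class Safe:
    name: str
    members: Set[str]
    policy: Optional[Policy] = None  # None -> default: members only, no extra conditions


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    now: datetime
    mfa_verified: bool = False
    approved: bool = False
    jit_granted_at: Optional[datetime] = None


def evaluate(safe: Safe, req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Membership is checked first; a policy can only narrow access."""
    # Step 1: the default that applies whether or not a policy is attached.
    if req.user not in safe.members:
        return False, "not a member of Safe"
    policy = safe.policy
    if policy is None:
        return True, "member; no policy attached, default access"

    # Step 2: policy conditions. Any single failed condition blocks access,
    # and an explicit role deny is checked before the allow list.
    if policy.denied_roles & req.roles:
        return False, "role explicitly denied"
    if policy.allowed_roles and not (policy.allowed_roles & req.roles):
        return False, "role not in allowed roles"
    if policy.business_hours is not None:
        start, end = policy.business_hours
        if not (start <= req.now.time() < end):
            return False, "outside business hours"
    if policy.require_mfa and not req.mfa_verified:
        return False, "MFA required"
    if policy.require_approval and not req.approved:
        return False, "approval required"
    if policy.jit_ttl is not None:
        if req.jit_granted_at is None:
            return False, "JIT grant required"
        if req.now >= req.jit_granted_at + policy.jit_ttl:
            return False, "JIT grant expired"
    return True, "all policy conditions satisfied"


# Constructed sample data (hypothetical Safes, users and roles).
PROD_DB = Safe(
    name="prod-db",
    members={"alice", "bob"},
    policy=Policy(
        allowed_roles={"dba"},
        denied_roles={"contractor"},
        business_hours=(time(9, 0), time(18, 0)),
        require_approval=True,
        require_mfa=True,
        jit_ttl=timedelta(hours=1),
    ),
)
SCRATCH = Safe(name="scratch", members={"alice"})  # no policy: membership only
NOON = datetime(2024, 3, 4, 12, 0)


def alice_at(now: datetime, **overrides) -> AccessRequest:
    """A request from alice that satisfies every PROD_DB condition unless overridden."""
    base = dict(user="alice", roles={"dba"}, now=now, mfa_verified=True,
                approved=True, jit_granted_at=now - timedelta(minutes=10))
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    print(evaluate(SCRATCH, AccessRequest("alice", set(), NOON)))
    print(evaluate(PROD_DB, alice_at(NOON)))
    print(evaluate(PROD_DB, alice_at(NOON, jit_granted_at=NOON - timedelta(hours=2))))
```

The point the model makes explicit: a non-member is refused before any policy is consulted, and a policy never widens access, it only adds reasons to refuse. Keeping the reason string with the decision is also what you want for audit logging, since "outside business hours" and "JIT grant expired" call for different follow-up than "not a member of Safe".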
For a conceptual explanation of what a policy is and how it interacts with Safes, see What is a policy?.