Zero Trust Architecture · JSON Structure

Zero Trust Architecture Policy Structure

Structure documenting the Zero Trust access policy evaluated by a Policy Decision Point (PDP) per NIST SP 800-207.


Zero Trust Access Policy is a JSON Structure definition published by Zero Trust Architecture.

Meta-schema:

JSON Structure

{
  "name": "Zero Trust Access Policy",
  "description": "Structure documenting the Zero Trust access policy evaluated by a Policy Decision Point (PDP) per NIST SP 800-207.",
  "properties": [
    {
      "name": "policyId",
      "type": "string",
      "description": "Unique identifier for this access policy.",
      "required": true
    },
    {
      "name": "name",
      "type": "string",
      "description": "Human-readable name of the policy.",
      "required": true
    },
    {
      "name": "description",
      "type": "string",
      "description": "Description of the policy's purpose and scope.",
      "required": false
    },
    {
      "name": "version",
      "type": "string",
      "description": "Policy version in semantic versioning format.",
      "required": false
    },
    {
      "name": "effect",
      "type": "string",
      "description": "Whether the policy allows or denies access. Enum: allow, deny.",
      "required": true
    },
    {
      "name": "subjects",
      "type": "array",
      "description": "Principals (users, service accounts, workloads) this policy applies to.",
      "required": true,
      "items": {
        "name": "subject",
        "type": "object",
        "properties": [
          { "name": "type", "type": "string", "description": "Type of principal. Enum: user, group, service-account, workload, device." },
          { "name": "id", "type": "string", "description": "Identifier for the principal." },
          { "name": "attributes", "type": "object", "description": "Additional attributes for context-aware evaluation." }
        ]
      }
    },
    {
      "name": "resources",
      "type": "array",
      "description": "Resources this policy governs access to.",
      "required": true,
      "items": {
        "name": "resource",
        "type": "object",
        "properties": [
          { "name": "type", "type": "string", "description": "Type of resource." },
          { "name": "id", "type": "string", "description": "Resource identifier." },
          { "name": "actions", "type": "array", "description": "Permitted HTTP methods or operations." }
        ]
      }
    },
    {
      "name": "conditions",
      "type": "object",
      "description": "Contextual conditions that must be satisfied for the policy to apply.",
      "required": false,
      "properties": [
        {
          "name": "devicePosture",
          "type": "object",
          "description": "Device health and compliance requirements.",
          "properties": [
            { "name": "managed", "type": "boolean", "description": "Device must be enterprise-managed." },
            { "name": "encryptionEnabled", "type": "boolean", "description": "Disk encryption must be enabled." },
            { "name": "osVersion", "type": "string", "description": "Minimum required OS version." },
            { "name": "edrInstalled", "type": "boolean", "description": "EDR agent must be installed." }
          ]
        },
        {
          "name": "network",
          "type": "object",
          "description": "Network location constraints.",
          "properties": [
            { "name": "allowedIpRanges", "type": "array", "description": "CIDR ranges from which access is permitted." },
            { "name": "requireVpn", "type": "boolean", "description": "Whether a VPN or ZTNA tunnel is required." }
          ]
        },
        {
          "name": "time",
          "type": "object",
          "description": "Time-based access restrictions.",
          "properties": [
            { "name": "allowedHours", "type": "string", "description": "Permitted access windows." }
          ]
        },
        {
          "name": "riskScore",
          "type": "object",
          "description": "Risk-based access threshold.",
          "properties": [
            { "name": "maxScore", "type": "integer", "description": "Maximum acceptable risk score (0-100)." }
          ]
        },
        {
          "name": "authenticationStrength",
          "type": "string",
          "description": "Required authentication assurance level."
        }
      ]
    },
    {
      "name": "enforcementMode",
      "type": "string",
      "description": "Whether the policy is actively enforced or audit-only. Enum: enforce, audit, disabled.",
      "required": false
    },
    {
      "name": "created",
      "type": "string",
      "description": "Date the policy was created (ISO 8601 date).",
      "required": false
    },
    {
      "name": "modified",
      "type": "string",
      "description": "Date the policy was last modified (ISO 8601 date).",
      "required": false
    },
    {
      "name": "owner",
      "type": "string",
      "description": "Team or individual responsible for this policy.",
      "required": false
    }
  ]
}