Policy Enforcement
How Tessera evaluates every decryption request in real time against the requester's clearance attributes — using Open Policy Agent as the Policy Decision Point inside the Key Access Service.
A classified file may be stored on a shared drive, emailed to a partner organisation, archived in a document management system, or transferred across a domain boundary. At every one of those points, the file is accessible to systems — and potentially people — that are not authorised to read it.
Traditional access control — file permissions, ACLs, role-based group membership — is attached to the storage system, not the data. Once a file moves, the access control does not move with it. The protection is gone.
Tessera inverts this by embedding the access policy inside the encrypted file, cryptographically bound so it cannot be separated from the content. The policy is evaluated by the Key Access Service (KAS) at the moment of decryption, against the live attributes of the requester. The file decrypts only if every policy condition is satisfied — and that evaluation is performed fresh every time, never cached.
The model that makes this precise and auditable is Attribute-Based Access Control (ABAC). The engine that evaluates the policy is Open Policy Agent (OPA).
An ABAC decision requires two sets of attributes: the resource attributes — what the file requires — and the subject attributes — what the requester holds. Both sets are expressed as structured URIs so they can be compared unambiguously by the policy engine.
Derived from the STANAG 4774 Confidentiality Label. The label's
classification level, categories, and releasability markings are translated
— via the domain XMLSPIF — into required attribute URIs that are embedded
as the ABAC policy inside the .ztdf archive.
A NATO SECRET / REL GBR document produces required attributes for
classification/value/secret and relto/value/gbr.
Both must be satisfied.
Carried in the requester's JWT access token, issued by the identity provider after authentication. The token contains the user's clearance level, category authorisations, COI memberships, and releasability markings as structured claims presented to the KAS on every request.
A user cleared to NATO SECRET with GBR releasability holds attributes
classification/value/secret and relto/value/gbr
in their token.
All attribute values are expressed as URIs under a shared
https://nato.int/attr/ namespace, following the structure
https://nato.int/attr/<tag-set>/value/<value>.
A shared namespace means a .ztdf file protected on one system
can be evaluated by a partner KAS without translation — both understand the
same attribute identifiers.
When a file is protected, the STANAG 4774 Confidentiality Label does not
merely accompany the file — it drives the access policy. The XMLSPIF
maps each label value to an attribute URI, and those URIs become the required
attributes of the ABAC policy embedded in the .ztdf archive.
.ztdf manifestThe HMAC binding is critical: the policy is bound to the Data Encryption Key using HMAC-SHA256. Any attempt to alter the policy — to relax a restriction and gain access — invalidates the binding and the KAS refuses to proceed. The policy and the encrypted payload are inseparable.
Open Policy Agent (OPA) is a CNCF-graduated open-source policy engine. It evaluates structured queries against Rego policies — a declarative language purpose-built for access control — and returns a structured decision. Tessera uses OPA as the Policy Decision Point (PDP) inside the KAS.
Rego rules are readable, version-controlled, and independently testable. The policy is entirely separate from the KAS application code — the KAS asks OPA for a decision, it does not implement the evaluation itself.
Policy bundles are distributed by the Management Service and loaded by each KAS instance at runtime. Policy can be updated and pushed to all KAS instances without restarting the service.
OPA produces a structured decision record for every evaluation: the input attributes, the rules invoked, and the outcome. This feeds the full audit trail required by ACP-240 Supp-2.
Custom ABAC implementations are difficult to audit and easy to get wrong. OPA cleanly separates the policy decision from the application logic. This means security administrators can review, test, and update policy rules without touching the KAS codebase — satisfying the two-person scrutiny requirement of ACP-240 Supp-2, where policy changes require independent review before they can be pushed to production.
Every decryption request follows the same evaluation path. No step can be skipped, and any failure at any step results in a DENY — no key is released and no reason that could assist an attacker is disclosed.
.ztdf manifest. This confirms
the ABAC policy has not been altered since the file was encrypted.
OPA policy is not hardcoded in the KAS. Rego rules are compiled into OPA bundles and distributed to all KAS instances by the Management Service. This separates policy authoring from service deployment and supports the two-person scrutiny model required by ACP-240 Supp-2.
A KAS operating in an isolated High-Side zone has no Management Service connection. It ships with a pre-built, pre-approved OPA bundle compiled for that specific deployment. Policy updates require a controlled maintenance window and a fresh approval cycle — by design, not by limitation. The isolation ensures that High-Side policy cannot be altered from the Low Side.
When a .ztdf archive contains Key Access Objects (KAOs) pointing
to multiple KAS instances — each responsible for a different security domain or
Community of Interest — the ABAC evaluation at each KAS is independent and
domain-scoped.
The enterprise KAS brokers requests to domain-specific KAS instances on behalf of the client. Each domain KAS runs its own Rego policy tailored to that domain's clearance requirements. The client receives DEK fragments from each KAS and combines them — a complete key is produced only if every domain KAS grants access.
Multiple KAOs share the same session identifier. Any single KAS that grants access can release the full DEK. Used for high-availability: if the primary KAS is unreachable, a secondary KAS operating under the same policy can fulfil the request.
Multiple KAOs carry different session identifiers. Every KAS in the set must grant access before the DEK fragments can be combined. Used for compartmented access: a document shared with a COI requires both the base clearance KAS and the COI-specific KAS to independently approve.