# Data Access Policy
# Defines who can access which data classifications.

name: data-access
description: Controls agent access to data based on classification and role
version: "1.0.0"

rules:
  - name: deny-external-restricted
    description: External agents cannot access restricted data
    conditions:
      agent_role: external
      data_type: restricted
    effect: deny
    priority: 100

  - name: escalate-confidential-external
    description: Confidential data going external requires escalation
    conditions:
      data_type: confidential
      target: external
    effect: escalate
    priority: 90

  - name: deny-restricted-external
    description: Restricted data must never leave internal systems
    conditions:
      data_type: restricted
      target: external
    effect: deny
    priority: 100

  - name: allow-public-any
    description: Public data can be accessed by anyone
    conditions:
      data_type: public
    effect: allow
    priority: 10

  - name: allow-internal-internal
    description: Internal data accessible within internal systems
    conditions:
      data_type: internal
      target: internal
    effect: allow
    priority: 50