Skip to content
On-demand recording | SAP IdM End of Life: Migration Without Disruption | With Deloitte · 60 min Watch recording

AuthZEN & Conservative Merge

AuthZEN standardizes the decision envelope (allow/deny + constraints/obligations/TTL + reasons). Conservative merge intersects constraints across layers to avoid over‑grant.

Decision envelope


{
  "decision": "Permit",
  "constraints": [{ "id": "stream_tokens_max", "value": 2048 }],
  "obligations": [{ "id": "step_up_mfa" }],
  "ttl_ms": 5000,
  "reasons": ["policy:agent.tools.invoke"]
}

Conservative merge

Given multiple applicable policies, compute the minimum/most restrictive outcome per constraint category, never a union that over‑grants.