OCSF.Policy (OCSF v0.1.0)


Sink redaction policy.

Defines which data classes a sink allows, denies, or transforms before writing. Every sink declares a policy; apply/2 enforces it on an event by walking nested objects and dropping or transforming fields based on their __ocsf_fields__/0 classification.

:credential is always denied — not configurable.

Example

policy = %OCSF.Policy{
  allow: [:identifier, :tenant, :taxonomic, :temporal],
  deny:  [:contact, :identity, :network],
  transform: []
}

redacted = OCSF.Policy.apply(policy, event)
# redacted event has no PII fields

See OCSF.Classification, OCSF.Sink.

Summary

Functions

apply(policy, event)
Apply a policy to an event, returning a redacted event.

Types

t()

@type t() :: %OCSF.Policy{
  allow: [OCSF.Classification.data_class()],
  deny: [OCSF.Classification.data_class()],
  transform: keyword()
}

transform()

@type transform() ::
  :truncate_v4_24
  | :truncate_v6_48
  | :hash_salted
  | :ua_parse_only
  | :drop
  | {module(), atom(), list()}

Functions

apply(policy, event)

@spec apply(t(), OCSF.Event.t()) :: OCSF.Event.t()

Apply a policy to an event, returning a redacted event.

Walks all nested objects and drops fields whose data class is denied. :credential is always dropped regardless of policy. deny always wins over allow.
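The precedence rules just described (:credential hard-denied, deny over allow, recursive walk of nested objects), as an added stand-alone illustration that is not OCSF.Policy's own implementation. PolicyDemo, the transform keyword shape (data class to transform()), the /24 truncation logic and the flat field-to-class table that stands in for __ocsf_fields__/0 are all assumptions made for this example.

```elixir
# Added illustration, not OCSF.Policy's code. Assumed: transform is a keyword list of
# data class -> transform(), and a flat field -> class map stands in for __ocsf_fields__/0.
defmodule PolicyDemo do
  @policy %{allow: [:identifier, :taxonomic, :temporal], deny: [:contact],
            transform: [network: :truncate_v4_24]}
  # Constructed classification of the sample event's fields.
  @classes %{class_uid: :taxonomic, time: :temporal, actor: :taxonomic, user: :taxonomic,
             uid: :identifier, email_addr: :contact, password: :credential,
             src_endpoint: :taxonomic, ip: :network}
  # One field's fate. Clause order encodes precedence: :credential is hard-denied,
  # deny beats transform, transform beats allow, and unlisted classes fail closed.
  def decision(_policy, :credential), do: :drop
  def decision(%{deny: deny, transform: transform, allow: allow}, class) do
    cond do
      class in deny -> :drop
      Keyword.has_key?(transform, class) -> {:transform, Keyword.fetch!(transform, class)}
      class in allow -> :keep
      true -> :drop
    end
  end
  # Keep only the /24 of an IPv4 string; unparsable values fail closed (field dropped).
  def transform(:truncate_v4_24, ip) when is_binary(ip) do
    case :inet.parse_ipv4strict_address(String.to_charlist(ip)) do
      {:ok, {a, b, c, _}} -> {:ok, "#{a}.#{b}.#{c}.0"}
      {:error, _} -> :error
    end
  end
  def transform(_unsupported, _value), do: :error
  # Walk maps and lists recursively; scalars pass through; a failed transform drops the field.
  def redact(policy, event, classes) when is_map(event) do
    event
    |> Enum.flat_map(fn {key, value} ->
      case decision(policy, Map.get(classes, key, :unclassified)) do
        :keep -> [{key, redact(policy, value, classes)}]
        :drop -> []
        {:transform, t} -> for {:ok, v} <- [transform(t, value)], do: {key, v}
      end
    end)
    |> Map.new()
  end
  def redact(policy, list, classes) when is_list(list), do: Enum.map(list, &redact(policy, &1, classes))
  def redact(_policy, scalar, _classes), do: scalar
  # Constructed sample event: nested user object with identifier, contact and credential fields.
  def demo do
    event = %{class_uid: 3002, time: 1_700_000_000, src_endpoint: %{ip: "203.0.113.77"},
              actor: %{user: %{uid: "u-1", email_addr: "a@example.com", password: "hunter2"}}}
    redact(@policy, event, @classes)
  end
end
```

Running PolicyDemo.demo/0 keeps the taxonomic, temporal and identifier fields, drops the contact and credential fields inside the nested user object, and rewrites the source IP to its /24.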