This post shows how a similar adaptation may be required on premises.
Segmentation of Retention and Regular Access Control Policies
Even when we don’t live in a cloud world, there may be reasons for segmentation. Take records management, for instance.
Any piece of data that is marked as a record may not be deleted until the end of the retention period (at which point it must be deleted).
This is an access control policy that clearly takes precedence over the regular policies.
A similar situation exists with legal holds.
While it’s certainly possible to achieve that with various policy sets and clever policy combining, the principle of segmentation encourages us to take a different approach. We would like to physically separate the policies into different layers, so that they can never interfere with each other.
Segmenting XACML Policies Using Layered Policy Decision Points
The PDP with retention policies is asked for a decision first. When the decision is NotApplicable, the resource being accessed is not under retention, and the request is forwarded to the next PDP, which evaluates it against the regular access control policies.
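The layering described above, sketched as an added example (not code from the original post or from any XACML product). The attribute names, the dict standing in for a PIP, the owner-only regular rule, and treating an Indeterminate result from any layer as final are all assumptions made for illustration.

```python
from datetime import date
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

# Constructed sample attributes; this dict stands in for a PIP lookup.
RESOURCE_ATTRS = {
    "contract-17": {"is_record": True, "retention_end": date(2030, 1, 1), "owner": "alice"},
    "draft-3": {"is_record": False, "owner": "alice"},
}

def retention_pdp(subject, action, resource, today):
    """Layer 1: holds only the retention rule, nothing else."""
    attrs = RESOURCE_ATTRS.get(resource)
    if attrs is None:
        return Decision.INDETERMINATE  # attribute lookup failed
    if not attrs["is_record"] or action != "delete":
        return Decision.NOT_APPLICABLE  # retention has nothing to say
    if today < attrs["retention_end"]:
        return Decision.DENY  # record still under retention
    return Decision.NOT_APPLICABLE  # retention period is over

def regular_pdp(subject, action, resource, today):
    """Layer 2: regular access control (hypothetical owner-only rule)."""
    attrs = RESOURCE_ATTRS.get(resource)
    if attrs is None:
        return Decision.INDETERMINATE
    return Decision.PERMIT if attrs["owner"] == subject else Decision.DENY

LAYERS = [retention_pdp, regular_pdp]  # order encodes precedence

def layered_decide(layers, subject, action, resource, today):
    """Ask each PDP in order; only NotApplicable falls through."""
    for pdp in layers:
        decision = pdp(subject, action, resource, today)
        if decision is not Decision.NOT_APPLICABLE:
            return decision  # Permit, Deny or Indeterminate is final
    return Decision.NOT_APPLICABLE

def pep_allows(decision):
    """Deny-biased enforcement: anything other than Permit is refused."""
    return decision is Decision.PERMIT
```

Because the retention layer answers first, no rule in the regular layer can permit deleting a record that is still under retention, even for its owner.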
The retention policies will probably require a PIP to look up resource attributes, like