Policy Engine
Fine-grained access control – beyond role-based to adaptive, contextual, and risk-aware policies
Active Policies: 6
Total Violations: 18
Total Enforcements: 2,831
Services Covered: 11
Policy Type Coverage
AWS Access – Engineering Only
Status: ACTIVE. Restricts all AWS console and API access to employees in the Engineering or Platform Engineering departments. Enforced at provisioning and during quarterly access reviews.
Enforced: 89 | Violations: 3 | Services: 1
Privileged Access – Hardware MFA Required
Status: ACTIVE. Any access to critical systems (AWS Admin, Okta Super Admin, GitHub Admin, CrowdStrike Admin) requires hardware-backed MFA (FIDO2 / YubiKey). Enforced contextually on every session.
Enforced: 2,341 | Violations: 12 | Services: 4
Finance Data – Separation of Duties
Status: ACTIVE. Prevents any single employee from holding both Salesforce Admin and NetSuite Admin roles. Detects toxic combinations that could enable fraud.
Enforced: 4 | Violations: 1 | Services: 1
Contractor Access – Time-Bound & Scoped
Status: ACTIVE. Contractors automatically receive time-limited access aligned to their contract end date. Access expires automatically. No admin-level entitlements permitted.
Enforced: 156 | Violations: 0 | Services: 4
Elevated Access – JIT Only for Production
Status: ACTIVE. Direct production environment access is forbidden by default. Engineers must request Just-in-Time access, which expires in 4 hours and requires manager approval.
Enforced: 234 | Violations: 0 | Services: 2
Risk-Based Access Throttling
Status: ACTIVE. Users with a risk score above 70 are automatically stepped down to read-only access pending security review. Above 90, access is suspended entirely.
Enforced: 7 | Violations: 2 | Services: 11
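As an added illustration (not the product's own code), the six policies above expressed as deny and step-down rules in a small Python evaluator over a constructed access request. The request field names, the JIT grant fields, and the "Admin" substring used to recognise admin-level entitlements are assumptions; the thresholds, role names and time window come from the policy descriptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CRITICAL_SYSTEMS = {"AWS Admin", "Okta Super Admin", "GitHub Admin", "CrowdStrike Admin"}
ENGINEERING_DEPTS = {"Engineering", "Platform Engineering"}
TOXIC_COMBINATIONS = [{"Salesforce Admin", "NetSuite Admin"}]  # SoD pairs from the dashboard
JIT_WINDOW = timedelta(hours=4)
RISK_READ_ONLY, RISK_SUSPEND = 70, 90

@dataclass
class AccessRequest:              # assumed shape of an access decision input
    department: str
    employment_type: str            # "employee" or "contractor"
    current_roles: set              # entitlements already held
    service: str                    # e.g. "AWS", "Production", "NetSuite"
    requested_role: str
    hardware_mfa: bool              # FIDO2 / YubiKey asserted on this session
    risk_score: int
    now: datetime
    contract_end: Optional[datetime] = None
    jit_granted_at: Optional[datetime] = None
    jit_manager_approved: bool = False

def evaluate(req):
    """Return (decision, policies_triggered); decision is ALLOW, READ_ONLY or DENY."""
    hits = []
    if req.service == "AWS" and req.department not in ENGINEERING_DEPTS:
        hits.append("AWS Access - Engineering Only")
    if req.requested_role in CRITICAL_SYSTEMS and not req.hardware_mfa:
        hits.append("Privileged Access - Hardware MFA Required")
    if any(combo <= req.current_roles | {req.requested_role} for combo in TOXIC_COMBINATIONS):
        hits.append("Finance Data - Separation of Duties")
    if req.employment_type == "contractor" and (
            req.contract_end is None or req.now >= req.contract_end or "Admin" in req.requested_role):
        hits.append("Contractor Access - Time-Bound & Scoped")
    if req.service == "Production" and not (req.jit_manager_approved and req.jit_granted_at
                                            and req.now - req.jit_granted_at <= JIT_WINDOW):
        hits.append("Elevated Access - JIT Only for Production")
    if req.risk_score > RISK_SUSPEND:
        hits.append("Risk-Based Access Throttling (suspended)")
    if hits:
        return "DENY", hits
    if req.risk_score > RISK_READ_ONLY:   # stepped down, not denied
        return "READ_ONLY", ["Risk-Based Access Throttling (stepped down)"]
    return "ALLOW", []

if __name__ == "__main__":
    t = datetime(2024, 6, 1, 9, 0)  # constructed evaluation time
    print(evaluate(AccessRequest("Finance", "employee", {"Salesforce Admin"}, "NetSuite",
                                 "NetSuite Admin", True, 20, t)))
```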
Beyond Simple Access: Nexus Policy Hierarchy
Who: RBAC + ABAC – identity, role, department, employment type
What: Entitlement profiles – not just access, but exact configuration, features, and permissions
When & Where: Time-based and context-aware – device compliance, location, session risk
How much: JIT, SoD, and risk-based – least-privilege with automatic escalation and revocation