
Class: AdditionalRestriction

The Additional Restriction object describes supplementary access controls and guardrails that constrain or limit granted permissions beyond the primary policy. These restrictions are typically applied through hierarchical policy frameworks, organizational controls, or conditional access mechanisms. Examples include AWS Service Control Policies (SCPs), Resource Control Policies (RCPs), Azure Management Group policies, GCP Organization policies, conditional access policies, IP restrictions, time-based constraints, and MFA requirements.

URI: ocsf:AdditionalRestriction

classDiagram
    class AdditionalRestriction
    click AdditionalRestriction href "../AdditionalRestriction/"
    Object <|-- AdditionalRestriction
    click Object href "../Object/"

    AdditionalRestriction : policy
    AdditionalRestriction --> "1" Policy : policy
    click Policy href "../Policy/"

    AdditionalRestriction : status

    AdditionalRestriction : status_id
    AdditionalRestriction --> "0..1 _recommended_" AdditionalRestrictionStatusIdEnum : status_id
    click AdditionalRestrictionStatusIdEnum href "../AdditionalRestrictionStatusIdEnum/"



Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| policy | 1 Policy | Detailed information about the policy document that defines this restriction, | direct |
| status | 0..1 String | The current status of the policy restriction, normalized to the caption of th... | direct |
| status_id | 0..1 recommended AdditionalRestrictionStatusIdEnum | The normalized status identifier indicating the applicability of this policy | direct |

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| AccessAnalysisResult | additional_restrictions | range | AdditionalRestriction |

In Subsets

Aliases

  • Additional Restriction

Identifier and Mapping Information

Schema Source

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | ocsf:AdditionalRestriction |
| native | ocsf:AdditionalRestriction |

LinkML Source

Direct

name: AdditionalRestriction
description: 'The Additional Restriction object describes supplementary access controls
  and

  guardrails that constrain or limit granted permissions beyond the primary

  policy. These restrictions are typically applied through hierarchical policy

  frameworks, organizational controls, or conditional access mechanisms. Examples

  include AWS Service Control Policies (SCPs), Resource Control Policies (RCPs),

  Azure Management Group policies, GCP Organization policies, conditional access

  policies, IP restrictions, time-based constraints, and MFA requirements.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Additional Restriction
is_a: Object
slots:
- policy
- status
- status_id
slot_usage:
  policy:
    name: policy
    description: 'Detailed information about the policy document that defines this
      restriction,

      including policy metadata, type, scope, and the specific rules or conditions

      that implement the access control.'
    required: true
  status:
    name: status
    description: 'The current status of the policy restriction, normalized to the
      caption of the

      <code>status_id</code> enum value.'
  status_id:
    name: status_id
    description: 'The normalized status identifier indicating the applicability of
      this policy

      restriction.'
    range: AdditionalRestrictionStatusIdEnum
    recommended: true

Induced

name: AdditionalRestriction
description: 'The Additional Restriction object describes supplementary access controls
  and

  guardrails that constrain or limit granted permissions beyond the primary

  policy. These restrictions are typically applied through hierarchical policy

  frameworks, organizational controls, or conditional access mechanisms. Examples

  include AWS Service Control Policies (SCPs), Resource Control Policies (RCPs),

  Azure Management Group policies, GCP Organization policies, conditional access

  policies, IP restrictions, time-based constraints, and MFA requirements.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Additional Restriction
is_a: Object
slot_usage:
  policy:
    name: policy
    description: 'Detailed information about the policy document that defines this
      restriction,

      including policy metadata, type, scope, and the specific rules or conditions

      that implement the access control.'
    required: true
  status:
    name: status
    description: 'The current status of the policy restriction, normalized to the
      caption of the

      <code>status_id</code> enum value.'
  status_id:
    name: status_id
    description: 'The normalized status identifier indicating the applicability of
      this policy

      restriction.'
    range: AdditionalRestrictionStatusIdEnum
    recommended: true
attributes:
  policy:
    name: policy
    description: 'Detailed information about the policy document that defines this
      restriction,

      including policy metadata, type, scope, and the specific rules or conditions

      that implement the access control.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Policy
    rank: 1000
    alias: policy
    owner: AdditionalRestriction
    domain_of:
    - PermissionAnalysisResult
    - AdditionalRestriction
    - Assessment
    - Authorization
    - DataClassification
    - DataSecurity
    - ManagedEntity
    - SecurityControlProfile
    - ScanActivity
    - AccountChange
    range: Policy
    required: true
  status:
    name: status
    description: 'The current status of the policy restriction, normalized to the
      caption of the

      <code>status_id</code> enum value.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Status
    rank: 1000
    alias: status
    owner: AdditionalRestriction
    domain_of:
    - RelatedEvent
    - Ticket
    - Whois
    - AdditionalRestriction
    - Check
    - Compliance
    - DataClassification
    - HttpResponse
    - BaseEvent
    - Finding
    - IncidentFinding
    - DroneFlightsActivity
    range: string
  status_id:
    name: status_id
    annotations:
      sibling:
        tag: sibling
        value: status
    description: 'The normalized status identifier indicating the applicability of
      this policy

      restriction.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Status ID
    rank: 1000
    alias: status_id
    owner: AdditionalRestriction
    domain_of:
    - Ticket
    - AdditionalRestriction
    - Check
    - Compliance
    - DataClassification
    - BaseEvent
    - Finding
    - IncidentFinding
    - RemediationActivity
    - DroneFlightsActivity
    range: AdditionalRestrictionStatusIdEnum
    recommended: true