Status: Implemented
Security and compliance teams need to define what should happen when a critical user document expires. UMS must apply predictable access consequences while keeping the reason visible and auditable.
| Actor | Responsibility | | :— | :— | | Security Architect | Defines access impact for expired critical documents. | | Global Administrator | Publishes or updates enforcement policies. | | Affected User | Receives access restrictions or warnings based on policy. |
When the user provides a renewed and approved document, the system removes the restriction according to the configured policy.
If the selected document type is not access-critical, the system prevents publication of a blocking policy and suggests a notification-only rule.
code, value, and description.[!NOTE] En la implementación real de C# (base de código),
AccessEnforcementPolicyes una Entidad hija encapsulada dentro del Agregado DocumentType, bajo el espacio de nombres unificado Ums.Domain.Approvals.
DocumentType Aggregate Root.Code, Value (JSON containing policy timing/action), Description.Code, tenant scope, and DocumentTypeId.BLOCK_USER, RESTRICT_PROFILE, and LOG_ONLY.PUT /access-enforcement-policies/{policyId}/action.DocumentType (AR), AccessEnforcementPolicy (Child Entity), UserAccount (AR), Profile (AR)AccessEnforcementPolicyE2ETests.cs covers policy creation, GET by ID, action updates, deactivation, and validation when neither ProfileId nor RoleId is supplied.UpdateAccessEnforcementActionCommandValidatorTests.cs verifies that the command accepts the domain action names BlockUser, RestrictProfile, and LogOnly.AccessEnforcementPolicyCommandHandlerTests.cs covers the create, deactivate, and update command handlers.UserDocumentEndpoints.cs exposes the enforcement execution route used to preserve traceability when the policy is applied.