{ "$defs": { "AccessReviewCadence": { "description": "Access-review cadence.", "enum": [ "monthly", "quarterly", "semi_annual", "annual" ], "type": "string" }, "AccessReviewDecision": { "description": "Reviewer's decision on a given grant.", "oneOf": [ { "enum": [ "retain", "revoke", "downgrade" ], "type": "string" }, { "const": "pending", "description": "Held pending further info (and a follow-up grant review).", "type": "string" } ] }, "AccessReviewStatus": { "description": "Review lifecycle.", "enum": [ "scheduled", "open", "closed", "overdue" ], "type": "string" }, "GrantDecision": { "description": "Decision on one access grant.", "properties": { "decision": { "$ref": "#/$defs/AccessReviewDecision", "description": "Reviewer's decision." }, "effective_at": { "anyOf": [ { "$ref": "#/$defs/IsoDate" }, { "type": "null" } ], "description": "Effective date for any change." }, "justification": { "description": "Free-form justification.", "type": "string" }, "person": { "$ref": "#/$defs/PathRef", "description": "PathRef to the person holding the grant." }, "role": { "description": "Role / privilege label (e.g. \"admin\", \"read-only\", \"billing\").", "type": "string" } }, "required": [ "person", "role", "decision", "justification" ], "type": "object" }, "IsoDate": { "description": "ISO 8601 date (YYYY-MM-DD).", "format": "date", "type": "string" }, "PathRef": { "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`", "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$", "type": "string" } }, "$id": "https://corpospec.com/schemas/v0.16.0/access-review.schema.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "additionalProperties": false, "description": "Periodic access-review record (per-system, per-period).", "properties": { "cadence": { "$ref": "#/$defs/AccessReviewCadence" }, "completed_at": { "anyOf": [ { "$ref": "#/$defs/IsoDate" }, { "type": "null" } ] }, "control_basis": { "description": "Control reference (e.g. \"ISO 27001 A.5.18 + A.8.2; SOC 2 CC6.2\").", "type": "string" }, "decisions": { "description": "Per-grant decisions.", "items": { "$ref": "#/$defs/GrantDecision" }, "type": "array" }, "due_date": { "$ref": "#/$defs/IsoDate" }, "entity": { "$ref": "#/$defs/PathRef" }, "evidence_ref": { "anyOf": [ { "$ref": "#/$defs/PathRef" }, { "type": "null" } ], "description": "PathRef to evidence (export of access list, signed log)." }, "grants_reviewed": { "description": "Total grants reviewed.", "format": "int32", "type": "integer" }, "id": { "$ref": "#/$defs/PathRef" }, "period_end": { "$ref": "#/$defs/IsoDate" }, "period_start": { "$ref": "#/$defs/IsoDate" }, "reviewer": { "$ref": "#/$defs/PathRef", "description": "PathRef to the primary reviewer (system owner)." }, "second_reviewer": { "anyOf": [ { "$ref": "#/$defs/PathRef" }, { "type": "null" } ], "description": "PathRef to a secondary reviewer (two-eye / four-eye sign-off)." }, "status": { "$ref": "#/$defs/AccessReviewStatus" }, "system": { "$ref": "#/$defs/PathRef", "description": "PathRef to the system being reviewed." } }, "required": [ "id", "entity", "system", "cadence", "status", "period_start", "period_end", "due_date", "reviewer", "grants_reviewed", "decisions", "control_basis" ], "title": "AccessReview", "type": "object", "x-corpospec-pillar": "legal" }