Privileged-access and production-change controls for ServiceNow ITSM — proving every change followed the approved path.
For: Platform and security leads at health-tech and regulated orgs
Blocks production database access (access.prod_db) for actors whose role is neither Lead nor inside the administrative scope.
Approves production changes only inside a scheduled maintenance window or with Lead approval; anything else is escalated rather than silently allowed.
Restrains a production change request until linked Jira / CAB evidence is attached.
# HIPAA-Grade Access Change Gate
# Fork: tune roles, windows, and evidence sources to your environment.
apiVersion: decionis.dev/v1
kind: PolicyPack
metadata:
  name: hipaa-grade-access-change
  surface: servicenow
  standards: [HIPAA-164.312, SOC2-CC6.2, ISO27001-A.5.18]
defaults:
  mode: shadow          # listen-only: decisions are recorded, not enforced
  emit_dossier: true    # keep the evidence dossier for every evaluated request
rules:
  - name: role_scope_enforcement
    when: "request == 'access.prod_db'"
    decision: |
      APPROVE IF actor.role == 'Lead' OR actor.role in admin_scope
      BLOCK OTHERWISE
    # admin_scope is the set of roles with administrative scope; define it in your fork.
    reason_code: role_lacks_admin_scope
  - name: maintenance_window_gate
    when: "change.type == 'production'"
    decision: |
      APPROVE IF window == 'scheduled_maintenance' OR approver.role == 'Lead'
      ESCALATE OTHERWISE
    reason_code: outside_maintenance_window
  - name: evidence_completeness
    when: "change.type == 'production'"
    decision: |
      RESTRAIN IF change.jira_evidence == null
      ALLOW OTHERWISE
    # Checks for a missing field only; an empty evidence value is not null and passes.
    reason_code: cab_evidence_missing
Fork it, tune the roles, windows, and evidence sources to match your environment, and deploy in shadow mode first: the pack defaults to shadow (listen-only), so every decision is recorded in the dossier but nothing in your live pipeline changes.
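To see how the three rules combine on real-looking ServiceNow events, here is a small stand-alone evaluator. It is an added illustration written for this page, not the decionis.dev engine: the field names (request, actor.role, change.type, window, approver.role, change.jira_evidence), verdicts and reason codes are taken from the pack above, while the admin_scope membership, the "most restrictive verdict wins" combination rule, the strict-null reading of `== null`, and the sample events are assumptions made here. It also shows the shadow-versus-enforce distinction and the empty-evidence edge case.

```python
"""Minimal evaluator for the HIPAA-Grade Access Change Gate rules (added illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: which roles carry administrative scope in this environment.
ADMIN_SCOPE = {"PlatformAdmin", "SecurityAdmin"}

# Assumption: ordering used when several rules fire on one event (index 0 = most restrictive).
SEVERITY = ["BLOCK", "RESTRAIN", "ESCALATE", "APPROVE", "ALLOW"]

Verdict = Optional[Tuple[str, Optional[str]]]  # (verdict, reason_code) or None if `when` did not match


@dataclass
class DossierEntry:
    rule: str
    verdict: str
    reason_code: Optional[str]
    enforced: bool  # False in shadow mode: recorded, never applied


def role_scope_enforcement(ev: dict) -> Verdict:
    if ev.get("request") != "access.prod_db":
        return None
    role = ev.get("actor", {}).get("role")
    if role == "Lead" or role in ADMIN_SCOPE:
        return ("APPROVE", None)
    return ("BLOCK", "role_lacks_admin_scope")


def maintenance_window_gate(ev: dict) -> Verdict:
    if ev.get("change", {}).get("type") != "production":
        return None
    if ev.get("window") == "scheduled_maintenance" or ev.get("approver", {}).get("role") == "Lead":
        return ("APPROVE", None)
    return ("ESCALATE", "outside_maintenance_window")


def evidence_completeness(ev: dict) -> Verdict:
    if ev.get("change", {}).get("type") != "production":
        return None
    # Strict null check, mirroring `change.jira_evidence == null`: an empty string passes.
    if ev.get("change", {}).get("jira_evidence") is None:
        return ("RESTRAIN", "cab_evidence_missing")
    return ("ALLOW", None)


RULES: List[Callable[[dict], Verdict]] = [role_scope_enforcement, maintenance_window_gate, evidence_completeness]


def evaluate(ev: dict, mode: str = "shadow") -> List[DossierEntry]:
    """Run every rule whose `when` matches and return the dossier entries."""
    entries = []
    for rule in RULES:
        out = rule(ev)
        if out is not None:
            verdict, reason = out
            entries.append(DossierEntry(rule.__name__, verdict, reason, enforced=(mode == "enforce")))
    return entries


def effective_outcome(ev: dict, mode: str = "shadow") -> str:
    """Combine fired rules: most restrictive wins; in shadow mode it is only reported."""
    verdicts = [e.verdict for e in evaluate(ev, mode)]
    if not verdicts:
        return "NO_RULE_MATCHED"
    worst = min(verdicts, key=SEVERITY.index)
    return worst if mode == "enforce" else f"shadow:{worst}"


# Constructed sample events, shaped like the fields the pack references.
SAMPLE_EVENTS: Dict[str, dict] = {
    "analyst_prod_db": {"request": "access.prod_db", "actor": {"role": "Analyst"}},
    "admin_prod_db": {"request": "access.prod_db", "actor": {"role": "PlatformAdmin"}},
    "change_in_window": {"change": {"type": "production", "jira_evidence": "OPS-123"},
                         "window": "scheduled_maintenance", "approver": {"role": "Engineer"}},
    "change_off_window_no_evidence": {"change": {"type": "production", "jira_evidence": None},
                                      "window": "business_hours", "approver": {"role": "Engineer"}},
    "change_off_window_lead": {"change": {"type": "production", "jira_evidence": "OPS-124"},
                               "window": "business_hours", "approver": {"role": "Lead"}},
    "change_empty_evidence": {"change": {"type": "production", "jira_evidence": ""},
                              "window": "scheduled_maintenance", "approver": {"role": "Engineer"}},
}


def run_pack(mode: str = "shadow") -> Dict[str, str]:
    """Evaluate every sample event and return name -> effective outcome."""
    return {name: effective_outcome(ev, mode) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for mode in ("shadow", "enforce"):
        for name, outcome in run_pack(mode).items():
            reasons = [e.reason_code for e in evaluate(SAMPLE_EVENTS[name], mode) if e.reason_code]
            print(f"{mode:8} {name:32} {outcome:16} {reasons}")
```

Running it in shadow mode prints the verdict each request would have received with `enforced=False` on every dossier entry; switching to `enforce` is the only change needed to apply them. Note the `change_empty_evidence` case: with the rule written as a null check it is allowed, so if your ServiceNow integration fills the Jira field with an empty string rather than omitting it, tighten the condition in your fork.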