Overview

Policy restrictions protect operations that change the governance rules of the vault, such as modifying approver groups, updating restriction rules, or rotating user keys. They are one of three restriction categories alongside Transaction Restrictions and Config Restrictions.

Like config restrictions, policy restrictions carry no filters. They are all-or-nothing: if a policy restriction exists, it applies to every governance operation. The restriction specifies only which approver groups must sign off.

Evaluation Semantics

Policy restrictions follow the same additive model as transaction restrictions:

1. Every policy restriction is checked.
2. Since there are no filters, every policy restriction always matches.
3. All approval requirements from all matching restrictions accumulate.
4. The operation proceeds when every accumulated requirement is satisfied.
5. If no policy restriction exists, governance operations are allowed without approvals.

Governed Operations

The following operations require policy restriction approval when at least one policy restriction is configured:

Self-Governance

Policy restrictions protect the "update policy restriction" operation itself. This creates a self-governance loop: changing the policy restriction rules requires satisfying the current policy restriction rules. This prevents any single user from unilaterally weakening the approval requirements for governance changes.

The same principle applies to changes to approver groups. If a policy restriction requires 2 of owner approval, then adding or removing members from the owner group also requires 2 owner approvals.

Example

A single policy restriction protects all governance operations:

Result:

• Changing an approver group's membership requires 2 owner approvals.
• Updating any transaction restriction rule requires 2 owner approvals.
• Modifying this policy restriction itself requires 2 owner approvals.
• User registration and deletion require no approval (uncategorized, not governed by policy restrictions).