← Back to Awards Plugin

5.2.7 Domain Policy Reference

Last Updated: December 4, 2025
Status: Complete
Plugin: Awards
Source: plugins/Awards/src/Policy/DomainPolicy.php

Overview

The DomainPolicy class provides authorization control for Domain entities within the Awards plugin. It implements organizational structure management authorization, categorical access control, and administrative oversight through delegation to the base policy framework.

Class Definition

namespace Awards\Policy;

class DomainPolicy extends BasePolicy

All authorization methods are inherited from BasePolicy and delegate to the centralized _hasPolicy() method.

Domain Management Authorization

Entity-Level Access Control

The policy inherits standard CRUD authorization methods:

Method	Purpose
canView()	Domain viewing with organizational access validation
canAdd()	Domain creation with administrative permission requirements
canEdit()	Domain editing with entity-level authorization
canDelete()	Domain removal with referential integrity validation
canIndex()	Domain listing with organizational scoping

Categorical Operations

All domain-specific operations leverage the inherited BasePolicy framework:

• Category Management: Award domain organization with categorical structure
• Administrative Configuration: Domain configuration with permission-based access control
• Award Integration: Domain-award relationship management
• Reporting Access: Domain analytics with administrative visibility

Authorization Flow

1. Super User Check: Administrative override through BasePolicy.before()
2. Permission Discovery: Domain operation permissions resolved through PermissionsLoader
3. Administrative Validation: Administrative access validation through warrant-based checking
4. Entity Authorization: Domain-specific authorization through entity-level access control

Organizational Access Control

Administrative Management

• Administrative Permissions: Domain operations require administrative authority
• System Management: Global domain management for award system coordination
• Organizational Integration: Integration with organizational structure and branch hierarchy
• Configuration Control: Domain configuration authorization with administrative oversight

Referential Integrity Protection

• Award Relationships: Domain deletion authorized only when award relationships are properly managed
• Categorical Integrity: Domain modifications respect award categorization
• Business Rule Enforcement: Domain operations validated against business rules

Usage Examples

Controller Integration

// Standard CRUD authorization in DomainsController
public function view($id) {
    $domain = $this->Domains->get($id);
    $this->Authorization->authorize($domain); // Uses canView()
    $this->set(compact('domain'));
}

public function edit($id) {
    $domain = $this->Domains->get($id);
    $this->Authorization->authorize($domain); // Uses canEdit()
    // Edit processing...
}

Administrative Operations

// Administrative domain management with policy validation
public function createDomain($domainData) {
    if (!$this->Authorization->can($this->Domains, 'add')) {
        throw new ForbiddenException('Not authorized to create domains');
    }
    
    $domain = $this->Domains->newEntity($domainData);
    return $this->Domains->save($domain);
}

Domain Configuration Management

// Domain configuration with authorization validation
public function configureDomain($domainId, $configData) {
    $domain = $this->Domains->get($domainId);
    
    if (!$this->Authorization->can($domain, 'edit')) {
        throw new ForbiddenException('Not authorized to configure domain');
    }
    
    $this->Domains->patchEntity($domain, $configData);
    return $this->Domains->save($domain);
}

Referential Integrity Validation

// Domain deletion with referential integrity checking
public function deleteDomain($domainId) {
    $domain = $this->Domains->get($domainId, ['contain' => ['Awards']]);
    
    if (!$this->Authorization->can($domain, 'delete')) {
        throw new ForbiddenException('Not authorized to delete domain');
    }
    
    if (!empty($domain->awards)) {
        throw new BadRequestException('Cannot delete domain with associated awards');
    }
    
    return $this->Domains->delete($domain);
}

Integration Points

Awards Controller Integration

• CRUD Operations: Standard authorization through BasePolicy delegation
• Administrative Interface: Permission-based feature visibility
• Configuration Management: Domain configuration with administrative oversight
• Award Coordination: Domain-award relationship management

RBAC System Integration

• Permission Framework: Integration with KMP RBAC through BasePolicy
• Warrant System: Warrant-based permission validation
• Administrative Authority: Administrative role requirements for domain management
• Role Integration: Domain operations authorized through administrative permissions

Awards Plugin Integration

• Award Management: Domain-award authorization with categorical relationship management
• Level Integration: Domain-level coordination with hierarchical access control
• Recommendation System: Domain-recommendation authorization with workflow integration

Security Considerations

Access Control Security

• Authentication Required: All operations require authenticated user identity
• Permission Validation: Comprehensive administrative permission checking
• Administrative Protection: Configuration protection through permission requirements
• System Security: Operations secured through administrative authority validation

Data Protection

• Administrative Control: Domain data access limited to administrative users
• Configuration Security: Configuration protected through administrative permissions
• Referential Integrity: Authorization respects award relationships
• Audit Trail: Authorization decisions logged for compliance monitoring

Related Documentation

• Awards Plugin Overview
• Award Policy Reference
• RBAC Security Architecture