System Policies Reference
AxonFlow ships with 63 system policies (53 pattern-based + 10 condition-based) that provide security and compliance coverage out of the box.
Overview
| Category | Evaluation | Count | Severity Range |
|---|---|---|---|
| Security - SQL Injection | Pattern-Based (Agent) | 37 | Critical - Medium |
| Security - Admin Access | Pattern-Based (Agent) | 4 | High - Medium |
| PII - Global | Pattern-Based (Agent) | 7 | Critical - Low |
| PII - United States | Pattern-Based (Agent) | 2 | Critical |
| PII - European Union | Pattern-Based (Agent) | 1 | Critical |
| PII - India | Pattern-Based (Agent) | 2 | Critical |
| Risk Management | Condition-Based (Orchestrator) | 2 | - |
| Compliance | Condition-Based (Orchestrator) | 3 | - |
| Security Controls | Condition-Based (Orchestrator) | 2 | - |
| Cost Management | Condition-Based (Orchestrator) | 2 | - |
| Access Control | Condition-Based (Orchestrator) | 1 | - |
Pattern-Based System Policies
Security - SQL Injection (security-sqli)
37 patterns covering all major SQL injection techniques.
UNION-Based Injection (2 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_union_select | UNION SELECT Detection | Critical | Block |
| sys_sqli_union_injection | UNION Injection After Termination | Critical | Block |
Boolean-Based Blind Injection (3 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_or_true | OR True Condition | High | Block |
| sys_sqli_or_string | OR String Condition | High | Block |
| sys_sqli_and_false | AND False Condition | High | Block |
Time-Based Blind Injection (4 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_sleep | MySQL SLEEP Function | Critical | Block |
| sys_sqli_waitfor | SQL Server WAITFOR DELAY | Critical | Block |
| sys_sqli_pg_sleep | PostgreSQL pg_sleep | Critical | Block |
| sys_sqli_benchmark | MySQL BENCHMARK Function | Critical | Block |
Error-Based Injection (3 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_extractvalue | EXTRACTVALUE Function | High | Block |
| sys_sqli_updatexml | UPDATEXML Function | High | Block |
| sys_sqli_convert_int | CONVERT INT Injection | High | Block |
Stacked Queries (5 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_stacked_drop | Stacked DROP Statement | Critical | Block |
| sys_sqli_stacked_delete | Stacked DELETE Statement | Critical | Block |
| sys_sqli_stacked_update | Stacked UPDATE Statement | Critical | Block |
| sys_sqli_stacked_insert | Stacked INSERT Statement | Critical | Block |
| sys_sqli_stacked_exec | Stacked EXEC Statement | Critical | Block |
Comment-Based Injection (3 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_inline_comment | Inline Comment Injection | High | Block |
| sys_sqli_line_comment_mysql | MySQL Line Comment Injection | High | Block |
| sys_sqli_line_comment_dash | Double-Dash Comment Injection | High | Block |
Generic Patterns (9 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_select_from | SELECT FROM After Termination | Critical | Block |
| sys_sqli_admin_bypass | Authentication Bypass | Critical | Block |
| sys_sqli_hex_encoding | Hex-Encoded Payload | Medium | Block |
| sys_sqli_char_function | CHAR Function Obfuscation | High | Block |
| sys_sqli_concat_select | CONCAT with Embedded SELECT | High | Block |
| sys_sqli_information_schema | INFORMATION_SCHEMA Access | High | Block |
| sys_sqli_sys_tables | System Tables Access | High | Block |
| sys_sqli_load_file | LOAD_FILE Function | Critical | Block |
| sys_sqli_into_outfile | INTO OUTFILE/DUMPFILE | Critical | Block |
Dangerous Query Patterns (8 patterns)
| ID | Name | Severity | Action |
|---|---|---|---|
| sys_sqli_drop_table | DROP TABLE Statement | Critical | Block |
| sys_sqli_drop_database | DROP DATABASE Statement | Critical | Block |
| sys_sqli_truncate | TRUNCATE TABLE Statement | Critical | Block |
| sys_sqli_alter_table | ALTER TABLE Statement | High | Block |
| sys_sqli_delete_no_where | DELETE Without WHERE | Critical | Block |
| sys_sqli_create_user | CREATE USER Statement | Critical | Block |
| sys_sqli_grant | GRANT Privileges Statement | Critical | Block |
| sys_sqli_revoke | REVOKE Privileges Statement | Critical | Block |
Security - Admin Access (security-admin)
| ID | Name | Severity | Action | Description |
|---|---|---|---|---|
| sys_admin_users_table | Users Table Access | High | Block | Access to users table |
| sys_admin_audit_log | Audit Log Access | High | Block | Access to audit logs |
| sys_admin_config_table | Configuration Table Access | High | Block | System config access |
| sys_admin_info_schema | Information Schema Access | Medium | Block | System schema access |
PII - Global (pii-global)
Universal patterns applicable in all regions.
| ID | Name | Severity | Action | Description |
|---|---|---|---|---|
| sys_pii_credit_card | Credit Card Number | Critical | Block | Visa, MC, Amex, Discover |
| sys_pii_email | Email Address | Medium | Log | Standard email format |
| sys_pii_phone | Phone Number | Medium | Log | International formats |
| sys_pii_ip_address | IP Address | Medium | Log | IPv4 addresses |
| sys_pii_passport | Passport Number | High | Block | Generic passport format |
| sys_pii_dob | Date of Birth | High | Log | Common date formats |
| sys_pii_booking_ref | Booking Reference | Low | Log | 6-char alphanumeric |
PII - United States (pii-us)
| ID | Name | Severity | Action | Description |
|---|---|---|---|---|
| sys_pii_ssn | Social Security Number | Critical | Block | XXX-XX-XXXX format |
| sys_pii_bank_account | Bank Account Number | Critical | Block | Routing + account number |
PII - European Union (pii-eu)
| ID | Name | Severity | Action | Description |
|---|---|---|---|---|
| sys_pii_iban | IBAN | Critical | Block | International Bank Account Number |
PII - India (pii-india)
| ID | Name | Severity | Action | Description |
|---|---|---|---|---|
| sys_pii_pan | PAN (Permanent Account Number) | Critical | Block | 10-char with entity type validation |
| sys_pii_aadhaar | Aadhaar Number | Critical | Block | 12-digit UID (DPDP Act 2023) |
Condition-Based System Policies
Condition-based policies use context-aware rules evaluated by the Orchestrator. These provide runtime governance for risk, compliance, cost, and access control.
Policy ID Naming Convention
System policy IDs follow the pattern `sys_` + category abbreviation + specific pattern name, i.e. `sys_<category>_<pattern>`.
| Prefix | Meaning | Example |
|---|---|---|
| `sys_sqli_` | SQL injection pattern | `sys_sqli_union_select` |
| `sys_admin_` | Admin access control | `sys_admin_users_table` |
| `sys_pii_` | PII detection pattern | `sys_pii_ssn` |
| `sys_dyn_` | Dynamic/condition-based policy | `sys_dyn_high_risk_block` |
Risk Management (dynamic-risk)
| ID | Name | Condition | Action |
|---|---|---|---|
| sys_dyn_high_risk_block | Block High-Risk Queries | `risk_score > 0.8` | Block |
| sys_dyn_anomalous_access | Anomalous Access Detection | `risk_score > 0.5` | Warn |
Risk score thresholds:
| Risk Score | Action | Description |
|---|---|---|
| `> 0.8` | Block | High-risk query immediately rejected |
| `> 0.5` | Warn | Elevated-risk query allowed with warning logged |
| `<= 0.5` | Allow | Normal-risk query proceeds without policy match |
Condition example:
```json
{
  "id": "sys_dyn_high_risk_block",
  "name": "Block High-Risk Queries",
  "conditions": {
    "risk_score": { "gt": 0.8 }
  },
  "action": "block",
  "message": "Query blocked due to high risk score."
}
```
Compliance (dynamic-compliance)
| ID | Name | Condition | Action |
|---|---|---|---|
| sys_dyn_hipaa | HIPAA Compliance | `data_category == "healthcare"` | Block (if PHI detected) |
| sys_dyn_gdpr | GDPR Compliance | `data_region == "eu"` and PII present | Block |
| sys_dyn_financial | Financial Data Protection | `data_category == "financial"` | Block (if PCI data detected) |
Condition example:
```json
{
  "id": "sys_dyn_hipaa",
  "name": "HIPAA Compliance",
  "conditions": {
    "data_category": "healthcare",
    "contains_phi": true
  },
  "action": "block",
  "message": "Protected Health Information detected. HIPAA compliance requires blocking this query."
}
```
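To make the condition format and the risk-score thresholds concrete, here is an added evaluator for policy documents in the JSON shape shown above. It is illustration code written for this page, not the AxonFlow Orchestrator's implementation; the operator semantics (a bare value means equality, an object such as `{ "gt": 0.8 }` holds a comparison) and the "most restrictive action wins" rule are assumptions inferred from the two examples, and cross-field conditions such as tenant isolation are not covered.

```javascript
// Added illustration of evaluating condition-based policies in the JSON shape
// shown on this page. Not the Orchestrator's code; operator semantics are
// inferred from the examples: bare value = equality, object = comparison.
const ACTION_RANK = { allow: 0, warn: 1, block: 2 };

// Compare one condition against the corresponding context value.
function matchCondition(expected, actual) {
  if (expected === null || typeof expected !== 'object') return actual === expected;
  if (actual === undefined) return false; // missing field never satisfies an operator
  return Object.entries(expected).every(([op, bound]) => {
    switch (op) {
      case 'gt': return actual > bound;
      case 'lt': return actual < bound;
      case 'eq': return actual === bound;
      default: throw new Error(`unsupported operator: ${op}`);
    }
  });
}

// All keys in "conditions" must match (AND semantics).
function policyMatches(policy, ctx) {
  return Object.entries(policy.conditions).every(
    ([key, expected]) => matchCondition(expected, ctx[key]));
}

// Run every policy; the most restrictive matching action wins, so a "warn"
// from one policy can never downgrade a "block" from another.
function evaluate(policies, ctx) {
  const decision = { action: 'allow', matched: [], message: null };
  for (const p of policies) {
    if (!policyMatches(p, ctx)) continue;
    decision.matched.push(p.id);
    if (ACTION_RANK[p.action] > ACTION_RANK[decision.action]) {
      decision.action = p.action;
      decision.message = p.message;
    }
  }
  return decision;
}

// Constructed sample set: the two risk policies and sys_dyn_hipaa from the tables above.
const SAMPLE_POLICIES = [
  { id: 'sys_dyn_high_risk_block', conditions: { risk_score: { gt: 0.8 } },
    action: 'block', message: 'Query blocked due to high risk score.' },
  { id: 'sys_dyn_anomalous_access', conditions: { risk_score: { gt: 0.5 } },
    action: 'warn', message: 'Elevated risk score; query allowed with warning.' },
  { id: 'sys_dyn_hipaa', conditions: { data_category: 'healthcare', contains_phi: true },
    action: 'block', message: 'Protected Health Information detected.' },
];
```

With `evaluate(SAMPLE_POLICIES, { risk_score: 0.9 })` both risk policies match and the decision is `block`; a score of exactly 0.5 matches nothing and is allowed, mirroring the threshold table.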
Security Controls (dynamic-security)
| ID | Name | Condition | Action |
|---|---|---|---|
| sys_dyn_tenant_isolation | Tenant Isolation | `target_tenant != request_tenant` | Block |
| sys_dyn_debug_restrict | Debug Mode Restriction | `debug == true and environment == "production"` | Block |
Cost Management (dynamic-cost)
| ID | Name | Condition | Action |
|---|---|---|---|
| sys_dyn_expensive_query | Expensive Query Limit | `estimated_cost > cost_threshold` | Warn |
| sys_dyn_llm_cost | LLM Cost Optimization | `monthly_usage > monthly_limit` | Block |
Access Control (dynamic-access)
| ID | Name | Condition | Action |
|---|---|---|---|
| sys_dyn_sensitive_data | Sensitive Data Control | Response contains salary, SSN, or medical records | Block |
Querying System Policies
List All System Policies
```javascript
const policies = await client.listStaticPolicies({
  tier: 'system'
});
console.log(`Total system policies: ${policies.length}`);
```
Filter by Category
```javascript
// Get all SQL injection policies
const sqli = await client.listStaticPolicies({
  tier: 'system',
  category: 'security-sqli'
});

// Get all PII policies
const pii = await client.listStaticPolicies({
  tier: 'system',
  category: 'pii-global'
});
```
REST API
```bash
# All system policies
curl "http://localhost:8080/api/v1/static-policies?tier=system"

# Filtered by category
curl "http://localhost:8080/api/v1/static-policies?tier=system&category=security-sqli"
```
Customizing System Policies (Enterprise)
Enterprise Feature
Policy overrides require an Enterprise license.
You cannot modify system policy patterns, but you can:
- Disable a policy for your organization
- Change the action (only to a more restrictive one; an override can never relax a policy)
- Set an expiration for temporary overrides
Example: Disable Email Detection
```javascript
await client.createPolicyOverride({
  policyId: 'sys_pii_email',
  enabledOverride: false,
  overrideReason: 'Internal tool - no customer email exposure',
});
```
Example: Escalate to Block
```javascript
await client.createPolicyOverride({
  policyId: 'sys_pii_dob',
  actionOverride: 'block', // Was 'log'
  overrideReason: 'HIPAA requirement - block all DOB exposure',
});
```
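The override rules above (disable, escalate only, optional expiry) are easy to get wrong when building tooling around `createPolicyOverride`, so here is an added client-side validator that rejects an override before it is submitted. It is illustration code for this page, not part of the AxonFlow SDK; the restrictiveness order `log < warn < block` and the `expiresAt` field name are assumptions.

```javascript
// Added illustration (not the AxonFlow SDK's own logic) of the override rules:
// an override may disable a policy, escalate its action, or carry an expiry,
// but never relax the action. Ordering and the expiresAt field are assumptions.
const RESTRICTIVENESS = { log: 0, warn: 1, block: 2 };

// Returns { ok: true } or { ok: false, reason }. `now` is injectable for tests.
function validateOverride(policy, override, now = new Date()) {
  if (override.policyId !== policy.id) {
    return { ok: false, reason: 'policyId does not match the target policy' };
  }
  if (!override.overrideReason) {
    return { ok: false, reason: 'overrideReason is required for the audit trail' };
  }
  // An invalid date compares false against everything, so it is rejected too.
  if (override.expiresAt !== undefined && !(new Date(override.expiresAt) > now)) {
    return { ok: false, reason: 'expiresAt must be a future timestamp' };
  }
  if (override.enabledOverride === false) return { ok: true }; // disabling is always allowed
  if (override.actionOverride === undefined) {
    return { ok: false, reason: 'override neither disables the policy nor changes its action' };
  }
  const current = RESTRICTIVENESS[policy.action];
  const next = RESTRICTIVENESS[override.actionOverride];
  if (next === undefined) {
    return { ok: false, reason: `unknown action "${override.actionOverride}"` };
  }
  if (next < current) {
    return { ok: false, reason: `cannot relax "${policy.action}" to "${override.actionOverride}"` };
  }
  return { ok: true };
}
```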
Related
- Policy Hierarchy - Understanding tier inheritance
- SDK Methods - Full API reference
- Policy Testing - Test patterns before deployment